How your published app and its data are kept safe
When you build an app with Onplana Maker, the AI writes the code, runs it, and
publishes it to a live onplana.app URL. This page explains how that stays safe,
both for you and for anyone who visits your app, and the one thing that is your
responsibility.
The short version
Section titled “The short version”- Every build runs in an isolated, single-use sandbox. Your app can never see another customer’s app, data, or credentials.
- Your published app is public. Anything in it, including any secret you paste into the code, is readable by anyone who visits the URL.
- App secrets stay off the public page. Store keys in the app secret store, not in your source, and they never ship in the published bundle.
- We scan every publish for hardcoded credentials and warn you if we spot one.
- Published apps are served over HTTPS with a web application firewall, are not search-indexed by default, and can be reported and taken down if abused.
How a build runs
Section titled “How a build runs”The AI agent that builds your app can only write files inside your own app. It cannot run arbitrary commands, reach the network on its own, or read anything outside your project. So even if you paste something unusual into your app description, the result is bounded to your app, which publishes to your own URL.
Your secrets stay off the public bundle
Section titled “Your secrets stay off the public bundle”A published app is static and world-readable at its onplana.app URL. That means
anything embedded in the code, an API key, a password, a token, is visible to anyone
who opens it or views the page source.
So the rule is simple: never hardcode a secret into your app. Use the app secret store instead. Secrets you add there are kept in Onplana’s backend and are never included in the published bundle, the AI agent that builds your app never sees them either.
As a safety net, every publish is scanned for things that look like hardcoded credentials (API keys, tokens, private keys). If we find one, you get a warning at publish time, the publish still succeeds, so a false positive never blocks you, but you should remove the key and move it to the secret store.
What protects a published app
Section titled “What protects a published app”- HTTPS everywhere, with HTTP Strict Transport Security so browsers only ever connect securely.
- A web application firewall in front of every
onplana.appapp. - Not indexed by search engines by default, your app is not advertised to the world unless you share the link.
- Abuse reporting and takedown: anyone can report an app that violates the acceptable-use policy. Reports are reviewed, and an abusive app can be taken offline. If your app is taken down by mistake, you can appeal. See Publishing apps, limits, and reporting abuse.
What you are responsible for
Section titled “What you are responsible for”- Don’t hardcode secrets. Use the app secret store.
- Don’t build or publish abusive content (phishing, malware, spam, anything against the acceptable-use policy), a published app is yours, and you’re accountable for what it does.
- Rotate anything you exposed. If you published a real credential, assume it’s compromised.
Questions
Section titled “Questions”Can another Onplana user see my app or its data while it’s building? No. Each build is isolated in its own sandbox with no path to other tenants.
If I put my Stripe key in the code, is it safe? No, a published app is public, so a key in the code is exposed. Put it in the app secret store instead. We’ll warn you at publish time if we detect one in the code.
Is my app visible to the whole internet the moment I publish? It’s reachable at its URL, but it is not search-indexed by default. It’s discoverable mainly by people you share the link with.
Was this helpful?
Thanks for your feedback!