Skip to content
API for your app · Backend functions
Base44PortEden

Secure Your Data With Base44

Base44 builds a full app, backend and all, from a prompt. When that app needs Gmail, Drive, or Calendar, the default is a raw OAuth token or provider key sitting in its secrets. Call PortEden's API from a backend function instead, and the app reaches that data with PII redaction, least-privilege scope, and a full audit log, one scoped key in place of provider credentials.

See pricing

Call PortEden from a backend function · Free to start

Works With What You Already Use
Gmail
Gmail
Outlook
Outlook
Google Calendar
Google Calendar
Google Drive
Google Drive
Google Docs
Google Docs
OneDrive
OneDrive
SharePoint
SharePoint
Teams
Teams
Slack
Slack
Notion
Notion
Asana
Asana
Monday
Monday
Linear
Linear
Jira
Jira
Confluence
Confluence
Entra ID
Entra ID
Better Together

What a Base44 App Holds by Default

  • Base44's native paths to outside data are OAuth connectors (Google Workspace, Slack, Notion) and hand-rolled backend functions that store raw API keys or OAuth tokens as per-app secrets. Either way the generated app ends up holding broad, un-redacted credentials.
  • Those credentials carry no field-level redaction and no per-call audit. The app can read whatever the token allows, and you have no log you control of what it actually read.
  • Vibe-coded platforms concentrate risk. In July 2025, Wiz disclosed a critical authentication bypass in Base44 itself that exposed private apps before Wix patched it within a day. The lesson is to minimize the secrets and scope any one app holds.
  • Base44 gives app users their own login and role-based access. What it does not give you is governance over the data the app reaches out for. That is the gap PortEden fills.
Wiz Research, Base44 vulnerability (July 2025)
Capability Matrix

Base44 With PortEden: What Your App Gets

PII redaction before data reaches your app
50+ identifier types stripped or tokenized at the boundary
Base44No
+ PortEdenYes
One scoped key instead of raw provider tokens in app secrets
Base44No
+ PortEdenYes
Per-contact, per-folder, per-file scope
Base44No
+ PortEdenYes
Exportable, per-call audit log
Base44No
+ PortEdenYes
Provider token never stored in the app
It stays inside PortEden; the app holds only a PortEden key
Base44No
+ PortEdenYes
Read-only enforcement on writes
Base44No
+ PortEdenYes
Reach Gmail, Outlook, Drive, Calendar, Slack, Notion through one API
Base44Partial
+ PortEdenYes
Register once for the whole workspace
Add PortEden's OpenAPI spec as a workspace Custom Integration
Base44N/A
+ PortEdenYes
API Coverage

Call One Governed API, Not Six Sets of Tokens

Connection: PortEden API from a Base44 backend function, or its OpenAPI spec as a workspace Custom Integration

Backend function (per app)

A Deno backend function calls PortEden's REST API, holding only a scoped PortEden key as a secret. PortEden returns redacted, scoped, audited data.

Workspace Custom Integration

Register PortEden's OpenAPI spec once so every app in the workspace reaches it the same governed way via base44.integrations.custom.

Email, Drive, Calendar, Slack, Notion

One PortEden account fronts every source, so you wire one integration instead of separate OAuth tokens per service.

Tooling Notes
  • Base44 backend functions run TypeScript on the Deno runtime with per-app secrets stored as environment variables, which is where the PortEden API call and key belong.
  • Prefer reuse? Register PortEden's OpenAPI spec as a workspace-level Custom Integration and call it from any app with encrypted workspace secrets.
  • Base44's MCP support is builder-side: it feeds the AI chat context and lets external clients manage apps. It is not the runtime channel a deployed app uses, so PortEden plugs in at the API layer.
  • Store a single scoped PortEden key. Rotate or revoke it without redeploying the app.
  • PortEden redacts 50+ identifier types and logs every call, so the data your app sees is already minimized.

Front Your Base44 App With PortEden in Three Steps

1

Connect a source in PortEden

Sign in to PortEden, connect Gmail, Outlook, Drive, or Calendar, and create a scoped API key. PortEden holds the OAuth token.

2

Add the key as a Base44 secret

Store the PortEden API key as a per-app secret (an environment variable), or as an encrypted workspace secret if you register the Custom Integration.

3

Call PortEden from a backend function

From a Deno backend function or your registered Custom Integration, call PortEden's API. The app receives redacted, scoped, audited data.

Read the developer docs →
Base44 + PortEden

Five-Minute Setup. Free While You Test.

Connect a data source, plug Base44 into PortEden, and put Base44 to work on the data your team actually needs to handle.

developer docs

Frequently Asked Questions

Does this change Base44's own login?
No. Base44 keeps its built-in user authentication and role-based access for app users. PortEden governs a different layer: the outside data your app reaches out for, like Gmail, Drive, or Calendar.
Does my Base44 app still hold a raw provider token?
No. The provider OAuth token stays inside PortEden. Your app holds only a scoped PortEden key as a secret, so there is no broad provider credential embedded in the generated app.
How do Base44 apps call PortEden?
Two ways. From a Deno backend function that calls PortEden's REST API, or by registering PortEden's OpenAPI spec as a workspace-level Custom Integration and calling it from any app via base44.integrations.custom.
Is this the same as Base44's MCP feature?
No. Base44's MCP support is builder-side: it gives the AI chat context and lets external clients manage apps. The channel a deployed app uses to reach data is its backend functions and integrations, which is where PortEden's API plugs in.
What does PortEden see of my app?
Only the API calls your app makes through the firewall: the request, the access-rule decision, and the redacted result. PortEden does not see your build prompts, your app code, or anything that does not hit a PortEden tool.
Why proxy data access through a firewall?
It minimizes the secrets and scope any one app holds. The July 2025 Base44 platform flaw exposed private apps before it was patched. PortEden would not have fixed that specific bug, which was in Base44's own auth, but holding one scoped key instead of raw provider credentials limits what a single app can leak.
How do I revoke access?
Rotate or revoke the PortEden API key, or disconnect the source in PortEden. The app loses access immediately, with no effect on your own sign-in.
What does it cost?
PortEden is free to start. Higher API quotas, SSO, and SIEM export are on paid plans. See pricing for details.

Keep Exploring

Get More From Base44 With PortEden

Five-minute setup. Free tier for solo licensed practitioners. Same AI you already use — now ready for the work your team actually needs to do.

Talk to sales

Rolling out to a whole team? Talk to sales →