API for your app · Custom MCP chat connector

Secure Your Data With Lovable

Lovable ships a full-stack app from a prompt, and the moment that app needs Gmail, Drive, or Calendar, it wants a raw OAuth token wired into the backend. Call PortEden's API from your app instead, and it reaches that data with PII redaction, least-privilege scope, and a full audit log. The app holds one scoped key in place of provider credentials in vibe-coded code.


Works With What You Already Use
  • Gmail
  • Outlook
  • Google Calendar
  • Google Drive
  • Google Docs
  • OneDrive
  • SharePoint
  • Teams
  • Slack
  • Notion
  • Asana
  • Monday
  • Linear
  • Jira
  • Confluence
  • Entra ID

Better Together

What a Vibe-Coded Lovable App Holds by Default

  • When a Lovable app needs email, Drive, or calendar data, the usual path is a raw provider OAuth token or API key stored in the app's Supabase Edge Function secrets. That single credential carries broad, un-redacted access to the whole account.
  • Lovable's runtime app connectors use one shared OAuth authorization per workspace for every end user of the app, with no field-level redaction and no per-call audit of what the app read.
  • Vibe-coded apps have a track record of leaking exactly this. CVE-2025-48757, a critical issue in Lovable-generated Supabase backends, left tables without row-level security so a public key could read records and API keys from roughly 170 apps before the generator was patched.
  • None of that gives you a record you control of which message or file the app touched. The app holds the keys, and you hold the risk.
Capability Matrix

Lovable With PortEden: What Your App Gets

  • PII redaction before data reaches your app or its LLM calls (50+ identifier types stripped or tokenized at the boundary). Lovable: No. + PortEden: Yes.
  • One scoped key instead of raw provider tokens in app code. Lovable: No. + PortEden: Yes.
  • Per-contact, per-folder, per-file scope. Lovable: No. + PortEden: Yes.
  • Exportable, per-call audit log. Lovable: No. + PortEden: Yes.
  • Provider token never stored in the app's secrets (it stays inside PortEden; the app holds only a PortEden key). Lovable: No. + PortEden: Yes.
  • Per-request scope instead of one shared workspace token (Lovable app connectors share one OAuth authorization per workspace). Lovable: No. + PortEden: Yes.
  • Read-only enforcement on writes. Lovable: No. + PortEden: Yes.
  • Reach Gmail, Outlook, Drive, Calendar, Slack, Notion through one API. Lovable: Partial. + PortEden: Yes.

API & MCP Coverage

Call One API, Skip the Raw Credentials

Connection: PortEden API from your app's Supabase Edge Functions (and custom MCP chat connector for the builder)

Your generated app (runtime)

The app calls PortEden's REST API from a Supabase Edge Function, storing only a scoped PortEden key as a secret. PortEden returns redacted, scoped, audited data.

The Lovable builder agent

Lovable supports custom MCP servers as chat connectors on all plans. Add PortEden's MCP server so the builder works against redacted real data instead of raw exports.

Email, Drive, Calendar, Slack, Notion

One PortEden account fronts every source your app needs, so you wire one integration, not six sets of OAuth tokens.

Tooling Notes
  • Lovable apps run server logic in Supabase Edge Functions with secrets injected at runtime. That is where the PortEden API call belongs, so no provider token ever lives in client code.
  • Store a single scoped PortEden API key as a secret. Rotate or revoke it without touching the app.
  • Lovable supports custom MCP servers as chat connectors on all plans, so the builder agent can also reach PortEden directly during a build.
  • PortEden redacts 50+ identifier types and logs every call, so the data your app and its LLM features see is already minimized.
  • Given the row-level-security issues that have hit vibe-coded apps, keeping raw provider credentials out of the app shrinks the blast radius if it is ever exposed.

Front Your Lovable App With PortEden in Three Steps

1. Connect a source in PortEden

Sign in to PortEden, connect Gmail, Outlook, Drive, or Calendar, and create a scoped API key. PortEden holds the OAuth token.

2. Store the key as a secret

In Lovable, add the PortEden API key to your app's secrets so it is injected into Edge Functions and never exposed in client-side code.

3. Call PortEden from a backend function

Replace raw provider calls with calls to PortEden's API. The app receives redacted, scoped, audited data, and you keep one key instead of provider credentials.
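
The three steps above, sketched as the server-side core of a Supabase Edge Function (an added example, not PortEden's or Lovable's code): the key is read from the injected secret, the client-supplied folder is validated, and upstream errors are collapsed before anything returns to the browser. The base URL, the `/messages` path, the `PORTEDEN_API_KEY` name and the `items` field are hypothetical placeholders.

```typescript
// Added example. BASE_URL, the /messages path, the PORTEDEN_API_KEY name and the
// "items" response field are hypothetical placeholders, not PortEden's documented API.
type Env = Record<string, string | undefined>;
type Call = { url: string; headers: Record<string, string> };
type Reply = { status: number; body: Record<string, unknown> };
type Fetcher = (url: string, init: { headers: Record<string, string> }) =>
  Promise<{ status: number; json(): Promise<unknown> }>;

const BASE_URL = "https://porteden.example.invalid/v1";

// Build the outbound request. Returns null (fail closed) when the secret is
// missing or the caller-supplied folder is not a plain name.
function buildUpstreamCall(env: Env, folder: string): Call | null {
  const key = env["PORTEDEN_API_KEY"];
  if (!key || !/^[A-Za-z0-9_-]{1,64}$/.test(folder)) return null;
  return {
    url: `${BASE_URL}/messages?folder=${encodeURIComponent(folder)}`,
    headers: { Authorization: `Bearer ${key}`, Accept: "application/json" },
  };
}

// Map the upstream result to what the browser sees. Upstream error bodies and
// auth failures are collapsed so the state of the key is never disclosed.
function toClientReply(status: number, data: unknown): Reply {
  if (status === 200 && typeof data === "object" && data !== null) {
    const items = (data as Record<string, unknown>)["items"];
    return { status: 200, body: { items: Array.isArray(items) ? items : [] } };
  }
  if (status === 429) return { status: 429, body: { error: "rate_limited" } };
  return { status: 502, body: { error: "upstream_unavailable" } };
}

// Glue for the Edge Function handler. In Supabase, pass
// { PORTEDEN_API_KEY: Deno.env.get("PORTEDEN_API_KEY") } as env and the global fetch.
async function handle(env: Env, folder: string, fetcher: Fetcher): Promise<Reply> {
  const call = buildUpstreamCall(env, folder);
  if (call === null) return { status: 400, body: { error: "request_rejected" } };
  try {
    const res = await fetcher(call.url, { headers: call.headers });
    const data = res.status === 200 ? await res.json() : null;
    return toClientReply(res.status, data);
  } catch {
    return { status: 502, body: { error: "upstream_unavailable" } };
  }
}
```

Only the `Reply` object is serialized back to the client, so the key exists solely in the outbound `Authorization` header built on the server.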

Lovable + PortEden

Five-Minute Setup. Free While You Test.

Connect a data source, plug Lovable into PortEden, and put Lovable to work on the data your team actually needs to handle.


Frequently Asked Questions

Does this run the Lovable builder or my deployed app?
Primarily your deployed app. It calls PortEden's API from a Supabase Edge Function, so the running app reaches Gmail, Drive, or Calendar through the firewall. Optionally, because Lovable supports custom MCP servers as chat connectors, the builder agent can reach PortEden during a build too.

Does my Lovable app still hold a raw Google or Microsoft token?
No. The provider OAuth token stays inside PortEden. Your app stores only a scoped PortEden key as a secret, so there is no broad provider credential sitting in vibe-coded code.

How is this different from Lovable's built-in connectors?
Lovable's runtime app connectors use one shared OAuth authorization per workspace, with no field-level redaction and no per-call audit. PortEden adds scope, redaction, and an exportable log, and you can keep it read-only.

Can PortEden see my app's code or my Lovable prompts?
No. PortEden sees the API calls your app makes through the firewall: the request, the access-rule decision, and the redacted result. It does not see your code, your build prompts, or anything that does not hit a PortEden tool.

Why does keeping tokens out of the app matter?
Vibe-coded apps have leaked data and keys. CVE-2025-48757 left Lovable-generated backends without row-level security, exposing records and API keys from roughly 170 apps. Holding one scoped PortEden key instead of raw provider credentials limits what a single app can leak if it is exposed.

Does Lovable support MCP?
Yes, as custom MCP servers added as chat connectors on all plans, which feed the builder agent. The deployed-app path in this setup uses PortEden's REST API from an Edge Function, which is the channel a running app uses to reach data.

How do I revoke access?
Rotate or revoke the PortEden API key, or disconnect the source in PortEden. The app loses access immediately, and your own sign-in is untouched.

What does it cost?
PortEden is free to start. Higher API quotas, SSO, and SIEM export are on paid plans. See pricing for details.

Get More From Lovable With PortEden

Five-minute setup. Free tier for solo licensed practitioners. Same AI you already use — now ready for the work your team actually needs to do.
