Is base44 safe?
Is a base44 app safe to ship?
base44 covers UI, backend entities, and workflow logic in a single tool, which is genuinely convenient for a founder who does not want to pick and wire together a stack. The tradeoff shows up in how those entities handle access by default.
What base44 actually does well
Covers the full app: frontend, backend entities, and workflow automation, without switching tools.
Lowers the setup cost for someone who does not want to choose and configure a separate database and API layer.
Ships working CRUD behavior for new entities immediately, which is what most early builds actually need first.
The gap: entities without an explicit access rule default to open
When base44 creates a new entity, it does not require you to set an access rule before the entity is usable, the same pattern that shows up across most AI app builders. An entity created without an explicit rule is readable by anyone who can reach the app's public API key, the same way an unprotected Supabase table is. This exact pattern turned up in our own scan of 66 live AI-built apps, covered in the data report linked below, where apps across several builders, including base44, shipped tables and entities with no access restriction at all.
Check base44 for this yourself right now
About 60 seconds, and it mirrors the check for any AI builder with a public app-level API key.
1. Open your live base44 app, open devtools, go to the Network tab, and reload the page.
2. Find a request your app makes to fetch data and look at its request headers for an API key or token value.
3. Copy that request as curl from devtools, then re-run it in a terminal from a session with no login and no cookies attached.
4. If the entity data comes back anyway, that entity has no access rule restricting it, and anyone holding the same key can read it too.
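The four steps above, scripted as a self-check against your own app. This is an added example, not base44's tooling or part of the original page: it re-issues a captured data request with only the API key header (no cookies, no session) and classifies the answer. The entity endpoint URL and the header name are placeholders you fill in from the request you copied in step 3.

```shell
#!/bin/sh
# Added example: re-run a captured entity request with no cookies and no login,
# then decide whether the entity answered with data anyway.
# URL and header values are placeholders taken from your own devtools capture.

# classify_response STATUS BODY
#   OPEN    -> 200 with a JSON object/array carrying records: no rule restricts reads
#   EMPTY   -> 200 with an empty array: read allowed, but no rows came back
#              (the rule may filter by owner; test an entity you know has rows)
#   CLOSED  -> 401/403: the entity rejects unauthenticated reads
#   UNKNOWN -> anything else (errors, HTML, redirects); inspect by hand
classify_response() {
  status="$1"
  body="$2"
  case "$status" in
    200)
      case "$body" in
        "[]") printf 'EMPTY\n' ;;
        "["*|"{"*) printf 'OPEN\n' ;;
        *) printf 'UNKNOWN\n' ;;
      esac ;;
    401|403) printf 'CLOSED\n' ;;
    *) printf 'UNKNOWN\n' ;;
  esac
}

# probe_entity URL HEADER
#   curl sends only the one header you pass (the API key line copied from
#   devtools); no cookie jar is used, so this is the "no login" session.
#   -w appends the HTTP status on its own line after the body.
probe_entity() {
  url="$1"
  header="$2"
  raw=$(curl -sS -o - -w '\n%{http_code}' -H "$header" "$url") || return 1
  status=$(printf '%s' "$raw" | tail -n 1)
  body=$(printf '%s' "$raw" | sed '$d')
  classify_response "$status" "$body"
}

# Usage (placeholders, not real base44 values):
#   sh check_entity.sh 'https://YOUR-APP.example/api/entities/ENTITY' 'x-api-key: KEY_FROM_DEVTOOLS'
if [ "$#" -ge 2 ]; then
  probe_entity "$1" "$2"
fi
```

Run it against each data request your app makes, not just one: a rule set on one entity says nothing about the others. An EMPTY result is the case most people misread; a rule that filters rows to the current user also returns an empty array to an anonymous caller, so confirm against an entity that holds rows before concluding it is locked down.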
Rather not do this by hand? The free Leak Check runs the anon-key probe and a client bundle scan against your live URL and gives you results in under a minute.
Run the free Leak Check →
Where the numbers come from
We scanned 66 live apps built with Lovable, Bolt, Cursor, base44, and Tempo. 41% of the Supabase-backed apps had at least one table anyone could read with the public anon key. The full methodology and findings are in the data report.
Read the data report →