Security

Your data is protected

A breakdown of how SktchRef AI handles secrets, payments, and user data.

API keys never touch the browser

All third-party secrets — Stripe, AI provider keys, and database service keys — live exclusively in server environment variables. They are read inside server functions and never bundled into frontend code.

Server-side AI requests

When you generate references, your request hits our server first. The server adds the AI key, calls the model, and returns only the result. The key never leaves the server.

Database protected by Row Level Security

Your subscription, saved boards, and profile data live in tables protected by database-level Row Level Security (RLS) policies. Each policy compares the row's owner with the identity in the caller's session token, so even with the public API key a signed-in user can read or modify only their own rows; another user's records are invisible to them rather than merely hidden by the app.
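The following is an added illustration of the pattern described above, written for a Supabase-style Postgres database; it is not SktchRef AI's actual schema or policy set. The table names, columns and the two test user ids are assumptions, while `auth.uid()`, the `authenticated` role and the `request.jwt.claims` setting are Supabase's own conventions for identifying the caller.

```sql
-- Added example, not SktchRef AI's schema: three hypothetical tables, each
-- keyed by the owning user's auth.users id.
create table if not exists public.profiles (
  id           uuid primary key references auth.users (id) on delete cascade,
  display_name text
);

create table if not exists public.boards (
  id      uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users (id) on delete cascade,
  title   text not null,
  content jsonb not null default '{}'::jsonb
);

create table if not exists public.subscriptions (
  user_id            uuid primary key references auth.users (id) on delete cascade,
  status             text not null,   -- mirrored from Stripe, e.g. 'active'
  stripe_customer_id text
);

-- RLS is opt-in per table. Without ENABLE, the anon key can read every row.
alter table public.profiles      enable row level security;
alter table public.boards        enable row level security;
alter table public.subscriptions enable row level security;

-- FORCE also binds the table owner; only roles with BYPASSRLS (Supabase's
-- service_role, used server-side only) skip the policies.
alter table public.profiles      force row level security;
alter table public.boards        force row level security;
alter table public.subscriptions force row level security;

-- Profiles: a user sees and edits only their own row. USING filters existing
-- rows; WITH CHECK rejects writes that would produce a row they do not own.
create policy profiles_select_own on public.profiles
  for select to authenticated using (id = auth.uid());
create policy profiles_update_own on public.profiles
  for update to authenticated using (id = auth.uid()) with check (id = auth.uid());

-- Boards: full CRUD, but always scoped to user_id = caller. The INSERT policy
-- stops a user from creating a board attributed to someone else.
create policy boards_select_own on public.boards
  for select to authenticated using (user_id = auth.uid());
create policy boards_insert_own on public.boards
  for insert to authenticated with check (user_id = auth.uid());
create policy boards_update_own on public.boards
  for update to authenticated using (user_id = auth.uid()) with check (user_id = auth.uid());
create policy boards_delete_own on public.boards
  for delete to authenticated using (user_id = auth.uid());

-- Subscriptions: read-only from the client. With no insert/update/delete
-- policy, the only writer is the server's Stripe webhook handler using the
-- service_role key, so a user cannot grant themselves a paid status.
create policy subscriptions_select_own on public.subscriptions
  for select to authenticated using (user_id = auth.uid());

-- Verification from psql: impersonate a logged-in user the way PostgREST
-- does. auth.uid() reads the 'sub' claim from request.jwt.claims.
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
  -- Returns only boards with user_id ...0001, however many other users exist.
  select id, title from public.boards;
  -- Fails with "new row violates row-level security policy for table boards".
  insert into public.boards (user_id, title)
    values ('00000000-0000-0000-0000-000000000002', 'not mine');
rollback;
```

Two points worth checking in any deployment of this pattern: a table with RLS enabled but no policy denies everything to the anon and authenticated roles, which is the safe default, while a table with policies but RLS not enabled is fully readable with the public key; and the service-role key, which bypasses these policies, is exactly the "database service key" that must stay in server environment variables.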

Payments handled by Stripe

Card numbers and billing details are entered directly on Stripe's hosted checkout — they never pass through SktchRef AI servers. We only store your subscription status.

What's intentionally public

The Supabase publishable (anon) key in the frontend is designed to be public, like Stripe's pk_live_… key. It identifies the project and carries the anonymous role; what that role can read or write is decided by the RLS policies on each table, not by hiding the key. The service-role key, which bypasses RLS, is never shipped to the browser.

Report a vulnerability

Found something that looks wrong? Please email security@sktchref.ai before disclosing publicly.

We will never email you asking for your password, payment details, or API keys. All account changes happen inside the app.

Last reviewed: May 2026