Base44 automatically sets up permissions for your data as you build. The easiest way to configure security is to tell the AI chat what you want. Describe who should be able to access, edit, or delete each type of data, and it will set up the right rules for you. If it needs to change existing rules, it will ask for your approval before making any changes.
You are responsible for your app’s security. The AI chat can help set things up, but always review your settings and run a security scan to make sure everything is configured the way you intended.
To make sure everything is set up correctly, run a security scan before you publish. The scan checks your entire app and shows you a clear list of any issues it finds. You can fix them all with a single click, or dig into each one individually.
Managing your app's security in Base44

Using the AI chat to set permissions

You don’t need to configure permissions manually. Just tell the AI chat how your app should work, in plain language, and it will set up the right security rules for you. This works both when you are first building your app and at any point later when your needs change. The AI chat understands the context of your app, so the rules it creates are tailored to your specific data and users. Here are some examples of prompts you can use:
  • Only the person who submitted an order should be able to see it.
  • Admins should have full access to all client details. Regular users should only see their own.
  • Anyone can browse the product catalog, but only managers can add or update listings.
The AI chat sets up the appropriate rules based on your instructions. You can ask it to update permissions at any time as your app evolves.

Setting your app’s visibility

App visibility controls who can access your app at all. This is separate from data permissions, which control what people can do once they are inside. Set your visibility before publishing so that only the right people can reach your app in the first place. To set your app’s visibility:
  1. Click Dashboard in your app editor.
  2. Click Overview.
  3. Select an option from the App Visibility drop-down:
    • Private: Only people you invite can access the app.
    • Workspace: Anyone in your workspace can access the app.
    • Public: Anyone with the link can access the app.
  4. (Optional) Select the Require login to access checkbox to require users to sign in before using your app.
Choosing who has access to your app
Private apps are available on the Starter plan and above. If you set your app to Private, you need to invite users before they can log in.
Even for public apps, select Require login to access if your app stores personal or user-specific data such as messages, saved records, or account details.

Checking your app’s security

The security scan is the quickest way to check that your app is properly protected before you share it with others. The scan reviews your entire app and flags three types of issues: missing or incorrect data permissions, secrets exposed in your frontend code, and backend functions that do not verify who the user is. For each issue it finds, the scan explains what the problem is and gives you a recommended fix you can apply with a single click.

Running a scan

  1. Click Dashboard in your app editor.
  2. Click Security.
  3. Click Run Security Scan.
  4. Review the issues listed under Issues details.
  5. Click Fix All to apply all recommended fixes at once, or expand an individual issue to fix it separately.
Running a security scan on your app
The scan does not apply fixes automatically. Review the recommendations before applying them. For backend function and secret issues, paste the issue into the AI chat in Discuss mode to get step-by-step instructions.

Understanding the scan results

RLS issues

These appear when an entity is missing permission rules or when users have more access than they should. Each issue shows the affected entity, a description of the problem, and a table of recommended rules. Click Fix All to apply the recommendations, or click into the entity to customize permissions manually.

Exposed secrets

These appear when API keys, tokens, or other credentials are found in your frontend code. This is a security risk because anyone who can view your frontend code could access those credentials. To fix an exposed secret, remove it from your frontend code and move the logic to a backend function. Paste the issue into the AI chat in Discuss mode to get step-by-step instructions.

Backend function issues

These appear when a backend function accepts sensitive data without verifying who the user is. For example, a function that returns account details based only on an email address in the request could expose another user’s information if someone changes that email. To fix it, add a check to confirm the user is signed in and that the request is for their own data. Use Discuss mode in the AI chat for guidance.
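The account-details case above, as an added example that is not Base44's SDK or code: the vulnerable handler shape the scan flags beside its hardened form. Requests are plain objects, and the session and account tables are constructed stand-ins for the platform's auth and data layer.

```javascript
// Constructed data: two accounts and one valid session token (stand-ins, not real APIs).
const accounts = new Map([
  ["alice@example.com", { email: "alice@example.com", balance: 120 }],
  ["bob@example.com", { email: "bob@example.com", balance: 75 }],
]);
const sessions = new Map([["token-alice", "alice@example.com"]]); // session token -> user email

// VULNERABLE: identity is whatever email the caller puts in the body, so any
// caller, signed in or not, reads any account by changing that one value.
function getAccountInsecure(req) {
  const account = accounts.get(req.body.email);
  return account ? { status: 200, body: account } : { status: 404, body: null };
}

// Resolve the caller from the Authorization header (assumed stand-in for the
// platform's user lookup). Returns null for a missing or unknown token.
function callerFromRequest(req) {
  const auth = req.headers.authorization ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : null;
  return token ? sessions.get(token) ?? null : null;
}

// HARDENED: the caller must be signed in, and the email they ask for must be
// their own; the lookup then uses the verified identity, not the body value.
function getAccountSecure(req) {
  const callerEmail = callerFromRequest(req);
  if (!callerEmail) return { status: 401, body: null };
  if (req.body.email !== callerEmail) return { status: 403, body: null };
  const account = accounts.get(callerEmail);
  return account ? { status: 200, body: account } : { status: 404, body: null };
}

// Anonymous caller asking for Bob's data: the insecure handler leaks it (200),
// the hardened one refuses (401).
function compareAnonymousRequest() {
  const req = { headers: {}, body: { email: "bob@example.com" } };
  return { insecure: getAccountInsecure(req).status, secure: getAccountSecure(req).status };
}
```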

Customizing permissions manually

If you want to review or fine-tune the permissions on a specific entity, you can do that from the entity’s page in your dashboard. Each entity has a Permissions option that opens a full view of the rules for that entity, broken down by action: Create, Read, Update, and Delete. This is optional. The AI chat sets up permissions automatically, and the security scan flags anything that needs attention. Manual customization is there when you need more precise control.
If the AI has detected a potential issue with an entity, you will see a recommended fix at the top of the page when you open Permissions. You can apply it directly or customize the rules manually from there.
To customize permissions for an entity:
  1. Click Dashboard in your app editor.
  2. Under Data, click the entity you want to manage.
  3. Click Permissions in the top right.
  4. Select the action tab you want to configure: Create, Read, Update, or Delete.
  5. Choose a rule for each action:
    • No restrictions: Anyone can perform this action.
    • Creator only: Only the user who created a record can perform this action.
    • Entity-user field comparison: Access is granted when a field in the record matches a property of the logged-in user.
    • User property check: Access is granted to users with a specific property, such as a role of admin or manager.
  6. Click Save Rules.
Managing permissions for your data
You can add multiple rules per action by clicking Add Rule. If a user matches any rule, access is granted (rules use OR logic). To remove all rules and make the entity fully public, click Remove All Rules.

Security examples by app type

Not sure how to set up security for your app? Use these common scenarios as a starting point. If you are unsure about your access settings, you can always ask the AI chat to review your setup and suggest the right rules for your app.
Apps used by a small group of trusted people, such as a family shopping list or shared home management tool.
  • App visibility: Private. Invite the people who need access.
  • Require login: Yes.
  • Permissions: For data that everyone shares, no rules are needed. For data that belongs to each person individually, set Creator only on each entity so people can only access their own entries.
Apps that are open to the public but collect information you want to keep private, such as a company homepage or event registration page.
  • App visibility: Public.
  • Require login: No, unless you want to protect specific pages.
  • Permissions: For contact form submissions, restrict Read to admin or staff roles so only your team can view incoming messages.
Apps used by a team or company, such as an HR dashboard, sales tracker, or employee portal.
  • App visibility: Workspace.
  • Require login: Yes.
  • Permissions: Use role-based rules. Restrict Read, Update, and Delete on sensitive data to managers or specific roles. Use broader access for general content like announcements.
Apps where each person logs in and manages their own data, such as an expense tracker, workout log, or personal to-do list.
  • App visibility: Public or Workspace, depending on whether you want open registration or workspace-only access.
  • Require login: Yes.
  • Permissions: Set Creator only on all user-specific entities so each person can only see and edit their own data.
Apps where anyone can view content but only certain people can manage it, such as a blog, resource library, or documentation site.
  • App visibility: Public.
  • Require login: Required for the admin or editor section only.
  • Permissions: Set Read to public so anyone can view content. Set Create, Update, and Delete to admin or editor roles only.
Apps where different companies, schools, or departments each have their own data, such as a multi-tenant SaaS platform or a school management tool.
  • App visibility: Workspace or Private, depending on your setup.
  • Require login: Yes.
  • Permissions: Use Entity-user field comparison to segment data by group, company, or department. Admins or managers in each group can access all data in their group, while regular users only see their own.
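The rule types from the Customizing permissions section and the multi-tenant scenario above, as an added example that is not Base44's own rule engine: a small evaluator where rules for an action are combined with OR, as the page states. The condition shapes, the assumption that one rule can hold several conditions combined with AND, and the field names (created_by, company_id, business-role) are illustrative assumptions.

```javascript
// Condition shapes (assumed; not Base44's rule syntax):
//   { kind: "creator" }                              -> record.created_by === user.id
//   { kind: "fieldCompare", recordField, userField } -> record[recordField] === user[userField]
//   { kind: "userProperty", property, value }        -> user[property] === value
// A rule is an array of conditions that must all hold (AND, an assumption).
// An action's rules are an array of rules, any of which grants access (OR).
// An empty rule list means "No restrictions".
function conditionHolds(cond, user, record) {
  if (!user) return false; // every condition needs a signed-in user
  switch (cond.kind) {
    case "creator":
      return record.created_by === user.id;
    case "fieldCompare": {
      const v = record[cond.recordField];
      return v !== undefined && v === user[cond.userField];
    }
    case "userProperty":
      return user[cond.property] === cond.value;
    default:
      throw new Error(`unknown condition kind: ${cond.kind}`);
  }
}

function isAllowed(rules, user, record) {
  if (rules.length === 0) return true; // no rules: fully public
  return rules.some((rule) => rule.every((cond) => conditionHolds(cond, user, record)));
}

// Constructed multi-tenant Read rules: your own records, or any record in your
// company if your business-role is manager.
const readRules = [
  [{ kind: "creator" }],
  [
    { kind: "fieldCompare", recordField: "company_id", userField: "company_id" },
    { kind: "userProperty", property: "business-role", value: "manager" },
  ],
];

// Constructed users and one record owned by alice at company acme.
const alice = { id: "u1", company_id: "acme", "business-role": "member" };
const bob = { id: "u2", company_id: "acme", "business-role": "manager" };
const carol = { id: "u3", company_id: "acme", "business-role": "member" };
const eve = { id: "u4", company_id: "globex", "business-role": "manager" };
const aliceRecord = { id: "r1", created_by: "u1", company_id: "acme" };

function runSample() {
  return {
    ownRecord: isAllowed(readRules, alice, aliceRecord),        // creator
    managerSameCompany: isAllowed(readRules, bob, aliceRecord), // company match + manager
    memberSameCompany: isAllowed(readRules, carol, aliceRecord),
    managerOtherCompany: isAllowed(readRules, eve, aliceRecord),
    anonymous: isAllowed(readRules, null, aliceRecord),
  };
}
```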

FAQs

Run the scan before you publish your app for the first time, and again any time you make significant changes, such as adding new data entities, updating permissions, or connecting new integrations. The Security tab will show an out of date warning when your scan results are no longer current, so you know when it is time to run it again.
The AI chat sets up permissions when it creates data entities, based on your app’s context. For apps handling sensitive or user-specific data, it will generally apply rules automatically. You can ask the AI chat to update permissions at any time, or adjust them manually from each entity’s page in your dashboard.
Run a security scan from the Security tab to find and fix issues. Review the recommendations, apply fixes, and then test your app by signing in as different user roles to confirm access is working as expected. You can also describe the problem to the AI chat and ask it to fix it for you.
Yes, changes take effect immediately. Review any changes carefully before applying them.
Yes. Add a custom field (such as business-role) to your User entity and define values like manager or viewer. Then set up User property check rules on that field to give each role the right level of access. You can ask the AI chat to set this up for you.
Field-level security is not currently available. You can only set rules for entire entities, not for individual fields. Use entity-level permissions and backend functions to control data access in the meantime.
Handle all requests to third-party services in backend functions and store API keys using secrets management. This keeps credentials out of your frontend code and away from end users.
All data tables and private apps are encrypted. However, data is not end-to-end encrypted, which means Base44 admins can access your data if needed.
From February 6, 2026, private apps require a paid plan (Starter or above). If you already had private apps before that date, they will continue to work, but you will not be able to switch a private app to public and back to private without upgrading.