
How dev-views handles your credentials

Read-only scopes, encrypted storage, and zero logging of sensitive data. Here is exactly what happens to your API keys and OAuth tokens when you connect a service.

When you connect a service to dev-views, you are giving it read access to something real — your deployment history, your database metrics, your billing data. That is not a small thing. This post explains exactly what happens to those credentials.

Read-only scopes only

When connecting via OAuth, dev-views requests the minimum read scopes the service supports. For GitHub, that means read access to repository metadata and deployment status — not the ability to push code, modify settings, or access private content beyond what you explicitly share. For Stripe, it means read access to payment data — not the ability to issue refunds or modify subscriptions.

For services that use API keys instead of OAuth, the documentation clearly states which specific permissions are needed. You create a key with exactly those permissions — no more.

Storage and encryption

Credentials are stored in Supabase with AES-256 encryption at rest. The encryption key is managed separately from the database — a compromised database row does not expose the credential. Keys are never written to logs, error traces, or analytics events. If you disconnect a service, the credential is deleted immediately.
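One way to get the property described above, where a stolen database row is useless without the separately held key, shown as an added example that is not dev-views' own code. It assumes application-level AES-256-GCM; the function names, column names and sample values are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumption: the 32-byte key comes from a secret manager or KMS, never from
// the database. A random constructed key stands in for it here.
const KEY = crypto.randomBytes(32);

// Encrypt one credential. The row identity (user + service) is bound in as
// additional authenticated data, so a row copied under another id will not decrypt.
function sealCredential(key, userId, service, secret) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${userId}:${service}`));
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  // This object is what would be stored as the database row (hypothetical columns).
  return {
    user_id: userId, service,
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Decrypt a row. Throws if the key is wrong or any stored field was altered.
function openCredential(key, row) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(row.iv, 'base64'));
  decipher.setAAD(Buffer.from(`${row.user_id}:${row.service}`));
  decipher.setAuthTag(Buffer.from(row.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(row.ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Returns true when decryption is rejected, false when it succeeds.
function failsToOpen(key, row) {
  try { openCredential(key, row); return false; } catch { return true; }
}

// Constructed sample values, not real credentials.
const row = sealCredential(KEY, 'user-123', 'stripe', 'constructed-api-key-value');
console.log(openCredential(KEY, row));                          // round trip with the right key
console.log(failsToOpen(crypto.randomBytes(32), row));          // row alone, without the real key
console.log(failsToOpen(KEY, { ...row, user_id: 'user-999' })); // row moved to another user
```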

What we never do

dev-views does not sell data, does not share credentials with third parties, and does not use your service data to train models or improve anything beyond your own dashboard. There is no analytics on the data you connect — only on product usage at a session level.

The architecture is intentionally simple: dev-views is a proxy between your browser and the services you already trust. It does not store metrics, deployment logs, or database snapshots. Every load fetches fresh data from the source and discards it when you close the session.

Revoking access

You can disconnect any service at any time from the settings page. Disconnecting removes the stored credential immediately. Because dev-views uses read-only scopes, you can also revoke access directly from the third-party service's settings — the OAuth grant or API key — and dev-views will simply stop receiving data for that service.

If you have questions about how a specific integration handles credentials, reach out directly.