Bolt App Security Checklist
Before deploying your Bolt app, verify: all secrets stored in Project Settings (not code), native authentication enabled, Bolt V2 security audit reviewed and issues fixed, database access controls configured, and error messages not leaking system details.
Why this matters
Bolt V2 added security features like native auth, a security audit, and secure secrets management. But these features need to be actively used — they do not secure your app automatically.
What's at stake
A Bolt app deployed with exposed API keys or missing authentication allows anyone to abuse your third-party services, access user data, or exploit unprotected routes.
Your checklist
All secrets are stored in Bolt V2 Project Settings
Critical: Add API keys and credentials through Project Settings, not in code files, and read them only inside Edge Functions so they stay server-side. A value that frontend code references is inlined into the JavaScript bundle at build time, whichever settings screen it came from; storing a secret in Project Settings protects it only if no client-side code reads it.
Native authentication is enabled or external auth is integrated
Critical: Bolt V2 provides native email/password auth with email verification and leaked password detection. Enable it, or integrate an external provider such as Supabase Auth or Auth0. Authentication only establishes who the user is; every route and Edge Function that touches user data must still check the session server-side, because a login form in the frontend does not stop a direct request to the backend.
Security audit has been reviewed and all issues fixed
Critical: Run the Bolt V2 security audit. It flags missing password checks, unprotected routes, and other common vulnerabilities. Fix every flagged issue before deploying, and re-run the audit after significant changes, since new routes and forms reintroduce the same classes of problem.
Database access is properly restricted
Important: If using Supabase or another external Postgres database, enable row level security (RLS) on every table that holds user data and write per-table policies. Enabling RLS without policies blocks all reads and writes for the anon and authenticated roles, so the app fails loudly instead of leaking; policies then grant access row by row, typically by comparing a user_id column with auth.uid(). The service_role key bypasses RLS entirely and belongs only in Edge Functions, never in the frontend. If using Bolt Cloud database, verify access controls are set.
Frontend bundle does not contain secret keys
Important: Open your deployed app in a browser, press F12, go to Sources, and search the loaded JavaScript for your API key strings. Bundlers substitute referenced values at build time, so an exposed key appears as a plain string literal in the output. If it appears, the secret is exposed: move the call that uses it into an Edge Function and rotate the key, because the old value is already in copies of the bundle that have been served. A Supabase anon key is designed to be public and is acceptable here as long as RLS is enabled; a service_role key or any third-party API key is not.
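The following TypeScript scanner is an added example, not Bolt's tooling and not code from the original page. It automates the Sources-tab search from the item above and also covers the database item: given the text of a built bundle file, it reports Stripe and AWS key formats, any literal value you pass in from Project Settings, and decodes any Supabase-style JWT it finds to tell the public anon key (expected, provided RLS is on) from a service_role key (never acceptable in a frontend). The bundle text, file name and key values are constructed for the demonstration; the base64url codec is included so the check does not depend on a particular runtime.

```typescript
// Added example (not Bolt's or Supabase's own tooling): scan the text of a built
// frontend bundle for secrets that belong only in Project Settings and Edge
// Functions. Bundle text, file name and key values below are constructed.

type Severity = "critical" | "info";
interface Finding { file: string; kind: string; value: string; severity: Severity; note: string }

// Tiny base64url codec (ASCII is enough for JWT JSON payloads), so the check
// does not depend on atob or Buffer being present in the runtime.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
function b64urlEncode(s: string): string {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const n = (s.charCodeAt(i) << 16) | ((i + 1 < s.length ? s.charCodeAt(i + 1) : 0) << 8) | (i + 2 < s.length ? s.charCodeAt(i + 2) : 0);
    out += B64URL.charAt((n >> 18) & 63) + B64URL.charAt((n >> 12) & 63);
    if (i + 1 < s.length) out += B64URL.charAt((n >> 6) & 63);
    if (i + 2 < s.length) out += B64URL.charAt(n & 63);
  }
  return out;
}
function b64urlDecode(s: string): string {
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s.charAt(i));
    if (v < 0) continue; // padding or stray character
    acc = (acc << 6) | v; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 255); acc &= (1 << bits) - 1; }
  }
  return out;
}

// Key formats that are never legitimate in browser code.
const PATTERNS = [
  { kind: "stripe_secret_key", re: /sk_live_[A-Za-z0-9]{16,}/g, note: "Stripe secret key" },
  { kind: "aws_access_key_id", re: /AKIA[0-9A-Z]{16}/g, note: "AWS access key id" },
];
// Supabase keys are JWTs; the payload "role" claim tells anon from service_role.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function allMatches(re: RegExp, text: string): string[] {
  const out: string[] = []; re.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) out.push(m[0]);
  return out;
}
function jwtRole(token: string): string | undefined {
  try { const p = JSON.parse(b64urlDecode(token.split(".")[1])); return typeof p.role === "string" ? p.role : undefined; }
  catch (e) { return undefined; } // unreadable payload: reported generically below
}

function scanBundleText(file: string, text: string, knownSecrets: string[] = []): Finding[] {
  const findings: Finding[] = [];
  const seen: Record<string, boolean> = {}; // one finding per distinct value
  const add = (f: Finding) => { if (!seen[f.value]) { seen[f.value] = true; findings.push(f); } };
  for (const token of allMatches(JWT_RE, text)) {
    const role = jwtRole(token);
    if (role === "service_role") add({ file, kind: "supabase_service_role_key", value: token, severity: "critical", note: "bypasses RLS; move its use into an Edge Function and rotate it" });
    else if (role === "anon") add({ file, kind: "supabase_anon_key", value: token, severity: "info", note: "public by design; safe only if RLS policies are enabled" });
    else add({ file, kind: "jwt", value: token, severity: "info", note: "JWT with role " + (role || "unknown") });
  }
  for (const p of PATTERNS) for (const value of allMatches(p.re, text)) add({ file, kind: p.kind, value, severity: "critical", note: p.note });
  for (const secret of knownSecrets) if (secret && text.indexOf(secret) >= 0) add({ file, kind: "project_settings_value", value: secret, severity: "critical", note: "Project Settings value inlined at build time" });
  return findings;
}
function hasCriticalFindings(findings: Finding[]): boolean { return findings.some(f => f.severity === "critical"); }

// Constructed stand-in for dist/assets/index-abc123.js; every key in it is fake.
function fakeSupabaseKey(role: string): string {
  return b64urlEncode('{"alg":"HS256","typ":"JWT"}') + "." + b64urlEncode('{"iss":"supabase","role":"' + role + '"}') + ".fakesignature_fakesignature";
}
const SAMPLE_BUNDLE = [
  'const c=createClient("https://example.supabase.co","' + fakeSupabaseKey("anon") + '");',
  'const admin=createClient("https://example.supabase.co","' + fakeSupabaseKey("service_role") + '");',
  'fetch("https://api.stripe.com/v1/charges",{headers:{Authorization:"Bearer sk_live_FAKE0000000000000000"}});',
  'const s3={accessKeyId:"AKIAIOSFODNN7EXAMPLE"};',
  'const openaiKey="OPENAI_KEY_VALUE_FROM_SETTINGS";',
].join("\n");
function scanSample(): Finding[] {
  // Expected: 5 findings, 4 critical (service_role key, Stripe, AWS, inlined setting), 1 info (anon key).
  return scanBundleText("assets/index-abc123.js", SAMPLE_BUNDLE, ["OPENAI_KEY_VALUE_FROM_SETTINGS"]);
}
```

To run it against a real build, read each file under dist/assets/ and pass its contents, together with the literal values from Project Settings, to scanBundleText, and refuse to deploy when hasCriticalFindings is true. A secret that reaches the bundle only through a variable name still shows up, because the bundler has already substituted the value by the time the file exists.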
Error messages do not expose system details
Recommended: Verify your app shows generic error messages. Stack traces, database errors, and file paths visible to users tell attackers which tables, libraries, and paths exist. Log the full error server-side under a request identifier, and return only that identifier and a generic message to the client, so support can still correlate a user's report with the log entry.
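An error boundary that does this, as an added TypeScript example that is not Bolt's or Supabase's code and not from the original page. It wraps a server-side handler of the kind you would put in an Edge Function: errors the handler deliberately marks as client-facing (validation, auth) pass through with their status, anything else is logged with its message and stack under a request id and replaced by a generic message. The handler, table name, file path and request shape are constructed; the wrapper is runtime-agnostic, so the returned status and body can be fed into whatever Response object your runtime uses.

```typescript
// Added example (not Bolt's or Supabase's own code): an error boundary for a
// server-side handler such as an Edge Function. Internal details go to the
// server log under a request id; the client only ever sees a generic message
// and that id. Handler, table, path and request shape below are constructed.

interface Reply { status: number; body: Record<string, unknown> }
interface LogEntry { requestId: string; level: "error" | "warn"; message: string; stack?: string }
type ExposableError = Error & { expose?: boolean; status?: number };

// Errors created this way are safe to show to the caller (validation, auth).
// Anything else thrown by the handler is treated as internal.
function clientError(status: number, message: string): ExposableError {
  const e = new Error(message) as ExposableError;
  e.expose = true;
  e.status = status;
  return e;
}

const GENERIC_MESSAGE = "Something went wrong. Please try again and quote the request id if the problem persists.";

function withSafeErrors<Req>(
  handler: (req: Req) => Reply,
  log: (entry: LogEntry) => void,
  makeId: () => string = () => "req-" + Math.random().toString(36).slice(2, 10)
): (req: Req) => Reply {
  return (req: Req): Reply => {
    const requestId = makeId();
    try {
      return handler(req);
    } catch (err) {
      const e = err as ExposableError;
      if (e && e.expose === true && typeof e.status === "number" && e.status >= 400 && e.status < 500) {
        log({ requestId, level: "warn", message: e.message });
        return { status: e.status, body: { error: e.message, requestId } };
      }
      // Message, stack and any paths in them stay in the server log only.
      log({ requestId, level: "error", message: e && e.message ? e.message : String(err), stack: e ? e.stack : undefined });
      return { status: 500, body: { error: GENERIC_MESSAGE, requestId } };
    }
  };
}

// Constructed handler: a simulated order lookup that hits a missing table.
interface OrderRequest { orderId: string }
function lookupOrder(req: OrderRequest): Reply {
  if (!req.orderId) throw clientError(400, "orderId is required");
  // Stand-in for a database driver error; real ones carry similar detail.
  throw new Error('relation "public.orders" does not exist at /home/project/supabase/functions/orders/index.ts:42');
}

// Runs both paths and returns what the client saw and what the server logged.
function runDemo(): { crash: Reply; invalid: Reply; log: LogEntry[] } {
  const log: LogEntry[] = [];
  const handleOrder = withSafeErrors(lookupOrder, (entry) => { log.push(entry); });
  const crash = handleOrder({ orderId: "ord_123" }); // 500, generic body, full detail in log[0]
  const invalid = handleOrder({ orderId: "" });      // 400, "orderId is required"
  return { crash, invalid, log };
}
```

The status range check matters: a handler that throws a marked error with a 5xx status still gets the generic message, so a mistake in marking cannot turn into a detail leak. The request id in the log entry and in the client body are the same value, which is what lets a user report be matched to the server-side stack trace without ever sending that trace to the browser.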
Comprehensive security verification for Bolt-built apps
- Automated security checks covering Bolt-specific vulnerabilities
- API key exposure detection in deployed frontend code
- Public security badge showing your app is verified
Frequently asked questions
The audit catches common issues like missing password checks and unprotected routes, but it may not detect all business logic flaws or complex vulnerabilities. Use it as a starting point, then manually verify sensitive areas.
Native auth is sufficient for most apps — it includes email/password, verification, and leaked password detection. Use an external provider if you need OAuth, social logins, or MFA.
Run the checklist now. Check your frontend bundle for exposed keys, verify database access controls, and run the Bolt V2 security audit. If you find exposed secrets, rotate them immediately; removing a key from the next build does not recall the bundles already served, and anyone who loaded the app may have saved it.