Flowpatrol Documentation
Security testing for AI-built apps. Catch vulnerabilities before they ship.
What is Flowpatrol?
Flowpatrol is a security testing tool for apps built with AI coding assistants like Cursor, Lovable, Bolt, v0, and Replit.
Unlike code scanners that read your source files looking for patterns, Flowpatrol tests your running application — just like a real attacker would. It visits your pages, logs in as test users, calls your APIs, and tries to access data it shouldn't be able to reach.
You can run scans from the dashboard or directly from your AI editor via MCP.
Quick Start
Run your first scan in under a minute
Running Scans
Probes, full scans, and scan modes
Understanding Reports
Read findings and use fix suggestions
Domain Verification
Unlock full scans on production
MCP Integration
Security checks in your AI editor
Fixing Vulnerabilities
Remediation guides for common issues
Why test the running app?
Most security tools only scan source code. They look for known-bad patterns — like SQL concatenation or missing input validation — and flag them. That's useful, but it misses an entire class of bugs that only show up when the app is actually running:
- Broken access control — can user A see user B's data by changing an ID in the URL?
- Auth bypass — can someone skip the login flow entirely and hit protected pages?
- Business logic bugs — can a user tamper with prices, skip payment, or make themselves an admin?
- Supabase RLS gaps — is row-level security (RLS) actually protecting your database tables, or can anyone query them?
These are the bugs that get apps hacked in practice. You can only find them by testing the live application — which is exactly what Flowpatrol does.
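The broken access control item above is the classic case of a bug that a source scanner cannot see but a runtime test catches immediately. The following is an added example, not Flowpatrol's code or any Cursor/Lovable/Bolt project's code: a minimal WSGI app exposing `/api/records/<id>` in a vulnerable form (authentication only) beside its hardened form (authentication plus ownership check), and a probe that behaves like a dynamic tester would, logging in as one user and requesting every record owned by another. The users, bearer tokens, records, and the path shape are all constructed for the example.

```python
"""Added example (not Flowpatrol's code): an IDOR-prone endpoint beside its
hardened form, plus a runtime probe that exercises the running app the way
a dynamic security test does. All users, tokens, and records are constructed."""
import json
from wsgiref.util import setup_testing_defaults

# Constructed sample data: two users, each owning one record.
TOKENS = {"token-alice": "alice", "token-bob": "bob"}
RECORDS = {
    "1": {"owner": "alice", "ssn_last4": "1111"},
    "2": {"owner": "bob", "ssn_last4": "2222"},
}


def _auth_user(environ):
    """Map the Bearer token to a user name, or None if unauthenticated."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Bearer "):
        return None
    return TOKENS.get(header[len("Bearer "):])


def _record_id(environ):
    """Extract <id> from a path of the constructed shape /api/records/<id>."""
    parts = environ.get("PATH_INFO", "").strip("/").split("/")
    if len(parts) == 3 and parts[:2] == ["api", "records"]:
        return parts[2]
    return None


def _respond(start_response, status, body):
    start_response(status, [("Content-Type", "application/json")])
    return [json.dumps(body).encode()]


def vulnerable_app(environ, start_response):
    """Checks that the caller is logged in, but never checks ownership:
    any authenticated user can read any record by changing the ID."""
    user = _auth_user(environ)
    if user is None:
        return _respond(start_response, "401 Unauthorized", {"error": "login required"})
    rid = _record_id(environ)
    if rid not in RECORDS:
        return _respond(start_response, "404 Not Found", {"error": "no such record"})
    return _respond(start_response, "200 OK", RECORDS[rid])


def hardened_app(environ, start_response):
    """Same endpoint with the ownership check enforced server-side."""
    user = _auth_user(environ)
    if user is None:
        return _respond(start_response, "401 Unauthorized", {"error": "login required"})
    record = RECORDS.get(_record_id(environ))
    # Answer 404 for both missing and foreign records, so the response does
    # not reveal whether another user's record ID exists.
    if record is None or record["owner"] != user:
        return _respond(start_response, "404 Not Found", {"error": "no such record"})
    return _respond(start_response, "200 OK", record)


def get(app, path, token=None):
    """Drive the WSGI app in-process as an HTTP client would; returns (status, json)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if token:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return int(captured["status"].split()[0]), json.loads(body)


def probe_access_control(app):
    """Runtime check: authenticate as each user and request every record that
    user does not own; also confirm unauthenticated access is refused.
    Returns a list of findings (empty list means the checks passed)."""
    findings = []
    for token, user in TOKENS.items():
        for rid, record in RECORDS.items():
            if record["owner"] == user:
                continue
            status, _ = get(app, f"/api/records/{rid}", token)
            if status == 200:
                findings.append({"check": "broken-access-control", "as_user": user,
                                 "path": f"/api/records/{rid}", "owner": record["owner"]})
    status, _ = get(app, "/api/records/1")
    if status == 200:
        findings.append({"check": "auth-bypass", "path": "/api/records/1"})
    return findings


if __name__ == "__main__":
    for name, app in [("vulnerable", vulnerable_app), ("hardened", hardened_app)]:
        print(name, probe_access_control(app))
```

Run the file and the vulnerable app reports two findings (alice reading record 2, bob reading record 1) while the hardened app reports none. The point of the probe is that it never inspects the handler's source: it only needs two test identities and an ID it can vary, which is why a runtime scan can find an ownership check that is missing from an otherwise clean-looking handler.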