
Security for apps built with AI. Paste a URL, get a report, fix what matters.

© 2026 Flowpatrol. All rights reserved.

FAQ

Frequently asked questions about Flowpatrol

What is Flowpatrol?

Flowpatrol is a security scanner built specifically for apps created with AI coding tools like Lovable, Bolt, Cursor, v0, and Claude. It scans your live, deployed application like a real attacker would — testing for exposed secrets, broken access control, missing Row Level Security, injection vulnerabilities, and more.

Do I need security expertise to use Flowpatrol?

Not at all. Flowpatrol is built for builders, not security engineers. Every finding comes with a plain-English explanation of the risk and a code fix you can copy-paste directly into your AI coding tool. If your AI built the vulnerability, Flowpatrol helps your AI fix it.

What are the three scan modes?

Probe (1 credit) does a surface-level check in about 2 minutes — headers, secrets, fingerprints, exposed paths, and Supabase RLS gaps. Standard (5 credits) takes about 15 minutes, logging in as a test user to check auth flows, IDOR, injection, and XSS, and capturing screenshot evidence. Deep (8 credits) runs for about 30 minutes with multi-user IDOR testing, chained attack sequences, and aggressive mode.

What platforms and frameworks does Flowpatrol support?

Flowpatrol scans any web application accessible via a URL — SPAs, server-rendered apps, REST APIs, or full-stack apps. It works with any framework (Next.js, React, Vue, etc.) and any backend (Supabase, Firebase, custom APIs). It's especially tuned for patterns common in AI-generated code from Lovable, Bolt, Cursor, v0, and Replit.

How do credits work?

Credits are included with your plan. Each scan costs a fixed number of credits depending on the mode: Probes cost 1, Standard scans cost 5, Deep scans cost 8. The Free plan includes 3 probes per month. Builder ($19/mo) includes 30 credits. Pro ($49/mo) includes 120 credits. Prices are for annual billing — monthly billing is also available. You always know the cost before you scan.

Can I use Flowpatrol inside my code editor?

Yes. Flowpatrol has an MCP (Model Context Protocol) integration that works with Claude Code, Cursor, and Windsurf. Add one line to your MCP config and you can scan for vulnerabilities without leaving your editor.

Can my AI agent call Flowpatrol automatically?

Absolutely. Flowpatrol exposes a REST API, an MCP server, and a CLI — all designed for agent workflows. Your coding agent, CI/CD pipeline, or deployment agent can trigger scans, read structured JSON findings, and apply fixes without any human in the loop. See the Agents page for integration examples.

What if my app requires email verification to sign up?

We handle it. Flowpatrol creates real accounts, receives verification emails, enters OTP codes — just like a real attacker would. No more false sense of security from verification gates.

Is my data safe?

Flowpatrol never accesses your codebase — no repo connection, no GitHub integration, no source code upload. We only interact with your live, deployed URL, the same way any visitor would. All scan data is encrypted at rest and in transit, and we use Row-Level Security to keep every organization's data completely isolated.

Can I cancel or change my plan?

Anytime. Upgrade, downgrade, or cancel — changes take effect at the start of your next billing cycle. No lock-in, no cancellation fees.