
Security for apps built with AI. Paste a URL, get a report, fix what matters.

© 2026 Flowpatrol. All rights reserved.

FAQ

Frequently asked questions about Flowpatrol

What is Flowpatrol?

Flowpatrol is a security scanner built for apps shipped with AI coding tools like Lovable, Bolt, Cursor, v0, and Claude. It scans your live, deployed app the way an attacker would — checking for API keys sitting in your page source, who can read other users' data, leaky Supabase tables (Row Level Security), login flows that break, and more.

Do I need security expertise to use Flowpatrol?

Not at all. Flowpatrol is built for builders, not security engineers. Every finding comes with a plain-English explanation of the risk and a code fix you can copy-paste directly into your AI coding tool. If your AI built the vulnerability, Flowpatrol helps your AI fix it.

What are the scan modes?

Surface (1 credit) is the quick check — exposed secrets, default settings, leaky Supabase tables (RLS), and screenshots — about 1-3 minutes. Deep (5 credits) is the full audit — it logs in as multiple test users, tries to read other users' data (IDOR), injects nasty inputs (SQL injection, cross-site scripting), and chains bugs together — about 15-30 minutes, with screenshot evidence for every finding.

What platforms and frameworks does Flowpatrol support?

Flowpatrol scans any web application accessible via a URL — SPAs, server-rendered apps, REST APIs, or full-stack apps. It works with any framework (Next.js, React, Vue, etc.) and any backend (Supabase, Firebase, custom APIs). It's especially tuned for patterns common in AI-generated code from Lovable, Bolt, Cursor, v0, and Replit.

How do credits work?

Surface scans cost 1 credit, Deep scans cost 5 credits. The Free plan includes 3 Surface scans per month. Builder ($19/mo) includes 30 credits. Pro ($49/mo) includes 120 credits. Prices are for annual billing — monthly billing is also available. You always know the cost before you scan.

Can I use Flowpatrol inside my code editor?

Yes. Flowpatrol has an MCP (Model Context Protocol) integration that works with Claude Code, Cursor, and Windsurf. Add one line to your MCP config and you can scan for vulnerabilities without leaving your editor.

Can my AI agent call Flowpatrol automatically?

Absolutely. Flowpatrol exposes a REST API, an MCP server, and a CLI — all designed for agent workflows. Your coding agent, CI/CD pipeline, or deployment agent can trigger scans, read structured JSON findings, and apply fixes without any human in the loop. See the Agents page for integration examples.

What if my app requires email verification to sign up?

We handle it. Flowpatrol creates real accounts, receives verification emails, enters OTP codes — just like a real attacker would. No more false sense of security from verification gates.

Is my data safe?

Flowpatrol never accesses your codebase — no repo connection, no GitHub integration, no source code upload. We only interact with your live, deployed URL, the same way any visitor would. All scan data is encrypted at rest and in transit, and we use Row-Level Security to keep every organization's data completely isolated.

Can I cancel or change my plan?

Anytime. Upgrade, downgrade, or cancel — changes take effect at the start of your next billing cycle. No lock-in, no cancellation fees.