tinykit is designed for self-hosted deployments where you control the server. This gives you full control over security, but also means you’re responsible for it.

Security Model

Since tinykit is self-hosted (one server = one team), there’s no multi-tenant isolation. All authenticated users can access all projects on that instance.

What’s Protected

Layer | Protection
Builder access | PocketBase authentication required for /tinykit
API keys | Stored server-side in .env, never sent to browser
File operations | Scoped to workspace directory
Preview | Sandboxed iframe with restricted permissions
Database | PocketBase with collection-level access rules

Built-in Protections

tinykit includes several security measures out of the box:

Authentication

PocketBase auth with JWT tokens and automatic refresh

Path Traversal Protection

All file paths validated, ../ attacks blocked

Origin Checking

Cross-origin requests blocked for data APIs

Sandboxed Preview

Preview runs in isolated iframe with allow-scripts allow-same-origin

Server-side Secrets

API keys and credentials never exposed to client

PocketBase Proxy

Database accessed via same-origin proxy at /_pb/
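
The following added example, which is not tinykit's own code, shows one way to scope file operations to a workspace directory and reject ../ traversal, as described under Path Traversal Protection. It assumes a Node.js server; resolveInWorkspace, isInside and demo are hypothetical names, and the fixture paths are constructed.

```javascript
// Added example: hypothetical helpers, not tinykit's implementation.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when `target` is `root` itself or lies beneath it. Comparing path
// segments (not string prefixes) keeps /workspace-evil out of /workspace.
function isInside(root, target) {
  const rel = path.relative(root, target);
  return !(rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel));
}

// Resolve a client-supplied path against the workspace; throw if it escapes.
function resolveInWorkspace(workspaceRoot, userPath) {
  if (typeof userPath !== 'string' || userPath === '' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const root = fs.realpathSync(workspaceRoot);
  // Lexical check: resolve() collapses "../" and lets absolute input replace root.
  const candidate = path.resolve(root, userPath);
  if (!isInside(root, candidate)) throw new Error('path escapes workspace');
  // Symlink check: canonicalise the deepest ancestor that exists on disk.
  let existing = candidate;
  while (!fs.lstatSync(existing, { throwIfNoEntry: false })) existing = path.dirname(existing);
  if (!isInside(root, fs.realpathSync(existing))) throw new Error('symlink escapes workspace');
  return candidate;
}

// Constructed fixture: workspace/, a sibling workspace-evil/, and a symlink leading out.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'ws-demo-'));
  const root = path.join(base, 'workspace');
  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
  fs.mkdirSync(path.join(base, 'workspace-evil'));
  fs.symlinkSync(base, path.join(root, 'out'));
  const cases = {
    nested: 'src/App.svelte',
    dotdotInside: 'src/../notes.md',
    parent: '../secret.txt',
    siblingPrefix: '../workspace-evil/x',
    absolute: path.join(base, 'secret.txt'),
    viaSymlink: 'out/secret.txt',
    nulByte: 'src/a\0.txt',
  };
  const verdict = (p) => { try { resolveInWorkspace(root, p); return 'allow'; } catch { return 'deny'; } };
  const result = Object.fromEntries(Object.entries(cases).map(([k, p]) => [k, verdict(p)]));
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
```

Only the first two cases are allowed; the sibling-prefix and symlink cases are the ones a plain string-prefix comparison on the resolved path would let through.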

Production Checklist

Before exposing your tinykit instance to the public:

1. Protect the Builder

The /tinykit path gives full access to your codebase. Add authentication before going public.

Critical: Never expose /tinykit without authentication in production.

2. Use Environment Variables

Never hardcode API keys or secrets. Use .env for configuration.

LLM_API_KEY=sk-...

3. Enable HTTPS

Railway and most platforms provide HTTPS automatically. Never run without it.

4. Set Up Monitoring

Watch for unusual traffic patterns or error spikes.

Scheduling PocketBase Backups

Your PocketBase database (pb_data) contains all your data. Regular backups are essential.

Manual Backups

Access the PocketBase admin at /_pb/_ and use the built-in backup feature under Settings > Backups.

Automated Backups

Create a backup script and schedule it with cron:

#!/bin/bash
# backup.sh
set -euo pipefail

BACKUP_DIR="/path/to/backups"
CONTAINER="tinykit"
DATE=$(date +%Y%m%d_%H%M%S)

# Backups hold the full database, so keep the directory private
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"

# Create a backup inside the container (written to pb_data/backups)
docker exec "$CONTAINER" /app/pocketbase/pocketbase backup

# Copy the backup
docker cp "$CONTAINER:/app/pocketbase/pb_data/backups/." "$BACKUP_DIR/"

# Keep only last 7 days
find "$BACKUP_DIR" -name "*.zip" -mtime +7 -delete

echo "[$DATE] backups copied to $BACKUP_DIR"

Schedule with cron:

# Run daily at 2am
0 2 * * * /path/to/backup.sh

Test your restore process before you need it. A backup you can’t restore is worthless.

Adding Authentication

To protect the /tinykit route, you have several options:
tinykit uses PocketBase for authentication. Create users in the PocketBase admin (/_pb/_) and they can log in to access the builder.
  • Email/password authentication
  • JWT tokens with automatic refresh
  • Per-user accounts

Reporting Vulnerabilities

Found a security issue? Please report it responsibly:

Report a Vulnerability

Open a private security advisory on GitHub
We take security seriously and will respond promptly to legitimate reports.