Security at CodeLantern
Last reviewed: June 2026
Security and data minimization are built into how CodeLantern works, not bolted on. The platform is designed around three commitments: we store as little of your data as possible, we never hold more access than you’ve granted, and the access we do hold is short-lived, scoped, and encrypted. This page describes the specific measures behind those commitments.
The platform in brief
CodeLantern is a portal (an admin dashboard for your team and integrations), an MCP server (a stateless web service that carries out actions against the source-control and project-management platforms you connect), and a GitHub App. When your team runs CodeLantern skills as cloud agents, the work executes in your own GitHub Actions environment, not on our servers. Access to the platform is currently invite-gated during early availability.
Authentication & access
How your tools authenticate
CodeLantern never asks you to hand over credentials for it to use, its own or any provider's: no GitHub tokens, App private keys, or OAuth client secrets are ever given to us. How a session proves its identity depends on where it runs:
- Cloud agents (GitHub Actions). No CodeLantern secret is stored in your repository. Each run proves it belongs to your repo with a GitHub-signed OIDC token and exchanges it for a short-lived, organization-scoped session token — valid only for that environment, and only while the GitHub App is installed.
- Interactive use (the plugin, locally). Authenticates over OAuth in the browser. There’s no key to copy, paste, or store.
- Headless environments (other CI, containers). Where a browser-based flow isn’t possible, you can create a revocable API key — user- or organization-scoped — as an escape hatch. It’s not the primary or recommended way to authenticate with us.
When you do create an API key:
- It’s shown once, at creation. We store only a bcrypt hash and cannot recover it afterward.
- Revoking it takes effect immediately.
GitHub access
CodeLantern never holds a long-lived token to your repositories. On each request, our servers mint a short-lived GitHub App installation token (scoped to the repositories you authorized at install time), use it for that single request, and discard it; tokens are not cached or persisted. GitHub also expires installation tokens on its own side after one hour, so even a leaked token has a bounded lifetime.
The GitHub App requests only the permissions it needs, and you can see exactly why each one is there:
| Permission | Why we need it |
|---|---|
| Issues: write | Create, update, search, and comment on issues |
| Pull requests: write | List, create, update, and comment on pull requests |
| Contents: write | Lets the GitHub App open pull requests and mark drafts ready for review (GitHub ties these pull-request operations to the Contents permission, not to Pull requests alone), and lets it dispatch cloud-agent runs into your GitHub Actions environment via repository_dispatch, which also requires Contents: write |
| Organization projects: write | Move and update items on your project boards |
| Metadata: read | Basic repository information (GitHub’s mandatory baseline for all Apps) |
When a team member connects their own GitHub or Linear account so actions are attributed to them, those OAuth tokens are encrypted at rest (see Encryption) and refreshed automatically. If you revoke the App’s authorization on GitHub, we honor the revocation webhook and mark the stored tokens revoked.
Commands & webhooks
- Every incoming webhook is verified with an HMAC-SHA256 signature using a timing-safe comparison before any processing happens.
- Only repository owners, members, and collaborators can trigger CodeLantern commands — never outside contributors. The author’s repository association is checked on every command.
- Uninstalling the GitHub App is detected via webhook and the integration is removed on our side; binding an installation to a CodeLantern organization requires proof that the signed-in user actually holds that installation on GitHub.
Portal sign-in
- Sign-in uses GitHub OAuth or an emailed magic link that expires if unused. We never store passwords; there is no password database to breach.
- Sign-in uses the OAuth authorization-code flow with PKCE. Sessions are carried in secure, HTTP-only cookies and refreshed on every request.
Encryption
- OAuth tokens and integration credentials are encrypted at rest with AES-256-GCM, with support for key rotation designed in.
- All data in transit is protected with TLS; our endpoints are HTTPS-only. API keys travel in the Authorization header, never in URLs or query strings.
Who can access your data
We keep the access surface deliberately small:
- Production access (hosting and database) is limited to a small number of authorized engineers, for operational support purposes only.
- Two-factor authentication is enforced on our GitHub organization, hosting, and database accounts.
- CodeLantern staff cannot see your source code: the platform never reads your repository contents directly; data fetched on your behalf — including issue, pull request, and diff content — passes through and is returned to your tool, not retained. The only customer content we hold is what your team explicitly saves to its knowledge base through our skills — we store those entries as your team writes them.
What we store — and what we don’t
We store organization and account metadata, hashed API keys, integration metadata and encrypted tokens, workflow metadata (repository names, issue numbers, workflow states), usage analytics, and knowledge-base entries your team saves. The full inventory, grouped by how it arises, is in our Privacy Policy.
We do not store your source code, diffs, or the contents of your issues and pull requests. That data passes through our service to fulfill your request and is returned to you — not retained.
Platform data is retained for as long as your organization exists. Deleting your organization (admin-only, with typed confirmation) removes all of its data in a single hard cascade across every org-scoped table — there is no soft-delete and no recovery, and the organization’s API keys stop working immediately. You remain responsible for revoking the GitHub App installation and any Linear grants on those platforms; we link you there directly from the delete confirmation.
Data residency
Persistent data is stored in a Canadian region (AWS ca-central-1, via Supabase). GitHub and Linear data transits our compute layer (Vercel), which may run outside Canada, in-flight only — it is not persisted there.
Infrastructure & service providers
We don’t run our own servers; the platform is built on a small set of providers that maintain industry-recognized certifications:
| Provider | Role | Certifications |
|---|---|---|
| Vercel | Application hosting | SOC 2 Type II, ISO 27001:2022 |
| Supabase | Database (Canadian region) | SOC 2 Type II |
| Resend | Transactional email | SOC 2 Type II |
Our database is backed up automatically every day by Supabase.
GitHub and Linear are the source-control and project-management platforms your organization chooses to connect, under your own accounts. We make API requests to them only on your instructions, scoped to the access you authorize — so we do not consider them sub-processors.
Secure development
- Every change is reviewed via pull request before it reaches production; nothing merges without review.
- Automated tests run in CI on every pull request.
- Dependencies are monitored for known vulnerabilities with automated alerts.
Incident response
If a security incident affects your data, our engineering leadership responds directly, and we commit to notifying affected customers without undue delay, consistent with our obligations under Canadian privacy law (PIPEDA).
Compliance
CodeLantern is a Canadian company, and our practices align with PIPEDA and CASL. We do not currently hold formal certifications such as SOC 2 or ISO 27001; we’ll update this page as our compliance program matures.
Reporting a vulnerability
Found a security issue? Email security@codelantern.com. We appreciate responsible disclosure and will work with you to investigate and resolve verified reports.