Last updated: June 20, 2026
Brevi is designed so sensitive server secrets stay on the backend. The Chrome extension only uses public configuration and user session tokens.
Authentication
Brevi uses Supabase email one-time-code authentication. The backend verifies the Supabase access token on each request before trusting user identity.
Payments
Checkout is created server-side. Lemon Squeezy webhook events are verified with a signing secret before credits are granted.
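The webhook check described above, as an added example (not Brevi's own code). It assumes Lemon Squeezy's documented scheme, a hex HMAC-SHA256 of the raw request body sent in the X-Signature header; the function names, the secret and the sample event are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample values; not a real signing secret or a real event.
SIGNING_SECRET = b"constructed-example-secret"
SAMPLE_BODY = b'{"meta":{"event_name":"order_created"},"data":{"id":"1"}}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the exact bytes on the wire (the sender's side)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_header) -> bool:
    """True only if the header value matches the HMAC of the raw body."""
    if not secret or not isinstance(signature_header, str):
        return False  # fail closed: unset secret or missing header
    expected = sign(secret, raw_body).encode()
    supplied = signature_header.strip().encode("utf-8", "replace")
    # Constant-time comparison, so timing does not leak matching prefixes.
    return hmac.compare_digest(expected, supplied)


def handle_webhook(secret: bytes, raw_body: bytes, signature_header):
    """Verify first, parse second. Returns (http_status, event_name)."""
    if not verify_webhook(secret, raw_body, signature_header):
        return 401, None  # never parse or act on unauthenticated input
    event = json.loads(raw_body)
    # Credits would be granted only past this point (hypothetical step).
    return 200, event.get("meta", {}).get("event_name")


if __name__ == "__main__":
    good = sign(SIGNING_SECRET, SAMPLE_BODY)
    print(handle_webhook(SIGNING_SECRET, SAMPLE_BODY, good))
    # Re-serialized JSON has different bytes, so the signature no longer matches.
    reencoded = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print(handle_webhook(SIGNING_SECRET, reencoded, good))
```

The signature covers bytes, not parsed JSON, so the handler must read the raw request body before any framework middleware decodes and re-encodes it.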
Reporting security issues
Email getbrevi@gmail.com with a clear description and reproduction steps.