Reference

Data Access & Permissions

ConfigTrace is built for configuration metadata, not customer data. This page explains exactly what ConfigTrace reads from each provider — and what it is architecturally incapable of accessing.

On this page
  1. The metadata-first principle
  2. AWS
  3. Firebase
  4. Supabase
  5. Stripe
  6. GitHub
  7. Cloudflare
  8. Vercel
  9. Shopify
  10. Credential storage and encryption

The metadata-first principle

ConfigTrace is a configuration drift detector, not a data pipeline. It monitors the rules, settings, and policies that control your infrastructure — not the data those settings protect. This distinction is intentional and enforced by the permissions ConfigTrace requests.

ConfigTrace uses read-only APIs. It requests only the permissions it needs to read configuration metadata, and has no write access to any provider.

AWS

Reads
  • EC2 security group rules and inbound/outbound settings
  • IAM policy documents and role attachments
  • Route 53 hosted zones and DNS record sets
  • S3 bucket policies, public access settings, ACLs, encryption config
Never reads
  • S3 object contents or bucket data
  • RDS, DynamoDB, or any database records
  • CloudWatch log event contents
  • Secrets Manager or Parameter Store values
  • Application data of any kind

Firebase

Reads
  • Firestore security rules
  • Firebase Storage security rules
  • Realtime Database rules
  • Project metadata and settings
  • Auth configuration: sign-in providers, authorized domains
  • Hosting configuration
  • Cloud Functions metadata (names, triggers — not code)
Never reads
  • Firestore collection or document contents
  • Storage file contents
  • Firebase Auth user records
  • Cloud Functions source code
  • Secret Manager values
  • Any customer or user data

Supabase

Reads
  • Row-level security (RLS) policy definitions
  • Auth config: OAuth providers, JWT settings, redirect URL allowlist
  • Storage bucket metadata: names, access mode, size limits
  • Edge Function metadata: names, status (not code)
  • Project API and connection settings
Never reads
  • Table row data
  • Storage file contents
  • Auth user records, passwords, or sessions
  • Edge Function source code
  • Service role key values
  • JWT secret values

Stripe

Reads
  • Webhook endpoint URLs, status, and subscribed events
  • Product and price configuration
  • API key metadata: names, created dates (not values)
  • Account settings: business name, branding, support contact
Never reads
  • Card numbers or payment method data
  • Customer records or PII
  • Transaction or payout history
  • Webhook signing secrets
  • Full API key values

GitHub

Reads
  • Branch protection rules and required status checks
  • Repository settings: visibility, default branch, merge settings
  • Webhook URLs, status, and event subscriptions
  • Actions secrets metadata: names only (not values)
  • Actions variables: names and values
  • Deploy keys: titles and access levels
  • Actions permissions settings
Never reads
  • Source code or file contents
  • Commit history or diff content
  • Pull request content
  • Actions secret values
  • User data or emails

Cloudflare

Reads
  • DNS records: A, AAAA, CNAME, MX, TXT, NS, SRV, CAA
  • Per-record TTL and proxy status
Never reads
  • Website traffic or visitor data
  • Cached content or responses
  • Workers script code
  • SSL private keys
  • Account billing or member data

Vercel

Reads
  • Project settings and framework configuration
  • Custom domain names and redirect settings
  • Environment variable names and target environments
  • Deployment protection settings
  • Git integration settings
Never reads
  • Environment variable values
  • Build or runtime logs
  • Serverless function code
  • Edge config or edge middleware values
  • Customer data

Shopify

Reads
  • Shop metadata and operational settings
  • Webhook subscription metadata (target URL, topic, status)
  • Store policy presence and content-hash metadata
  • Installed-app permission scope names and scope risk summary
Never reads
  • Customer records or customer PII
  • Order contents or checkout payloads
  • Payment details or transaction contents
  • Inventory contents
  • Theme files or source code
  • Admin API secret key values
  • Gift card or payment transaction contents

Credential storage and encryption

All credentials you provide to ConfigTrace — API tokens, service account JSON, access keys — are encrypted before being stored. Credentials are never logged, displayed in the UI after saving, or transmitted in plain text. ConfigTrace connects to provider APIs over HTTPS only.

If you ever need to rotate credentials, go to Integrations → open the integration → Edit credentials. You can update credentials without losing your sync history or baseline.