firepanel
Sign inGet started
Docs

How Firepanel works

The architecture in plain terms — Firepanel reads live from your Firebase, encrypts your credentials, and never stores your data.

Firepanel is deliberately simple to reason about. There are really only three ideas: it reads your data live, it encrypts your credentials, and it doesn't store your data. This page explains each.

Firepanel reads live from your Firebase#

When you open a collection, Firepanel doesn't pull from a cache or a copy it made earlier. It uses your service account to call the Firebase Admin SDK at that moment and streams the result to your browser.

That means:

  • What you see is always the current state of your database.
  • An edit you make in Firepanel is written straight back to Firestore.
  • If you revoke access in Firebase, Firepanel stops working instantly — there's no stale copy to fall back on.

Your credentials are encrypted#

Your service account key is the one sensitive thing Firepanel holds. Here's its full lifecycle:

1

You connect a project

You paste the service account JSON into the connect wizard. It travels to our server over TLS.

2

We encrypt before storing

On the server, the JSON is encrypted with AES-256-GCM using a key held in isolated environment configuration — never in the database alongside the data it protects.

3

We decrypt only in memory

When a request needs Firebase access, the credential is decrypted in memory, used to authenticate that one request, and discarded. The plaintext never hits disk.

4

Your browser never sees it

The decrypted key lives only inside our server process during a single request. It is never sent to your browser.

Firepanel doesn't store your data#

This is the part people most want to be sure of: your documents are never copied onto our servers. Firepanel reads them live from your Firebase project and passes them through to your browser. When you close the tab, there's nothing left behind on our side.

The only things Firepanel's own database holds are:

  • Your account info (name, email, avatar from Google sign-in).
  • Your connected projects' encrypted credentials.
  • Metadata like saved views and an audit trail of actions taken in Firepanel.

Note

A short way to put it: Firepanel stores the key to your house, encrypted, and only ever uses it to let you in. It never moves your furniture into its own warehouse. The full breakdown is on the Data security page.

The stack#

For the record, here's where Firepanel runs:

LayerProvider
Application & hostingVercel
Database (accounts, encrypted credentials, audit log)Neon Postgres
Sign-inGoogle OAuth
PaymentsRazorpay
Transactional emailPlunk

Your actual Firebase data never lives in any of these — it stays in your Firebase project.

Next#

See exactly what Firepanel can and can't see in Data security, or what permissions the service account needs in Permissions.