Security
How GigSheet protects your charts and your account
The short version
GigSheet stores your songs and setlists on your device by default. There are no passwords to lose — sign-in uses one-time email links. If you turn on cloud sync (an optional paid feature), your data goes to a private Supabase project that only your authenticated account can read or write. Found a security issue? Email security@gigsheet.app.
Passwordless authentication
GigSheet does not store passwords. Sign-in works through magic links sent to your email by Supabase Auth — you click the link, we verify a one-time token, and you are signed in. There is no password to forget, reuse, or leak. If you lose access to your email, you lose access to the account; back up your library locally via Settings → Backup.
Local-first storage
Your songs, setlists, and imported files live in your browser's local storage — IndexedDB (via Dexie) for structured data and the Origin Private File System (OPFS) for files like PDFs. During normal use, that data stays on the device that wrote it. Nothing is transmitted to any server unless you explicitly export a backup or opt in to cloud sync.
Cloud sync boundaries
Cloud sync is an opt-in paid-tier feature. When enabled, your library is mirrored to a private Supabase project under your authenticated account: song metadata and setlists in Postgres, and large files (PDFs, ChordPro source) in object storage. Row-level security is enabled with a default deny-all policy — only the authenticated server routes acting on your behalf can read or write your data. Sync is off by default. Signed-out users sync nothing.
Backend access pattern
Sync and cloud-storage endpoints never use the anonymous public Supabase key for tenant data. Server routes authenticate the request using your session, then use a server-only service-role key to perform the actual database writes. The service-role key is never shipped to the browser and never exposed in client-side JavaScript. This means a compromised browser session cannot escalate to direct database access.
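A service-role key bypasses row-level security, so in this pattern the per-account check has to live in the server route itself. The sketch below is an added illustration, not GigSheet's code: the in-memory `songs` table, `verifySession`, `serviceDb` and `handleSyncSong` are hypothetical stand-ins, and the session tokens are constructed sample values.

```javascript
// Added illustration; every name here is hypothetical, not GigSheet's code.
// Constructed stand-ins so the example runs offline.
const sessions = new Map([["tok-alice", "user-alice"], ["tok-bob", "user-bob"]]);
const songs = []; // stands in for a Postgres table protected by deny-all RLS

// Stand-in for server-side session verification.
function verifySession(token) {
  return sessions.get(token) ?? null;
}

// Stand-in for a client built with the server-only service-role key.
// It bypasses RLS, so it performs no per-user filtering of its own.
const serviceDb = {
  find(id) {
    return songs.find((s) => s.id === id) ?? null;
  },
  upsert(row) {
    const i = songs.findIndex((s) => s.id === row.id);
    if (i >= 0) songs[i] = row;
    else songs.push(row);
  },
};

// Server route: authenticate first, then scope the write to the session's user.
function handleSyncSong(req) {
  const userId = verifySession(req.sessionToken);
  if (!userId) return { status: 401 }; // signed-out callers sync nothing

  const { id, title } = req.body ?? {};
  if (typeof id !== "string" || typeof title !== "string") {
    return { status: 400 };
  }

  // Refuse to overwrite a row that belongs to another account.
  const existing = serviceDb.find(id);
  if (existing && existing.owner_id !== userId) return { status: 403 };

  // owner_id comes from the verified session, never from the request body.
  serviceDb.upsert({ id, title, owner_id: userId });
  return { status: 200 };
}
```
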
Responsible disclosure
If you find a vulnerability, please email security@gigsheet.app with a description and reproduction steps. Please do not publicly disclose the issue until we have had a reasonable window to investigate and ship a fix. We will acknowledge your report and keep you posted on remediation.