Security

Runs on your machines. Nothing goes to our servers except license checks.

DevIntern is a tool you run, not a cloud that runs your code. Your source, your tracker credentials, and your model keys stay on your network, and each credential is sent only to the vendor it belongs to. This page lists exactly where every secret lives and where it goes.

The full inventory

Every credential, where it lives, where it goes

All credentials live in a project-local .devintern-code/.env file on your machine. devintern init adds it to your .gitignore automatically.

Jira credentials

JIRA_EMAIL, JIRA_API_TOKEN

Atlassian's API only

Fetch tasks, move statuses, post summaries

Linear API key

LINEAR_API_KEY

Linear's API only

Fetch and update issues

Trello credentials

TRELLO_API_KEY, TRELLO_API_TOKEN

Trello's API only

Fetch and update cards

Asana / Azure DevOps tokens

provider-specific

Their own APIs only

Fetch and update tasks

GitHub / Bitbucket tokens

GITHUB_TOKEN, BITBUCKET_TOKEN

Your repo host only

Open pull requests, read review comments

AI provider keys

e.g. ANTHROPIC_API_KEY

Your AI provider only

Your coding agent runs on your own contract

Git push credentials

your existing SSH key or credential helper

Your repo host only

Push branches, exactly as you do by hand

DevIntern license key

LICENSE_KEY

DevIntern's license API

The single credential that ever reaches us: an entitlement check

The license key is the only secret that ever flows to DevIntern, and it authorizes nothing outside DevIntern's own services.

By design

What DevIntern's servers never hold

There is no server-side copy of your work to secure, subpoena, or leak, because the architecture never sends it to us in the first place. Security review gets a short answer: the tools run where your code already lives.

  • Your source code, diffs, or repository contents
  • Your tracker credentials (Jira, Linear, Trello, Asana, Azure DevOps)
  • Your GitHub or Bitbucket tokens
  • Your AI provider keys
  • Ticket bodies, review comments, or pull request contents

Filesystem hygiene is built in: credentials are confined to the project-local env file, which is git-ignored on creation.

FAQ

Security questions, answered plainly

What data does DevIntern send to its own servers?

A license check: your license key and enough context to validate the entitlement. That is the complete list. Task content, code, prompts, and credentials never leave your environment.

Where do my credentials physically live?

In a .devintern-code/.env file inside your project directory, on your machine or server. devintern init creates it and adds it to .gitignore automatically so it cannot be committed by accident.

Which model sees my code?

Only the one you configure. DevIntern drives the coding agent you choose, with your own keys, so your code goes to your AI provider under your existing contract and nowhere else.

Does anything run in DevIntern's cloud?

No. All execution, including scheduled runs and the review webhook server, happens on hardware you control: a laptop, a devbox, a VM, or your CI.

Bring it to your security review

Questions this page does not answer? Ask, and we will answer them in writing.