Credentials & security

How Dora stores connection credentials and AI keys, and how it secures private-network connections.

Dora is a local desktop app: your data and credentials stay on your machine and go directly to your databases and chosen providers. There is no Dora server in the middle.

Connection credentials

Saved connections are stored in a local SQLite database in your app data directory. Connection passwords are not persisted in plaintext — for a saved connection you re-enter the password when needed rather than having it written to disk unprotected.

Treat connection strings as secrets: they often embed a username and password. Anyone with read access to an exported string can use it.

AI provider keys

API keys for the AI assistant are encrypted at rest with AES-256-GCM. The master encryption key is generated on first run and stored in your operating system keychain:

  • macOS — Keychain,
  • Linux — Secret Service (gnome-keyring / libsecret),
  • Windows — Credential Manager.

The master key is never written to disk in plaintext. If no OS keychain is available, Dora falls back to a local key file so the app still works, but the keychain is preferred. You can also supply keys via environment variables instead of saving them.
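As an added example (not Dora's own code), this Go program shows what AES-256-GCM encryption at rest provides: a fresh nonce per encryption and an authentication tag that makes decryption fail if the stored blob, the key or the record label changes. The blob layout, the label bound as associated data, and the in-memory key standing in for the keychain-held master key are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds the AEAD; the [32]byte key type pins the cipher to AES-256.
func newGCM(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag (layout assumed for this example).
// label is bound as associated data so a blob cannot be swapped between records.
func Seal(key [32]byte, secret []byte, label string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per encryption
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, secret, []byte(label)), nil
}

// Open checks the tag first: a changed blob, label or key gives an error, not data.
func Open(key [32]byte, blob []byte, label string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, fmt.Errorf("invalid key or truncated blob")
	}
	n := aead.NonceSize()
	return aead.Open(nil, blob[:n], blob[n:], []byte(label))
}

func main() {
	var key [32]byte // stand-in for the master key held in the OS keychain
	rand.Read(key[:])
	blob, _ := Seal(key, []byte("sk-constructed-example"), "provider-a")
	pt, err := Open(key, blob, "provider-a")
	fmt.Println(string(pt), err)
}
```

The practical consequence is that a copied blob is useless without the master key, which is why the keychain matters more than the encrypted file.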

Private-network databases

To reach a database that is not exposed to the internet, use an SSH tunnel. Dora authenticates with a private key file, a password, or your SSH agent, opens the tunnel before connecting, and closes it on disconnect — your database stays unexposed.

Cloud provider tokens

Account integrations (Supabase, Neon, Vercel, PlanetScale, Xata, Cloudflare, Turso) store the provider token in the same secure storage and use it only to list your databases and build connections.