Security & privacy
oasdiff reviews your API changes without taking custody of your API. Your OpenAPI specs are encrypted before they reach us, or never uploaded at all. Here is exactly what that means.
Your specs are encrypted before they reach us
On the free CLI, the GitHub Action, and the diff tool, oasdiff computes the comparison and encrypts both specs plus the changelog on your side, on your machine or in your CI, before anything is uploaded. The decryption key travels only in the review link's URL fragment (the part after the #), which browsers never include in the request they send to a server. So oasdiff's servers only ever hold ciphertext we cannot read. The same applies to the Pro pull-request review.
Two honest details, so there are no surprises. First, anyone with the full review link (including the key after the #) can open the review: the link is a shareable capability, like an unlisted link, so treat it the way you would treat a secret. Second, the page that decrypts in your browser is served by oasdiff and protected by a strict Content-Security-Policy, so the integrity of that page is part of what you trust. The full mechanism is documented in how the encrypted review works.
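The following is an added example, written for this page and not taken from oasdiff's code base, that demonstrates the two properties the paragraphs above rely on: the key lives only in the URL fragment, which is not part of what an HTTP client requests from the server, and whoever holds the full link (and only they) can decrypt. The cipher (AES-256-GCM), the link layout (/r/<id>#<key>), the review id and the host reviews.example.test are illustrative assumptions, not oasdiff's actual format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Illustrative only: not oasdiff's code. The cipher (AES-256-GCM), the link
// layout (/r/<id>#<key>) and the host used in main are assumptions.

// aead builds the AES-GCM instance for a 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the bundle client-side and returns nonce||ciphertext||tag,
// which is the only thing that would be uploaded.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails on a wrong key or on tampered ciphertext.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed bundle too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// ReviewLink puts the key in the fragment; the path carries only the review id.
func ReviewLink(base, reviewID string, key []byte) string {
	return fmt.Sprintf("%s/r/%s#%s", strings.TrimRight(base, "/"), reviewID,
		base64.RawURLEncoding.EncodeToString(key))
}

// ServerSees returns the request target an HTTP client sends for the link:
// path plus query only, so the fragment (and the key) never leaves the client.
func ServerSees(link string) (string, error) {
	u, err := url.Parse(link)
	if err != nil {
		return "", err
	}
	return u.RequestURI(), nil
}

// KeyFromLink recovers the key the way the in-browser page would from
// location.hash. A link stripped of its fragment cannot open the review.
func KeyFromLink(link string) ([]byte, error) {
	u, err := url.Parse(link)
	if err != nil {
		return nil, err
	}
	if u.Fragment == "" {
		return nil, errors.New("link carries no key; the review cannot be opened")
	}
	return base64.RawURLEncoding.DecodeString(u.Fragment)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample standing in for the spec-plus-changelog bundle.
	sealed, err := Seal(key, []byte("openapi: 3.0.3\ninfo: {title: Pets, version: 2.0.0}\n"))
	if err != nil {
		panic(err)
	}
	link := ReviewLink("https://reviews.example.test", "7f3a", key)
	target, _ := ServerSees(link)
	fmt.Printf("uploaded %d ciphertext bytes; server sees a request for %s\n", len(sealed), target)
	k, err := KeyFromLink(link)
	if err != nil {
		panic(err)
	}
	plain, err := Open(k, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("link holder decrypted: %q\n", plain)
	_, err = Open(make([]byte, 32), sealed)
	fmt.Println("decrypting without the fragment key (as the server would have to):", err)
}
```

Run it with go run; the printed request target is /r/7f3a with no fragment, while the same link, parsed on the client, yields the key and decrypts. This is also why the link is a capability: KeyFromLink works for anyone holding the complete URL, and fails for anyone holding only the part the server ever saw.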
We never store your specs in readable form
The encrypted bundle is stored only long enough to serve the review (free links expire after 7 days; Pro reviews are kept for the life of the pull request). We never write your spec content to our database in a form we can read, and we never use your specs for anything but rendering the review you asked for.
Enterprise: keep specs on your own GitHub
For teams that can't upload spec content at all — even encrypted — oasdiff Enterprise loads each spec live from GitHub at review time, using the reviewer's own access. Nothing is uploaded or stored by oasdiff; spec access strictly follows each reviewer's GitHub permissions. See oasdiff Enterprise.
The GitHub App reads no code
The optional oasdiff GitHub App requests only Pull requests and Commit statuses (read & write) — enough to post the review comment and set the merge-gate check. It does not request the Contents permission, so it cannot read your repository code.
Cookieless analytics, open-source core
We use privacy-friendly, cookieless analytics — no ad networks, no cross-site tracking, no consent banner needed. The oasdiff engine (CLI and GitHub Action) is open source under the Apache 2.0 license, so the detection and the client-side encryption are auditable on GitHub.
For data handling and your rights, see the privacy policy. Security questions or a vendor review? Email info@oasdiff.com.