Privacy and Security
MikroCanvas is local-first by default and stores boards in the browser profile with IndexedDB. Optional published snapshots use the MikroCanvas API and store board JSON in SQLite.
Data movement
Section titled “Data movement”In local mode, board data leaves the browser only when you export files, import files from disk, host the app through infrastructure that observes traffic, or use browser/profile features that sync local data.
In snapshot mode, board data is sent to the configured MikroCanvas API only when the user publishes a snapshot. Published snapshots are open by ID: anyone with a copied board link can load that snapshot into their browser.
Operators can configure an admin token for recovery deletion of remote snapshots.
File handling
Section titled “File handling”Imported JSON is parsed in the browser and normalized into a new local board. SVG and PNG export are generated client-side from the active board.
Threat model
Section titled “Threat model”MikroCanvas local mode is a static browser app. Its security posture depends on the browser, the host serving the files, and the care taken with exported board files.
Snapshot sharing intentionally has no auth gate for opening published snapshots. Treat board IDs as bearer links, use HTTPS in hosted deployments, and place the API behind network controls if links should not be reachable from the public internet.