Why Your PostHog Credentials Are Safe with HogWatch

by Flowstate Industries
When an app asks for your API key, what happens to it? This question matters, especially for PostHog keys that grant access to your product analytics data.

I designed HogWatch with your security and privacy as a primary concern. Here's what that means in practice.

Your Analytics Data Is Valuable

Your PostHog API key grants access to:

  • All your analytics events
  • Dashboard configurations
  • User activity data
  • Product usage patterns
  • Potentially sensitive behavioral data

For many companies, this data reveals business metrics, user behavior, and product strategy you wouldn't want competitors or bad actors to see. The key that unlocks this data deserves serious protection.

What HogWatch Promises

Your Credentials Never Leave Your Device

When you add a PostHog project to HogWatch, your API key is stored securely on your device using industry-standard secure storage. It stays there—period.

There's no account to create. No sign-up with your email. No cloud sync of your credentials. Your API key exists only on your iPhone.

No Middleman Server

Many mobile apps that connect to third-party services route everything through their own backend servers. Your credentials go to their server first, which then calls the API on your behalf.

HogWatch doesn't work that way. When you request data, HogWatch connects directly to PostHog's API. Your credentials travel from your device to PostHog's servers—nowhere else.

This means:
- I never see your API key. It never touches Flowstate Industries infrastructure.
- Nothing to leak. I can't accidentally expose credentials I never had.
- No single point of failure. If my website went offline, HogWatch would keep working.
- No data logging. Your analytics requests aren't passing through my servers where they could be logged.

Your Data Goes Directly to PostHog

Every API request follows a simple path:

Your device → PostHog's servers → Your device

That's it. No intermediaries, no proxies, no analytics about your analytics. You're using PostHog's API exactly as PostHog intended—just from a mobile-optimized interface.
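
The request path above can be checked from the device itself. As an added example (not HogWatch's code and not written by its author), this script reads an iOS App Privacy Report export and lists any host the app contacted outside an allowlist. The bundle ID `com.example.hogwatch`, the `posthog.com` suffix allowlist and the sample records are assumptions constructed for illustration.

```python
import json

# Constructed sample in the shape of an iOS App Privacy Report export (NDJSON).
# The bundle IDs and the non-PostHog domains are placeholders, not real values.
SAMPLE_REPORT = "\n".join([
    '{"type":"networkActivity","bundleID":"com.example.hogwatch","domain":"us.posthog.com","hits":42}',
    '{"type":"networkActivity","bundleID":"com.example.hogwatch","domain":"eu.posthog.com","hits":3}',
    '{"type":"networkActivity","bundleID":"com.example.hogwatch","domain":"api.relay.example","hits":7}',
    '{"type":"networkActivity","bundleID":"com.example.hogwatch","domain":"notposthog.com","hits":1}',
    '{"type":"networkActivity","bundleID":"com.example.other","domain":"cdn.example.net","hits":9}',
    '{"type":"access","bundleID":"com.example.hogwatch","category":"camera"}',
    'not json',
])

# Assumption: PostHog Cloud hosts end in posthog.com; self-hosted users list their own host.
ALLOWED_SUFFIXES = ("posthog.com",)


def is_allowed(domain, suffixes=ALLOWED_SUFFIXES):
    """Match on whole DNS labels so 'notposthog.com' does not pass as 'posthog.com'."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def unexpected_domains(ndjson_text, bundle_id, suffixes=ALLOWED_SUFFIXES):
    """Return {domain: hits} for hosts the app contacted outside the allowlist."""
    flagged = {}
    for line in ndjson_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(rec, dict):
            continue
        # Only network records for the app under review are relevant.
        if rec.get("type") != "networkActivity" or rec.get("bundleID") != bundle_id:
            continue
        domain = rec.get("domain", "")
        if not is_allowed(domain, suffixes):
            flagged[domain] = flagged.get(domain, 0) + int(rec.get("hits", 1))
    return flagged


if __name__ == "__main__":
    found = unexpected_domains(SAMPLE_REPORT, "com.example.hogwatch")
    for domain, hits in sorted(found.items()):
        print(f"unexpected host: {domain} ({hits} hits)")
```

An empty result shows which hosts the app contacted, not what was sent to them.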

No Data Collection by Flowstate

HogWatch doesn't collect:
- Your PostHog credentials
- Your analytics data
- Your usage patterns within PostHog
- Any personally identifiable information

The app is a window to your own PostHog data. I built the window; I don't look through it.

Why This Architecture Matters

When evaluating any tool that handles your credentials, consider:

Who has access to your credentials? With HogWatch, only you and PostHog. There's no third party in the chain.

What happens if the vendor is compromised? If Flowstate Industries were somehow breached, attackers would find no API keys—because we never had them.

What happens if the vendor disappears? HogWatch connects directly to PostHog. If Flowstate stopped existing tomorrow, the app would continue working until PostHog changes their API.

This direct-connection architecture eliminates entire categories of security concerns.

Practical Tips for API Key Security

Beyond choosing tools wisely, here are practices for keeping your PostHog access secure:

Use read-only keys when possible. PostHog allows creating API keys with limited permissions. For mobile viewing, you don't need write access. A read-only key limits potential damage if anything ever goes wrong.

Rotate keys periodically. If you ever suspect a problem, generate a new API key in PostHog and update HogWatch. This takes about a minute.

Protect your device. Use a strong passcode or biometric lock. The security of any locally-stored credential depends on your device remaining secure.

Keep your device updated. Security improvements ship with iOS updates. Staying current means staying protected.

The Bottom Line

Your analytics data is valuable. The credentials that grant access to it deserve proper protection.

HogWatch protects your credentials by:
- Storing them securely on your device only
- Never transmitting them to our servers
- Connecting directly to PostHog with no middleman
- Collecting no data about you or your analytics

Check your PostHog analytics from your phone without wondering who else might have access to your credentials.

Download HogWatch from the App Store and try it with confidence.

HogWatch is an independent app and is not affiliated with or endorsed by PostHog Inc.