Vibe Coded Apps lets you connect the internal apps your team builds on platforms like Lovable and Base44 to Torii, so you can see who uses each app, keep access in check, and sync users automatically. No manual integration work is needed: Torii walks you through adding a secure, read-only users API to your app, then takes over the syncing.

What you can do

• See every internal app your team has vibe-coded, in one place.
• View who has access to each app and how many users it has.
• Keep user lists in sync automatically, the same way Torii syncs any other integration.
• Govern access: each connected app becomes a regular Torii app, so it works with your existing offboarding, access reviews, and reports.

Before you start

• Your org has the AI Module enabled.
• You can edit the app on its building platform (for example, you can open its project chat in Lovable or Base44).
• The app is published and has a public URL. Preview links won't work, the API only goes live once you publish.
• You have the Integrations: write permission in Torii.

Supported platforms

Vibe Coded Apps has guided setup for Lovable and Base44, and an Another platform option that works with any tool that can add an API to your app (for example v0, Bolt, or Replit). The flow is the same for all of them, the only difference is where the users API ends up being served.

How it works

Torii doesn't read your app's database directly. Instead, the connect wizard gives you a ready-made prompt to paste into your app's AI chat. That prompt asks the app to expose a read-only endpoint that lists the app's users in the standard SCIM 2.0 shape, protected by an API key that Torii generates. Once the endpoint is live, Torii calls it on a schedule to keep the user list current. The endpoint is read-only, it never writes to or changes your app.

Connect an app

1. Open Vibe Coded Apps. In Torii, go to AI in the left navigation and open Vibe Coded (or open the Vibe Coded Apps card on the AI Integrations page). Click Connect Vibe Coded App.
2. Pick the platform. Choose the platform your team built the app on, Lovable, Base44, or Another platform.
3. Enter the app details. Give the app a name (how it will appear in Torii, it doesn't need to match the name on the building platform) and paste its published app URL.
4. Set up the users API. Torii shows a prompt tailored to your app. Copy it and paste it into your project's chat on the building platform. The platform adds a secure, read-only users API to your app. When it's done, publish your app so the new endpoint goes live, the platform then reports the endpoint's URL.
5. Confirm the users API URL. Torii pre-fills the URL it expects (for Lovable and Base44 this is the /functions/scimUsers path). If your app reported a different URL, paste it here so Torii calls the right place. You can also override the API key on this step if your app already uses one of its own.
6. Connect. Click I've pasted & published, connect. Torii tests the endpoint, and on success the app is connected and its users start syncing. You'll see how many users were found in the connection test.

Manage connected apps

Each connected app appears as a row on the Vibe Coded Apps page with its name, the platform it was Built with, its Users count, the Last sync time, and a Health badge (Healthy, Syncing, or Sync error). Hover a row to reveal its actions:

• Sync now — trigger an immediate sync. This becomes available after the first sync completes.
• Update API key — rotate the API key Torii uses to call the app. Update it in your app first, then set the new value here.
• Remove integration — stop Torii from syncing the app's users. This removes the integration only, it does not delete the app from Torii. You can delete or hide the app later from its app page.

The users API Torii adds (for developers)

The prompt asks your app to expose a GET endpoint that follows the SCIM 2.0 list convention. Platforms that serve backend functions under a fixed namespace (Lovable, Base44) create a function named scimUsers, reachable at /functions/scimUsers. The endpoint:

• Authenticates with a Bearer API key (Authorization: Bearer <key>) that Torii generates, you can rotate it later from Torii.
• Returns JSON in SCIM list shape: { "Resources": [ { "userName": "<email>", "emails": [ { "value": "<email>", "primary": true } ], "name": { "givenName": "<first>", "familyName": "<last>" }, "active": true, "role": "<role>" } ] }. userName is the user's email; name and role are included when the app has them.
• Uses active: true for active users and active: false for deactivated ones, Torii uses this to mark each user as active or removed.
• Is strictly read-only, no writes, no mutations, and no new data collection.

Troubleshooting

• "This looks like a preview link." Publish the app and paste its published URL, not a preview/editor URL.
• The connection test failed. Make sure the app is published and the users API is live, then click Test again. Use Advanced on the failure screen to correct the endpoint URL or API key, then Save & test. Show full error reveals the raw response if you need to share it with support.
• No users were returned. Torii won't connect an endpoint that returns zero users. Confirm the app actually has users and that the endpoint returns them in the SCIM shape above.
• The endpoint is at a different path. Some platforms serve the function at their own path. Paste the exact URL the platform reported into the Users API URL field.
• The API key doesn't match. If your app already uses its own key, set that key on the setup step (or override it on the failure screen) instead of the generated one.

Privacy and security

The endpoint Torii adds is read-only and only returns the user list, it never writes to your app or collects new data. The API key is held as a secret in your app and is checked on every request, and you can rotate it from Torii at any time using Update API key.