Big-AGI Data Ownership Guide
Big-AGI is a client-first web application, which means it prioritizes speed and data ownership compared to cloud apps. Your API keys, chat history, and settings live in your browser's local storage, not on cloud servers.
You can use Big-AGI in two ways:
- Run it yourself (open-source)
- Use big-agi.com (hosted service)
This guide explains how the open-source version handles your data. You can verify everything in the source code.
Client-Side Storage
Within Big-AGI, almost all chat and key data is handled client-side in your browser, using two standard browser storage mechanisms:
- Local Storage: API keys, settings, and configurations
- IndexedDB: Chat history and larger files
The Big-AGI backend mainly passes requests to AI services (OpenAI, Anthropic, etc.). It doesn't store your data, except for the chat-sharing function if used.
You can see your data in your browser's local storage and IndexedDB - try it yourself:
- In Chrome: Open DevTools (press F12 on Windows, ⌘ + ⌥ + I on Mac)
- Click 'Application' > 'Local Storage'
- See your settings and API keys
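To review what those steps expose without reading keys off the screen, this added example (not Big-AGI's own code) lists credential-like fields in a storage area with their values redacted. The field-name pattern and the sample entries are assumptions, not Big-AGI's actual schema.

```javascript
// Added example. The field-name heuristic and sample entries are assumptions,
// not Big-AGI's actual storage schema.
const SECRET_NAME = /(key|token|secret|password)/i;

// Show only enough of a value to recognise it, never the whole credential.
function redact(value) {
  if (value.length <= 8) return '*'.repeat(value.length);
  return `${value.slice(0, 4)}...${value.slice(-2)} (${value.length} chars)`;
}

// Walk parsed JSON and collect non-empty string fields with a secret-like name.
function findSecrets(node, path, out) {
  if (node === null || typeof node !== 'object') return out;
  for (const [name, value] of Object.entries(node)) {
    const here = `${path}.${name}`;
    if (typeof value !== 'string') findSecrets(value, here, out);
    else if (value !== '' && SECRET_NAME.test(name)) {
      out.push({ path: here, preview: redact(value) });
    }
  }
  return out;
}

// storage: any object with the Web Storage interface (length, key(i), getItem(k)).
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const entry = storage.key(i);
    const raw = storage.getItem(entry);
    let parsed = null;
    try { parsed = JSON.parse(raw); } catch { /* not JSON: treat as plain string */ }
    if (parsed !== null && typeof parsed === 'object') findSecrets(parsed, entry, findings);
    else if (raw && SECRET_NAME.test(entry)) findings.push({ path: entry, preview: redact(raw) });
  }
  return findings;
}
// Constructed sample standing in for a browser's localStorage.
function sampleStorage() {
  const data = {
    'example-models': JSON.stringify({ state: { services: [
      { id: 'provider-a', setup: { apiKey: 'sk-constructed-0000000000', host: '' } },
      { id: 'provider-b', setup: { apiKey: '' } }] }, version: 1 }),
    'example-ui': JSON.stringify({ state: { theme: 'dark' } }),
    'legacy_token': 'abcd1234',
  };
  const keys = Object.keys(data);
  return { length: keys.length, key: (i) => keys[i], getItem: (k) => data[k] ?? null };
}
// In a browser console: console.table(auditStorage(window.localStorage));
```

Running it before lending a machine or exporting a backup shows which entries hold credentials that are worth clearing or rotating.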
Sync for Authenticated Users
Users with accounts on big-agi.com who opt into Sync (a Pro feature) have their entity data - such as conversations and personas - replicated to the server for multi-device access. Server-side data is isolated per-user using Row Level Security (RLS), ensuring that no other user can access your synced data. Sync is entirely optional; without it, all data remains local to your browser.
What This Means For You
Storing data in your browser means:
- Your data stays on one device/browser only
- Clearing browser data erases your chats - make backups
- Anyone using your browser can see your chats and keys
- Running your own server needs technical skills
Local Device Identifier
Big-AGI generates a device identifier that combines timestamp and random components, stored only on your device. This identifier:
- Is used only for the optional sync functionality between your devices
- Helps maintain data consistency when using Big-AGI across multiple devices
- Remains completely local unless you explicitly enable sync
- Is not used for tracking, analytics, or telemetry
- Can be deleted anytime by clearing local storage
- Is fully transparent - see the implementation in src/common/stores/store-client.ts
How Data Flows
AI interactions in Big-AGI (chats, AI titles, text to speech, browsing) flow through three components:
- Browser (client/installed App) - Stores your keys & data locally
- Backend (routing server) - Passes requests to AI services
- AI Services - Where the actual AI processing happens
Self-Deployed Version: Your Infrastructure
You run the server. Your data only leaves when making AI requests. The keys and chats are under your control and pass through your code, and are sent to the upstream AI services on a per-request basis.
Web Version: Using big-agi.com
Your data passes through the hosted Big-AGI edge network to reach AI services. The keys and chats pass through Big-AGI's edge network on a per-request basis and are then sent to the upstream AI services.
Direct Connection (Browser → AI Service)
Most AI services offer a Direct Connection toggle (under a service's Advanced settings). When enabled, the browser calls the AI provider's API directly, skipping the Big-AGI server entirely.
Benefits:
- No 4.5 MB upload limit - the Vercel body-size cap does not apply, so larger attachments and long prompts go through.
- No 300-second timeout - the Vercel function timeout does not apply, so long-running generations keep streaming.
- More privacy - connection metadata (IP, timestamp, edge region, Vercel telemetry) is not observable by the Big-AGI edge server.
Tradeoff:
- Slightly more downlink bandwidth: when traffic passes through the Big-AGI edge, repetitive streaming frames are compacted; direct streams arrive verbatim from the provider.
Availability requires both:
- The API key is set in your browser (client-side), not via server environment variables. Server-key deployments cannot use Direct Connection because the browser has no credential to send.
- The AI service allows CORS (browser-origin requests). Most major providers do; Big-AGI sets any extra headers they require.
Direct Connection is a net win on speed, limits, and privacy whenever the provider permits it.
Security Best Practices
Basic Security:
- Never share API keys
- Don't use shared computers
- Use private browsing for one-off sessions
- Use trusted networks
- Back up your data
When Running Your Own Server:
- Use environment variables for API keys
- Run on trusted infrastructure
- Keep your installation updated
TL;DR
Your API keys and chats stay in your browser. The server only passes requests to AI services.
Use big-agi.com for convenience, or run it yourself for full control.
Need help? Join our Discord or open a GitHub issue.