SP-API Migration Validator Run free scan

Migration assurance

Security and source handling

The scanner performs static analysis only. It never executes uploaded code, installs its dependencies or calls Amazon. Source is processed ephemerally; source is not retained.

Upload isolation

ZIP uploads are checked for unsafe paths, archive bombs, symlinks, nested archives and encrypted entries. Unsupported and binary files are skipped.

Secrets and personal data

Credential-like values are masked before they are reported. Sample-data validators redact common personal-data fields, and analytics never receives filenames, snippets or tokens. .env files commonly contain credentials; prefer .env.example or redact all secrets before upload. Pasted text runs browser preflight before submit; uploaded files are received into isolated transient processing and scanned server-side before report persistence. Preflight blocks private keys, LWA client secrets, AWS keys, OAuth tokens, database URLs and password assignments before a report is saved.

Report access

Reports use random private access tokens and expire. Deleting a report removes its stored findings and metadata; uploaded source itself is not retained.

Retention contract

Source is not retained and is discarded when processing completes. The legacy sourceRetentionHours=24 value is only a hard cleanup timeout for exceptional transient buffers. Report findings and metadata are retained for the access period attached to the purchased product: 30 days for Single, 90 days for Bundle and 180 days for each Agency beta project after its first paid scan or unlock. Agency credits expire 180 days after purchase, no new project may be created after credit expiration, and Agency stored report data expires no later than 365 days after pack purchase. Free preview report access is 30 days.

Frequently asked questions

Do you execute uploaded code?

No. Analysis is static; dependencies are not installed and source code is never executed.

Do I provide Amazon credentials?

No. The scanner does not call Amazon and does not require Seller Central credentials.

Official sources

Recommended next action

Last reviewed: 2026-07-02.

Open the interactive scanner: /app#/security