πŸ› Gotcha. Settings
Open dashboard β†—

πŸ”‘ About your saved keys

API keys and tokens are stored in this browser profile's local extension storage (chrome.storage.local). They're never echoed back into this page and never leave your machine except in the API calls to the tracker or LLM you configure. They are not encrypted at rest β€” Chrome has no OS keychain an extension can use, so any encryption key would have to sit in the same profile. For at-rest protection, rely on full-disk encryption (FileVault / BitLocker) and a locked OS user account.

Linear MVP

Personal API key (Settings β†’ API) and the target team id.

Jira

Atlassian Cloud site, account email, API token, and project key.

GitHub

Fine-grained PAT with Issues: write, and the target repository.

Slack

An Incoming Webhook URL. "Test connection" posts a one-line test message to the channel.

AI assistant bring your own key

Optional. On the review screen you can ask an LLM to summarise the bug and suggest debugging steps. Gotcha uses your own API key (no Gotcha server, no added cost) and the report is always redacted before it is sent. Works with OpenAI, Anthropic, and Google Gemini.

Capture & replay

Instant Replay keeps a rolling local buffer of the last 2 minutes on the page (held in memory only, never sent anywhere) so you can file a bug β€” with a watchable replay β€” after it happens. Off by default.

Privacy & capture rules

Redaction (Authorization headers, cookies, emails, card numbers, JWTs, password/secret fields, secret query params, the DOM snapshot) is on by default on every report and toggled per-report on the review screen.