An unofficial Progressive Web App (PWA) for GoatCounter analytics. Track your website analytics on the go with a mobile-friendly interface.
- Real-time Analytics: View stats from multiple GoatCounter sites in one place
- Flexible Date Ranges: Support for hourly (1H, 6H, 12H) and daily (1D, 7D, 30D) time periods
- Visual Analytics: Interactive world map showing visitor locations with color-coded intensity
- Detailed Metrics: Track page views, unique visitors, browser stats, and referral sources
- Offline Support: Smart caching keeps your data available even without internet
- PWA Ready: Install on mobile and desktop devices for a native app experience
- Secure: Store your API key locally or compile it into the app
A free version of this site is available. If this gets slammed with routine use, then it may be removed.
- Node.js 18 or higher
- A GoatCounter account with API access
- Clone the repository:
git clone https://github.com/serrodneyrich/shepherd.git
cd shepherd- Install dependencies:
npm install- Run the development server:
npm run dev- Open [http://localhost:3000] in your browser
- Open the app and navigate to Settings
- Enter your GoatCounter API key
- Go to your GoatCounter site → Click @Username (top-right) → Settings → API
- Generate API Key with "Read Sites" and "Read Statistics" permissions only
⚠️ Never use an API key with write permissions
- Add your GoatCounter sites (site code is the subdomain, e.g., "example" from example.goatcounter.com)
- Start viewing your analytics
For self-hosted deployments, you can pre-configure an API key:
- Create a
.env.localfile in the project root:
NEXT_PUBLIC_GOATCOUNTER_API_KEY=your_read_only_api_key_here- Build and deploy your instance
Important:
NEXT_PUBLIC_*variables are embedded in the client-side JavaScript bundle- Anyone can view the value by inspecting your deployed app
- Only use read-only API keys
- Never commit
.env.localto version control (already in .gitignore)
Shepherd implements conservative rate limiting (roughly 2 requests per second) to respect GoatCounter's API limits. The app also caches responses for 5 minutes to reduce unnecessary API calls.
Rate limiting is coordinated across browser tabs to prevent accidental API abuse when multiple tabs are open.
Shepherd is a client-side Progressive Web App (PWA). This means:
- All code runs in your browser
- API calls are made directly from your device to GoatCounter
- There is no backend server processing your requests
Best Practices:
- Use Read-Only API Keys: Create API keys with ONLY "Read Sites" and "Read Statistics" permissions
- Never Share API Keys: Your API key grants access to your analytics data
- Trusted Devices Only: Only enter your API key on devices you control
- Self-Host for Production: For maximum security, fork and deploy your own instance
Security Limitations:
- API keys are stored in browser localStorage (unencrypted)
- Keys are visible in browser DevTools to anyone with device access
- This is inherent to client-side PWA architecture
- No Tracking: Shepherd itself does not collect or track any user data
- No Third-Party Services: No data is sent to third parties (except GoatCounter API)
- Local Storage: All settings and cache are stored locally in your browser
- Offline Capable: Data is cached locally for offline access
If you discover a security vulnerability, please:
- Do not open a public GitHub issue
- Email the maintainer or use GitHub's private security advisory feature
- Provide details about the vulnerability and steps to reproduce
This project is open source and available under the MIT License.
- GoatCounter - The excellent privacy-friendly analytics platform this app is built for
- The open source community for the amazing tools and libraries
- For GoatCounter questions: GoatCounter Help
This is an unofficial third-party application and is not affiliated with or endorsed by GoatCounter. Use at your own risk.