Account & Security

Do you store my API token?

Yes, your API token is stored in our database, but it is encrypted at rest using AES-256 encryption, the same encryption standard used by banks, government agencies, and major cloud providers. The token is never stored in plaintext, never logged in application logs, never shared with third parties, and never transmitted anywhere except to the Apify API over HTTPS.

Here is how the security architecture works. When you enter your API token in ApifyForge Settings, it is encrypted using AES-256 before being written to the database. The encryption key is stored separately from the database in a secure key management system, meaning that even if someone gained access to the database directly, they could not decrypt your token without the separate encryption key. When ApifyForge needs to make an Apify API call on your behalf, the token is decrypted in memory, used for the API request, and never written to disk in decrypted form.

You maintain full control over your token at all times. If you want to revoke ApifyForge's access, you have two options. First, you can go to ApifyForge Settings and click Disconnect, which deletes the encrypted token from our database immediately. Second, you can go to your Apify account at console.apify.com/account/integrations and delete the token directly, which invalidates it everywhere instantly; ApifyForge will no longer be able to make API calls with that token.

As a security best practice, we recommend several measures. Create a dedicated API token specifically for ApifyForge rather than reusing tokens from other integrations. Rotate your tokens periodically; every 90 days is a reasonable cadence. If you suspect any security issue, revoke the token immediately from your Apify account settings and generate a new one. Monitor your Apify account's API call logs for any unexpected activity.

For more details on the security boundaries, see the related question about what data ApifyForge can access. To learn how to disconnect and remove your token entirely, see the question about how to disconnect your account.
