Security & Data Handling

ApifyForge is a zero-credential-storage platform: your Apify API token never leaves your local machine, and ApifyForge servers store 0 API tokens. ApifyForge accesses only 5 categories of run metadata (status, duration, resource consumption, dataset item counts, build history) and transmits none of the 5 sensitive data types it explicitly excludes: source code, environment variables, dataset items, proxy passwords, and billing information. As of March 2026, dashboard authentication uses GitHub or Google OAuth via NextAuth.js, fully decoupled from Apify credentials.

Last updated: March 27, 2026

Token Security

Your Apify API token is never stored by ApifyForge

When you run npx apifyforge init, the CLI prompts for your Apify API token and keeps it on your local machine only — in your APIFY_TOKEN environment variable or .env file. The token is used locally to communicate with the Apify API. Only computed results (revenue figures, success rates, quality scores) are uploaded to your dashboard.

At no point does your token transit through or get stored on ApifyForge infrastructure. Even if the ApifyForge database were compromised, there would be no Apify tokens to steal — they do not exist on ApifyForge servers.

Authentication

Dashboard auth is separate from your Apify credentials

Your ApifyForge dashboard account uses GitHub or Google OAuth for authentication. This means your dashboard identity and your Apify credentials are completely decoupled. Signing in at apifyforge.com/connect creates a session tied to your OAuth provider. Your Apify token is managed separately by the CLI on your machine.

Data Boundaries

5 metadata types accessed, 5 sensitive types excluded

What ApifyForge accesses via the Apify API (5 metadata categories):

  • Actor list with settings and metadata (names, descriptions, categories)
  • Run history — status, duration, and resource consumption per run
  • Dataset metadata — item counts and schema info, not item contents
  • Build logs and version history (build status, timestamps)
  • Account usage statistics and credit consumption totals

What ApifyForge never accesses (5 sensitive categories):

  • Actor source code or repository contents
  • Environment variables and secrets stored in actor configuration
  • The actual content of dataset items (scraped data)
  • Proxy passwords or proxy configuration details
  • Billing information or payment methods on Apify

Data Storage

Computed analytics cached temporarily, cleared on disconnect

The CLI computes analytics from Apify API metadata — revenue trends, success rates, quality scores, fleet health metrics — and uploads these computed results to your ApifyForge dashboard. This data is cached in PostgreSQL to keep the dashboard responsive.

The cache is refreshed at regular intervals. When you disconnect your account (Settings → Sign Out), all cached analytics data associated with your account is purged. No previous cached data is restored if you reconnect — everything is pulled fresh.

Infrastructure

4-layer infrastructure with zero stored credentials

  • Application: Next.js 15 with server-side rendering, TypeScript
  • Database: PostgreSQL — stores computed analytics only, 0 API tokens
  • Edge: Cloudflare DNS, CDN, WAF — DDoS protection, TLS 1.3
  • Auth: GitHub & Google OAuth via NextAuth.js — 2 providers, 0 passwords stored

AI Systems

No first-party model inference

ApifyForge does not train, host, or run its own AI models. Features like the LLM Optimizer and Actor Recommender use external model APIs (such as OpenAI) to process requests. Your actor metadata is sent to these APIs only when you explicitly use an AI-powered feature. No data is sent to AI providers in the background or without your action.

Compliance Scanner

Methodology and disclaimers

The Compliance Scanner checks actor configurations against a set of heuristic rules derived from Apify's published guidelines and common best practices. It evaluates metadata completeness, schema compliance, input validation, and documentation quality.

Important: The Compliance Scanner provides developer guidance only. It is not legal advice and does not constitute a legal, regulatory, or security audit. For legal compliance requirements (GDPR, CCPA, etc.), consult a qualified legal professional. ApifyForge makes no warranty about the completeness or accuracy of compliance checks.

GDPR

Data processing under GDPR

ApifyForge processes two categories of data: your OAuth identity (name, email, avatar from GitHub or Google) and computed analytics derived from Apify API metadata.

Actor payload data — the actual content your actors scrape, which may contain personally identifiable information (PII) — is not accessed, transmitted to, or stored by ApifyForge. Dataset items remain on Apify's infrastructure. ApifyForge reads only dataset metadata (item counts, schema information), never the items themselves.

Frequently asked questions

Is ApifyForge safe to use?

Yes. ApifyForge stores zero API tokens on its servers. Your Apify API token stays on your local machine in your .env file or APIFY_TOKEN environment variable. The CLI communicates directly with the Apify API from your machine — only computed analytics (revenue figures, success rates, quality scores) are uploaded to your ApifyForge dashboard. Even if ApifyForge's database were compromised, there would be no Apify tokens to steal.

What data does ApifyForge store?

ApifyForge stores two categories of data: (1) your OAuth identity (name, email, avatar from GitHub or Google), and (2) computed analytics derived from Apify API metadata — revenue trends, success rates, quality scores, and fleet health metrics. ApifyForge never stores your Apify API token, actor source code, environment variables, scraped dataset items, or payment information.

Does ApifyForge access my scraped data?

No. ApifyForge accesses only dataset metadata such as item counts and schema information. The actual content of your dataset items — the data your actors scrape — remains on Apify's infrastructure and is never transmitted to or stored by ApifyForge.

How does ApifyForge authentication work?

ApifyForge uses GitHub or Google OAuth for dashboard authentication via NextAuth.js. This is completely separate from your Apify credentials. Signing in at apifyforge.com/connect creates a session tied to your OAuth provider. Your Apify API token is managed separately by the CLI on your local machine and is never sent to ApifyForge servers.

Can I delete my data from ApifyForge?

Yes. When you disconnect your account via Settings, all cached analytics data associated with your account is purged from ApifyForge's PostgreSQL database immediately. No previous cached data is restored if you reconnect — everything is pulled fresh from the Apify API. You can also email [email protected] to request full data deletion.

Is ApifyForge GDPR compliant?

ApifyForge processes only two categories of personal data under GDPR: OAuth identity information (name, email, avatar) and computed analytics metadata. Actor payload data — the actual content your actors scrape, which may contain PII — is never accessed, transmitted to, or stored by ApifyForge. Dataset items remain entirely on Apify's infrastructure.

Questions about security or data handling? Contact [email protected]. For details on what personal data we collect and your rights, see our Privacy Notice.