Security &
Data Handling

Two flows: encrypted-at-rest in the browser, or local-only via CLI

Browser flow (default).You paste a scoped Apify API token into Settings → Apify API Token. The token is encrypted with AES-256-GCM before it touches the database, using a server-held key derived from a 32-byte TOKEN_ENCRYPTION_KEY environment variable. Each ciphertext carries its own 12-byte IV and GCM authentication tag — tampering invalidates the record. The token is decrypted in memory only when the dashboard needs to call the Apify API on your behalf. Click Delete token in Settings to clear it from the database immediately.

CLI flow (alternative). If you would rather not store a token on ApifyForge servers at all, run npx apifyforge run <tool>. The CLI reads your token from APIFY_TOKEN or .env on your machine, talks to the Apify API directly, and uploads only computed analytics to your dashboard. The token never reaches ApifyForge servers.

Regardless of flow, you can revoke the token in Apify Console → Integrations at any time, which neutralises every copy of it everywhere. Create a dedicated token for ApifyForge rather than reusing your primary one so you can revoke it independently.

Dashboard auth is separate from your Apify credentials

ApifyForge dashboard authentication uses GitHub or Google OAuth 2.0 (as defined in RFC 6749) via NextAuth.js. This means your dashboard identity and your Apify credentials are completely decoupled — 2 separate credential systems with 0 overlap. Signing in at apifyforge.com/connect creates a session tied only to your OAuth provider. Your Apify API token is a separate credential you supply later, either via the browser flow (stored AES-256-GCM-encrypted) or via the CLI flow (kept on your machine).

5 metadata types accessed, 5 sensitive types excluded

ApifyForge follows the data minimization principle defined in GDPR Article 5(1)(c): it accesses only the metadata required for dashboard analytics. The table below shows exactly what ApifyForge reads from the Apify API v2 and what it never touches.

Computed analytics cached temporarily, cleared on disconnect

ApifyForge computes analytics from Apify API metadata — revenue trends, success rates, quality scores, fleet health metrics — and caches the results in PostgreSQL so the dashboard renders instantly. This amounts to approximately 2-5 KB of metadata per connected account on top of your AES-256-GCM-encrypted token if you used the browser flow.

Cache is refreshed at regular intervals. When you disconnect your account (Settings → Disconnect), both the cached analytics and the encrypted token are purged from PostgreSQL immediately. No previous cached data is restored if you reconnect — everything is pulled fresh from the Apify API.

4-layer infrastructure with envelope-encrypted credentials

No first-party model inference

ApifyForge does not train, host, or run its own AI models. Features like the LLM Optimizer and Actor Recommender use external model APIs (such as OpenAI) to process requests. Your actor metadata is sent to these APIs only when you explicitly trigger an AI-powered feature — 0 background data transmissions to AI providers occur without your action. As documented in OpenAI's API data usage policy, data sent via the API is not used to train OpenAI models.

Methodology and disclaimers

The Compliance Scanner checks actor configurations against a set of heuristic rules derived from Apify's published guidelines and common best practices. It evaluates metadata completeness, schema compliance, input validation, and documentation quality.

How to verify ApifyForge's security claims (4 steps)

ApifyForge encourages users to independently verify its security model rather than take claims at face value. The following 4 steps confirm the token-handling behaviour matches what is described above:

1. Pick a scoped token. In Apify Console → Integrations create a dedicated token named apifyforge-dashboard with the minimum scopes you are comfortable granting. Revoking this token later neutralises every copy of it, including the encrypted record at ApifyForge.
2. Confirm one-click deletion (browser flow). Paste the token into Settings → Apify API Token. The dashboard should immediately recognise the connection. Click Delete token. The next actor-run attempt should fail with a “no token configured” error, confirming the encrypted record was removed.
3. Inspect network traffic (CLI flow). Run npx apifyforge run <tool>with a network monitor (Wireshark, mitmproxy). The CLI's outbound APIFY_TOKEN traffic terminates at api.apify.com only; outbound traffic to apifyforge.com carries aggregated analytics, no raw token.
4. Revoke and test. Revoke the token in Apify Console. The next API call from the dashboard or the CLI fails with an Apify-side 401 — confirming the token is dead everywhere and cannot be reused. Disconnecting at Settings → Disconnect also purges the encrypted record from the ApifyForge database.

Data processing under GDPR

Under GDPR Article 6(1)(b), ApifyForge processes two categories of personal data necessary for contract performance: your OAuth identity (name, email, avatar from GitHub or Google) and computed analytics derived from Apify API metadata. Users may exercise their right to erasure under Article 17 by disconnecting their account or emailing [email protected].

Actor payload data — the actual content your actors scrape, which may contain personally identifiable information (PII) — is not accessed, transmitted to, or stored by ApifyForge. Under the data minimization principle (Article 5(1)(c)), ApifyForge reads only dataset metadata (item counts, schema information), never the items themselves. Dataset items remain entirely on Apify's infrastructure. If you used the browser flow, ApifyForge additionally stores an AES-256-GCM-encrypted copy of your Apify API token, deletable in one click and revocable on Apify's side at any time.