Security & Data Handling

ApifyForge is a zero-credential-storage analytics platform for Apify web scraping actors. Your Apify API token never leaves your local machine — ApifyForge stores 0 API tokens on its servers. ApifyForge accesses only 5 categories of run metadata (status, duration, resource consumption, dataset item counts, build history) and explicitly excludes 5 sensitive data types: source code, environment variables, dataset items, proxy passwords, and billing information. This follows the principle of least privilege defined in the OWASP Application Security Verification Standard (ASVS 4.0). As of March 2026, dashboard authentication uses OAuth 2.0 via GitHub or Google through NextAuth.js, fully decoupled from Apify credentials. All connections are encrypted with TLS 1.3 at the Cloudflare edge.

Last updated: March 27, 2026

Token Security

Your Apify API token is never stored by ApifyForge

When you run npx apifyforge init, the CLI prompts for your Apify API token and keeps it on your local machine only — in your APIFY_TOKEN environment variable or .env file. The token is used locally to communicate with the Apify API. Only computed results (revenue figures, success rates, quality scores) are uploaded to your dashboard.

At no point does your token transit through or get stored on ApifyForge infrastructure. Even if the ApifyForge database were compromised, there would be no Apify tokens to steal — they do not exist on ApifyForge servers. This architecture aligns with OWASP Top 10 A07:2021 guidance on identification and authentication failures: eliminating credential storage eliminates the most common attack vector for third-party integrations.

Authentication

Dashboard auth is separate from your Apify credentials

ApifyForge dashboard authentication uses GitHub or Google OAuth 2.0 (as defined in RFC 6749) via NextAuth.js. This means your dashboard identity and your Apify credentials are completely decoupled — 2 separate credential systems with 0 overlap. Signing in at apifyforge.com/connect creates a session tied to your OAuth provider. Your Apify token is managed separately by the CLI on your machine and is never sent to ApifyForge servers.

Data Boundaries

5 metadata types accessed, 5 sensitive types excluded

ApifyForge follows the data minimization principle defined in GDPR Article 5(1)(c): it accesses only the metadata required for dashboard analytics. The table below shows exactly what ApifyForge reads from the Apify API v2 and what it never touches.

Data Type                     | ApifyForge Access | Apify API Endpoint       | Contains Secrets?
Actor list & metadata         | Reads             | GET /v2/acts             | No
Run history & status          | Reads             | GET /v2/acts/{id}/runs   | No
Dataset metadata              | Reads             | GET /v2/datasets         | No
Build logs & versions         | Reads             | GET /v2/acts/{id}/builds | No
Usage & credit stats          | Reads             | GET /v2/users/me/usage   | No
Actor source code             | Never             | N/A                      | Yes
Environment variables         | Never             | N/A                      | Yes
Dataset items (scraped data)  | Never             | N/A                      | Possibly
Proxy passwords               | Never             | N/A                      | Yes
Billing & payment info        | Never             | N/A                      | Yes

Data Storage

Computed analytics cached temporarily, cleared on disconnect

The ApifyForge CLI computes analytics from Apify API metadata — revenue trends, success rates, quality scores, fleet health metrics — and uploads these computed results to your ApifyForge dashboard. This amounts to approximately 2-5 KB of metadata per connected account. The data is cached in PostgreSQL to keep the dashboard responsive.

The cache is refreshed at regular intervals. When you disconnect your account (Settings → Disconnect), all cached analytics data associated with your account is purged from PostgreSQL immediately. No previous cached data is restored if you reconnect — everything is pulled fresh from the Apify API.

Infrastructure

4-layer infrastructure with zero stored credentials

Application

Next.js 15 with server-side rendering, TypeScript strict mode

Database

PostgreSQL with AES-256 encryption at rest — stores computed analytics only, 0 API tokens

Edge

Cloudflare DNS, CDN, WAF — DDoS protection, TLS 1.3, HSTS enabled

Auth

GitHub & Google OAuth 2.0 via NextAuth.js — 2 providers, 0 passwords stored, HttpOnly session cookies

AI Systems

No first-party model inference

ApifyForge does not train, host, or run its own AI models. Features like the LLM Optimizer and Actor Recommender use external model APIs (such as OpenAI) to process requests. Your actor metadata is sent to these APIs only when you explicitly trigger an AI-powered feature — 0 background data transmissions to AI providers occur without your action. As documented in OpenAI's API data usage policy, data sent via the API is not used to train OpenAI models.

Compliance Scanner

Methodology and disclaimers

The Compliance Scanner checks actor configurations against a set of heuristic rules derived from Apify's published guidelines and common best practices. It evaluates metadata completeness, schema compliance, input validation, and documentation quality.

Important: The Compliance Scanner provides developer guidance only. It is not legal advice and does not constitute a legal, regulatory, or security audit. For legal compliance requirements (GDPR, CCPA, etc.), consult a qualified legal professional. ApifyForge makes no warranty about the completeness or accuracy of compliance checks.

Verification

How to verify ApifyForge's security claims (4 steps)

ApifyForge encourages users to independently verify its security model rather than take claims at face value. The following 4 steps confirm that your Apify token is sent only to the Apify API and never reaches ApifyForge:

  1. Inspect network traffic during CLI usage. Run npx apifyforge with a network monitor (such as Wireshark or mitmproxy). Verify that your APIFY_TOKEN is sent only to api.apify.com, never to apifyforge.com.
  2. Check the dashboard database. Visit Settings in the ApifyForge dashboard. The connected account panel shows only your OAuth identity (name, email, avatar) — no Apify token field exists.
  3. Review the data payload. The CLI prints a summary of what it uploads before each sync. This summary contains only computed metrics (revenue, success rates, quality scores), never raw tokens or dataset contents.
  4. Revoke and test. Rotate your Apify API token in Apify Console. Your ApifyForge dashboard continues to display cached analytics — confirming it never stored or depended on the old token.
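
One way to automate step 1, as an added example that is not part of ApifyForge's own tooling: a Python check that scans captured HTTP requests and flags any request carrying your Apify token to a host other than api.apify.com. The request records, the token value, the HAR-like record shape and the header and query-parameter placements are constructed for this example; a real capture would come from the mitmproxy or Wireshark session the step describes.

```python
import json
from urllib.parse import urlparse

# Constructed sample token for the fixture; never put a real token in a test file.
APIFY_TOKEN = "apify_api_EXAMPLETOKEN0000000000000000000"

# The only host that may ever see the token (verification step 1 above).
ALLOWED_TOKEN_HOSTS = {"api.apify.com"}

# Constructed request records in a minimal HAR-like shape (method, url, headers, postData).
# The shape is an assumption of this example; a real list would be exported from a capture.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "https://api.apify.com/v2/acts?limit=100",
     "headers": {"Authorization": f"Bearer {APIFY_TOKEN}"}, "postData": ""},
    {"method": "GET",
     "url": f"https://api.apify.com/v2/users/me/usage?token={APIFY_TOKEN}",
     "headers": {}, "postData": ""},
    {"method": "POST", "url": "https://apifyforge.com/api/sync",
     "headers": {"Content-Type": "application/json"},
     "postData": json.dumps({"successRate": 0.97, "qualityScore": 82})},
    # A deliberately bad record: the token leaking in a request body to a third party.
    {"method": "POST", "url": "https://example-third-party.invalid/ingest",
     "headers": {"Content-Type": "application/json"},
     "postData": json.dumps({"apifyToken": APIFY_TOKEN})},
]


def request_carries_token(req, token):
    """True if the token appears in the URL (path or query), any header value, or the body."""
    if token in req.get("url", ""):
        return True
    if any(token in value for value in req.get("headers", {}).values()):
        return True
    return token in (req.get("postData") or "")


def find_token_leaks(requests, token, allowed_hosts=ALLOWED_TOKEN_HOSTS):
    """Return (host, url) for each request carrying the token to a host outside allowed_hosts.
    An empty list means the capture is consistent with the token going only to api.apify.com."""
    leaks = []
    for req in requests:
        host = urlparse(req.get("url", "")).hostname or ""
        if request_carries_token(req, token) and host not in allowed_hosts:
            leaks.append((host, req["url"]))
    return leaks


if __name__ == "__main__":
    for host, url in find_token_leaks(SAMPLE_REQUESTS, APIFY_TOKEN):
        print(f"TOKEN LEAK: {url} (host {host} is not an allowed token recipient)")
```

Run it against the capture of a real `npx apifyforge` session with your own token value substituted; any printed line is a request worth investigating.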

GDPR

Data processing under GDPR

Under GDPR Article 6(1)(b), ApifyForge processes two categories of personal data necessary for contract performance: your OAuth identity (name, email, avatar from GitHub or Google) and computed analytics derived from Apify API metadata. Users may exercise their right to erasure under Article 17 by disconnecting their account or emailing [email protected].

Actor payload data — the actual content your actors scrape, which may contain personally identifiable information (PII) — is not accessed, transmitted to, or stored by ApifyForge. Under the data minimization principle (Article 5(1)(c)), ApifyForge reads only dataset metadata (item counts, schema information), never the items themselves. Dataset items remain entirely on Apify's infrastructure.

Frequently asked questions

Is ApifyForge safe to use?

Yes. ApifyForge stores zero API tokens on its servers. Your Apify API token stays on your local machine in your .env file or APIFY_TOKEN environment variable. The CLI communicates directly with the Apify API from your machine — only computed analytics (revenue figures, success rates, quality scores) are uploaded to your ApifyForge dashboard. This follows the principle of least privilege described in the OWASP Application Security Verification Standard (ASVS 4.0): credentials should never be stored by intermediary services that do not require them.

What data does ApifyForge store?

ApifyForge stores two categories of data: (1) your OAuth identity (name, email, avatar from GitHub or Google), and (2) computed analytics derived from Apify API metadata — revenue trends, success rates, quality scores, and fleet health metrics. ApifyForge never stores your Apify API token, actor source code, environment variables, scraped dataset items, or payment information. This amounts to approximately 2-5 KB of metadata per connected account.

Does ApifyForge access my scraped data?

No. ApifyForge accesses only dataset metadata such as item counts and schema information via the Apify API's GET /v2/datasets endpoint. The actual content of your dataset items — the data your actors scrape — remains on Apify's infrastructure and is never transmitted to or stored by ApifyForge. As documented in the Apify API reference, dataset metadata and dataset items are separate endpoints with different access scopes.

How does ApifyForge authentication work?

ApifyForge uses GitHub or Google OAuth 2.0 for dashboard authentication via NextAuth.js, an open-source authentication library for Next.js with over 24,000 GitHub stars. This is completely separate from your Apify credentials. Signing in at apifyforge.com/connect creates a session tied to your OAuth provider. Your Apify API token is managed separately by the CLI on your local machine and is never sent to ApifyForge servers.

Can I delete my data from ApifyForge?

Yes. When you disconnect your account via Settings, all cached analytics data associated with your account is purged from ApifyForge's PostgreSQL database immediately. No previous cached data is restored if you reconnect — everything is pulled fresh from the Apify API. You can also email [email protected] to request full data deletion under GDPR Article 17 (right to erasure) or CCPA Section 1798.105.

Is ApifyForge GDPR compliant?

ApifyForge processes only two categories of personal data under GDPR: OAuth identity information (name, email, avatar) and computed analytics metadata. Under GDPR Article 5(1)(c) — data minimization — ApifyForge collects only data necessary for dashboard functionality. Actor payload data — the actual content your actors scrape, which may contain PII — is never accessed, transmitted to, or stored by ApifyForge. Dataset items remain entirely on Apify's infrastructure.

What encryption does ApifyForge use?

All data in transit between your browser and ApifyForge is encrypted with TLS 1.3, enforced at the Cloudflare edge. Data at rest in PostgreSQL is encrypted using AES-256 at the storage layer. OAuth tokens from GitHub and Google are stored as encrypted session cookies with HttpOnly, Secure, and SameSite=Lax attributes, following OWASP session management guidelines.

What happens to my data if ApifyForge shuts down?

Because ApifyForge stores only computed analytics metadata — not your Apify API token, source code, or scraped data — a shutdown would affect only your dashboard access. All of your actors, datasets, and credentials remain on Apify's infrastructure, completely unaffected. You would lose access to cached revenue trends and quality scores, but these can be recomputed from Apify's API at any time.

Questions about security or data handling? Contact [email protected]. For details on what personal data we collect and your rights, see our Privacy Notice.