Security

Authentication

Formtorch accounts use Clerk for authentication. You can sign in with:

  • Email and password
  • Google OAuth

Multi-Factor Authentication

MFA configuration in the dashboard is coming soon. To enable MFA now, go to your Clerk account settings and enable Two-step verification under Security. This protects your account immediately.

Multi-factor authentication (MFA) adds an extra layer of protection to your account. Once enabled, signing in requires both your password and a time-based one-time code from an authenticator app.

Session management

Each sign-in creates a new session. Sessions expire after a period of inactivity. To sign out of all active sessions, use Sign out of all devices in your account settings.

Responsible disclosure

If you discover a security vulnerability in Formtorch, please report it to security@formtorch.com. We take security reports seriously and will respond promptly.

API key security

API keys have full read/write access to your forms and submissions. Treat them like passwords:

  • Store keys in environment variables, not source code
  • Revoke keys you no longer use from Settings → API Keys
  • If a key is compromised, revoke it immediately — revoked keys stop working at once

See API Keys for full management instructions.

Data security

  • All data is encrypted in transit (TLS 1.2+)
  • Submissions are stored in an isolated Neon Postgres database
  • API keys are hashed at rest and shown only once at creation
  • Unsubscribe links use HMAC signatures — no tokens stored in the database
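
The following is an added example, not Formtorch's own code, of how a stateless HMAC-signed unsubscribe link can work: the server recomputes the signature from the link's parameters, so no token has to be stored. The endpoint URL, parameter names, expiry field and key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real service loads its key from an environment variable.
SECRET = b"constructed-demo-key-not-a-real-secret"
BASE_URL = "https://forms.example/unsubscribe"  # hypothetical endpoint


def _sign(email: str, list_id: str, expires: int) -> str:
    # Length-prefix every field so ("a", "bc") and ("ab", "c") cannot
    # collapse into the same MAC input.
    msg = b"".join(
        len(part).to_bytes(4, "big") + part
        for part in (email.encode(), list_id.encode(), str(expires).encode())
    )
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(email: str, list_id: str, ttl: int = 30 * 86400,
              now: Optional[float] = None) -> str:
    """Build a link whose parameters are authenticated by the signature."""
    expires = int(time.time() if now is None else now) + ttl
    sig = _sign(email, list_id, expires)
    query = urlencode({"email": email, "list": list_id, "exp": expires, "sig": sig})
    return f"{BASE_URL}?{query}"


def verify_link(url: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (email, list_id) if the link is authentic and unexpired, else None."""
    params = parse_qs(urlsplit(url).query)
    try:
        email, list_id = params["email"][0], params["list"][0]
        expires, sig = int(params["exp"][0]), params["sig"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameter
    expected = _sign(email, list_id, expires)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    if (time.time() if now is None else now) > expires:
        return None
    return email, list_id
```

Because the signature covers the address, the list and the expiry, changing any of them in the URL invalidates the link.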