Security Overview
At TypeForge AI, we implement robust, industrial-strength security patterns to protect your telemetry metrics, identity, and personal records. Below is an overview of how we secure your data from client to database.
1. Secure Authentication & JWT Verification
User sessions are fully managed by Clerk using OpenID Connect (OIDC) protocols. Clerk issues cryptographically signed JSON Web Tokens (JWTs) on the client side. When your client calls our FastAPI backend, the token is sent as a Bearer token in the Authorization header. The backend validates this token cryptographically using Clerk's public keys, verifying the signature, issuer, and expiration before processing any database operations.
2. Supabase Database Row-Level Security (RLS)
All database tables in our Supabase PostgreSQL instance are protected by Row-Level Security (RLS) policies. When a request is made, PostgreSQL inspects the authenticated User ID (passed securely via JWT validation middleware) and restricts data access. A user is only authorized to read, write, or update records belonging to their unique user ID, preventing cross-user data leakage.
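The shape such a policy set takes, as an added example that is not TypeForge AI's actual schema or policies: it assumes a hypothetical public.sessions table whose user_id column holds the Clerk user id carried in the JWT "sub" claim, and that the backend forwards the verified user JWT to Supabase so auth.jwt() exposes its claims.

```sql
-- Added example (not TypeForge AI's actual schema or policies).
-- Assumes a hypothetical table public.sessions whose user_id column holds the
-- Clerk user id from the JWT "sub" claim, and that the backend forwards the
-- verified user JWT to Supabase so auth.jwt() exposes its claims.

create table if not exists public.sessions (
  id         bigint generated always as identity primary key,
  user_id    text not null,            -- Clerk user id from the JWT "sub" claim
  metrics    jsonb not null default '{}'::jsonb,
  created_at timestamptz not null default now()
);

-- Turn RLS on and force it even for the table owner. With no policies defined
-- the table now returns zero rows to every role except a superuser or a role
-- with BYPASSRLS (Supabase's service_role).
alter table public.sessions enable row level security;
alter table public.sessions force row level security;

-- Helper: the caller's user id, or NULL when the request carries no valid JWT
-- (NULL never equals anything, so unauthenticated requests match no rows).
create or replace function public.current_user_id()
returns text
language sql stable
as $$ select auth.jwt() ->> 'sub' $$;

-- One policy per command. USING filters which existing rows are visible;
-- WITH CHECK filters which new row values are accepted, so a user can neither
-- read another user's rows nor write a row tagged with someone else's user_id.
create policy "sessions_select_own" on public.sessions
  for select to authenticated
  using (user_id = public.current_user_id());

create policy "sessions_insert_own" on public.sessions
  for insert to authenticated
  with check (user_id = public.current_user_id());

create policy "sessions_update_own" on public.sessions
  for update to authenticated
  using (user_id = public.current_user_id())
  with check (user_id = public.current_user_id());

create policy "sessions_delete_own" on public.sessions
  for delete to authenticated
  using (user_id = public.current_user_id());

-- Sanity check from psql (inside a transaction): simulate a request for the
-- constructed user id "user_abc" and confirm only that user's rows come back.
-- set local role authenticated;
-- set local request.jwt.claims = '{"sub":"user_abc","role":"authenticated"}';
-- select id, user_id from public.sessions;
```

Run the commented sanity check for two different sub values and compare the row sets; any overlap means a policy is missing or its predicate is wrong.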
3. Vercel API Reverse Proxy (Key Protection)
To avoid exposing internal API keys and server structures in browser inspection panels, we use a secure Vercel API Proxy. All API calls from the client use relative endpoints (like /api/v1/sessions) which Vercel forwards to the backend server. Sensitive credentials (such as database URLs and service keys) remain hosted as environment variables in Render/Railway hosting platforms and are never transmitted to the browser client.
4. Cloudflare Turnstile Bot Shield
Our feedback and contact forms are protected by Cloudflare Turnstile CAPTCHA shields. Turnstile evaluates user behavior invisibly to prevent spam submissions and distributed API exhaustion attacks. Form submissions are verified server-side via a backend proxy request to Cloudflare's token verification endpoints using secret API keys stored in our secure backend environment variables.