Tork supports several authentication methods for API access: API keys for server-to-server integrations, short-lived JWTs with refresh-token rotation, and OAuth sign-in through external identity providers.
API Key Authentication
API keys are stored as SHA-256 digests, can be rotated, and can be scoped to specific permissions.
- Keys prefixed with tork_ for easy identification (the fixed prefix also lets secret scanners recognise a leaked key)
- SHA-256 hashing: only the digest is stored; the raw key is shown once at creation and cannot be recovered afterwards. A plain unsalted hash is adequate here because keys are long random strings, unlike user passwords, which need a slow salted hash.
- Automatic last-used tracking
- Revocation support with immediate effect
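The key lifecycle described above (issue with a tork_ prefix, store only the SHA-256 digest, look up by digest, track last use, revoke and rotate), as an added Go example. It is not Tork's code; the KeyStore is an in-memory stand-in for the real key table, and the scope names are made up for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// APIKeyRecord is what the database keeps: the digest, never the key itself.
type APIKeyRecord struct {
	ID       string
	Hash     [32]byte // sha256 of the full "tork_..." string
	Scopes   map[string]bool
	Revoked  bool
	LastUsed time.Time
}

// KeyStore is a constructed in-memory stand-in for the key table, indexed by digest.
type KeyStore struct {
	byHash map[[32]byte]*APIKeyRecord
	now    func() time.Time
}

func NewKeyStore() *KeyStore {
	return &KeyStore{byHash: map[[32]byte]*APIKeyRecord{}, now: time.Now}
}

// Issue mints a tork_-prefixed key from 32 random bytes (256 bits of entropy), stores
// only its SHA-256 digest, and returns the raw key once; it cannot be recovered later.
func (s *KeyStore) Issue(id string, scopes ...string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	key := "tork_" + base64.RawURLEncoding.EncodeToString(raw)
	rec := &APIKeyRecord{ID: id, Hash: sha256.Sum256([]byte(key)), Scopes: map[string]bool{}}
	for _, sc := range scopes {
		rec.Scopes[sc] = true
	}
	s.byHash[rec.Hash] = rec
	return key, nil
}

// One error for unknown, tampered and revoked keys, so responses do not reveal which it was.
var ErrInvalidKey = errors.New("invalid api key")
var ErrScope = errors.New("insufficient scope")

// Authenticate hashes the presented key, looks it up by digest, and checks revocation
// and scope; on success it records the last-used time.
func (s *KeyStore) Authenticate(presented, scope string) (*APIKeyRecord, error) {
	if !strings.HasPrefix(presented, "tork_") {
		return nil, ErrInvalidKey
	}
	rec, ok := s.byHash[sha256.Sum256([]byte(presented))]
	if !ok || rec.Revoked {
		return nil, ErrInvalidKey
	}
	if !rec.Scopes[scope] {
		return nil, ErrScope
	}
	rec.LastUsed = s.now()
	return rec, nil
}

// Revoke takes effect immediately: the next Authenticate call with that key fails.
func (s *KeyStore) Revoke(id string) {
	for _, rec := range s.byHash {
		if rec.ID == id {
			rec.Revoked = true
		}
	}
}

// Rotate issues a replacement with the same scopes and revokes the old key at once
// (a production rotation would usually keep the old key valid for a short grace window).
func (s *KeyStore) Rotate(id string) (string, error) {
	var scopes []string
	for _, rec := range s.byHash {
		if rec.ID == id && !rec.Revoked {
			for sc := range rec.Scopes {
				scopes = append(scopes, sc)
			}
		}
	}
	s.Revoke(id)
	return s.Issue(id, scopes...)
}

func main() {
	store := NewKeyStore()
	key, _ := store.Issue("acme-prod", "redact:write")
	fmt.Println("show once:", key)
	_, err := store.Authenticate(key, "redact:write")
	fmt.Println("auth:", err)
	store.Revoke("acme-prod")
	_, err = store.Authenticate(key, "redact:write")
	fmt.Println("after revoke:", err)
}
```

Because the lookup is by the full digest, the store never needs the raw key after issuance and a database dump yields nothing usable; the caller must capture the key from the creation response.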
JWT Authentication
JWTs signed with ES256 (ECDSA over the P-256 curve with SHA-256). Signing is asymmetric, so services that only verify tokens need the public key and never hold the signing key.
- ES256 algorithm (ECDSA with P-256 curve)
- 15-minute access token TTL
- 7-day refresh tokens with rotation: a refresh token is single-use and is replaced by a new one each time it is redeemed
- JTI-based token revocation: every token carries a unique ID that can be denylisted before its expiry
- IP binding and device fingerprinting (IP binding can reject legitimate clients whose address changes mid-session, such as mobile users or clients behind carrier-grade NAT)
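The token mechanics listed above (ES256 signing and verification with a pinned algorithm, a 15-minute access TTL, 7-day single-use refresh tokens, and JTI denylisting), as an added Go example built only on the standard library. It is not Tork's code; the Issuer type and its in-memory denylist are assumptions for the demonstration, and a real service would keep the denylist in shared storage and prune entries once their exp passes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var (
	b64       = base64.RawURLEncoding
	encHeader = b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) // fixed header, compared verbatim on verify
)

// Claims carried by access and refresh tokens; Typ tells the two apart.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
	Typ string `json:"typ"`
}

// Issuer (hypothetical) holds the P-256 signing key and a JTI denylist.
type Issuer struct {
	key     *ecdsa.PrivateKey
	revoked map[string]bool
	now     func() time.Time
}

func NewIssuer() *Issuer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system CSPRNG is unavailable
	}
	return &Issuer{key: k, revoked: map[string]bool{}, now: time.Now}
}

// Mint signs header.payload with ES256: ECDSA over P-256 on the SHA-256 digest.
func (i *Issuer) Mint(sub, typ string, ttl time.Duration) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand; a failure here is unrecoverable, ignored in this demo
	body, _ := json.Marshal(Claims{Sub: sub, Exp: i.now().Add(ttl).Unix(), Jti: b64.EncodeToString(jti), Typ: typ})
	signingInput := encHeader + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, i.key, digest[:])
	if err != nil {
		return "", err
	}
	// JOSE wants raw r||s, each left-padded to 32 bytes, not the ASN.1 DER that SignASN1 produces.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify requires the exact expected header (the token never chooses the algorithm),
// checks the signature with the public key, then expiry and the JTI denylist.
func (i *Issuer) Verify(tok string) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || parts[0] != encHeader {
		return nil, errors.New("malformed token or unexpected header")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(&i.key.PublicKey, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("bad signature")
	}
	pb, err := b64.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if i.now().Unix() >= c.Exp || i.revoked[c.Jti] {
		return nil, errors.New("expired or revoked")
	}
	return &c, nil
}

func (i *Issuer) Revoke(jti string) { i.revoked[jti] = true }

// Rotate consumes a refresh token: its JTI is revoked so a replay fails, then a fresh pair is issued.
func (i *Issuer) Rotate(refresh string) (access, next string, err error) {
	c, err := i.Verify(refresh)
	if err != nil || c.Typ != "refresh" {
		return "", "", errors.New("invalid refresh token")
	}
	i.Revoke(c.Jti)
	if access, err = i.Mint(c.Sub, "access", 15*time.Minute); err == nil {
		next, err = i.Mint(c.Sub, "refresh", 7*24*time.Hour)
	}
	return
}

func main() {
	iss := NewIssuer()
	rt, _ := iss.Mint("user-42", "refresh", 7*24*time.Hour)
	_, _, first := iss.Rotate(rt)
	_, _, replay := iss.Rotate(rt)
	fmt.Println(first, replay) // <nil> invalid refresh token
}
```

Comparing the header against one exact encoding is stricter than parsing it: it rejects alg:none and HS256 confusion attempts before any cryptography runs, at the cost of refusing tokens with extra header fields such as kid (add those to the constant if a key-rotation scheme needs them).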
OAuth Integration
Sign in through trusted external identity providers instead of Tork-managed credentials.
- Google OAuth 2.0
- GitHub OAuth
- Secure state parameter validation (ties the callback to the session that started the flow, blocking login CSRF)
- PKCE support for mobile apps and other public clients that cannot keep a client secret
Multi-dimensional rate limiting protects against abuse while ensuring fair usage across all customers. Limits are enforced per IP, API key, organization, and endpoint.
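One way to enforce limits across several dimensions at once, as an added Go example that is not Tork's implementation. It keeps a token bucket per (dimension, key) and only admits a request that has budget in every dimension it touches; the capacities and refill rates are assumed numbers, since the page publishes no tier values.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Limit is the policy for one dimension. The numbers used below are assumed; the page
// does not publish tier values.
type Limit struct {
	Dim      string
	Capacity float64 // burst size
	PerSec   float64 // sustained refill rate
}

// bucket is a token bucket refilled lazily on each visit.
type bucket struct {
	tokens float64
	last   time.Time
}

// MultiLimiter keeps one bucket per (dimension, key) and checks the dimensions in a
// fixed order. A request must find a token in every dimension it names; if any bucket
// is empty the request is denied and no token is taken from the others, so a denied
// request is not charged against the caller's remaining budget elsewhere.
type MultiLimiter struct {
	mu      sync.Mutex
	limits  []Limit
	buckets map[string]*bucket
	now     func() time.Time
}

func NewMultiLimiter(limits []Limit) *MultiLimiter {
	return &MultiLimiter{limits: limits, buckets: map[string]*bucket{}, now: time.Now}
}

func (m *MultiLimiter) refill(l Limit, key string, now time.Time) *bucket {
	id := l.Dim + "\x00" + key
	b, ok := m.buckets[id]
	if !ok {
		b = &bucket{tokens: l.Capacity, last: now}
		m.buckets[id] = b
	}
	b.tokens += now.Sub(b.last).Seconds() * l.PerSec
	if b.tokens > l.Capacity {
		b.tokens = l.Capacity
	}
	b.last = now
	return b
}

// Allow returns "" if the request may proceed, otherwise the first exhausted dimension
// (which is also the right thing to name in the 429 response).
func (m *MultiLimiter) Allow(dims map[string]string) string {
	m.mu.Lock()
	defer m.mu.Unlock()
	now := m.now()
	var touched []*bucket
	for _, l := range m.limits {
		key, ok := dims[l.Dim]
		if !ok {
			continue // request does not carry this dimension (e.g. unauthenticated: no api_key)
		}
		b := m.refill(l, key, now)
		if b.tokens < 1 {
			return l.Dim
		}
		touched = append(touched, b)
	}
	for _, b := range touched {
		b.tokens--
	}
	return ""
}

func main() {
	m := NewMultiLimiter([]Limit{{"ip", 5, 1}, {"api_key", 3, 1}, {"org", 50, 10}, {"endpoint", 100, 50}})
	req := map[string]string{"ip": "203.0.113.7", "api_key": "tork_example", "org": "acme", "endpoint": "POST /v1/redact"}
	for i := 1; i <= 5; i++ {
		fmt.Printf("request %d: denied=%q\n", i, m.Allow(req))
	}
}
```

Checking the per-IP bucket first means an unauthenticated flood is stopped before it can touch per-key or per-organization state, which also keeps the bucket map from growing under attacker-chosen keys.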
Subscription Tier Limits
Protection Features
All API inputs are validated against known attack patterns before processing. The validation layer rejects requests that match common injection signatures and enforces strict data formats. Signature matching is a defense-in-depth layer, not a substitute for parameterized queries, output encoding and argument-safe process execution in the code that handles the data.
- SQL injection: blocks UNION SELECT, DROP TABLE, and other SQL injection patterns. Example: SELECT * FROM users; DROP TABLE--
- Cross-site scripting: prevents script injection, event handlers, and encoded payloads. Example: <script>alert("xss")</script>
- Command injection: blocks shell commands, pipe operators, and command chaining. Example: ; rm -rf / && cat /etc/passwd
- Path traversal: prevents directory traversal and file system access attempts. Example: ../../../etc/passwd
Additional Validations
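A signature-based input check of the kind described above, run over the four sample payloads, as an added Go example. The patterns are assumed for the demonstration and are not Tork's published rules; the example also decodes URL and HTML encoding before matching (the "encoded payloads" case) and includes a benign sentence that trips the SQL rule, to show why this layer cannot stand alone.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
	"regexp"
)

// Rule is one signature. These patterns are assumed for the example, not Tork's rules.
type Rule struct {
	Category string
	Pattern  *regexp.Regexp
}

var rules = []Rule{
	{"sql_injection", regexp.MustCompile(`(?i)\bunion\s+(all\s+)?select\b|\bdrop\s+table\b|;\s*--|'\s*or\s+'?\d+'?\s*=\s*'?\d+`)},
	{"xss", regexp.MustCompile(`(?i)<\s*script\b|\bon[a-z]+\s*=|javascript\s*:`)},
	{"command_injection", regexp.MustCompile("(?i)[;&|`]\\s*(rm|cat|wget|curl|sh|bash|nc|python)\\b|\\$\\(")},
	{"path_traversal", regexp.MustCompile(`(\.\./|\.\.\\)`)},
}

// normalize undoes up to two layers of URL encoding and one of HTML entities, so that
// %3Cscript%3E, %253Cscript%253E and &lt;script&gt; are all seen as <script>.
func normalize(s string) string {
	for i := 0; i < 2; i++ {
		u, err := url.PathUnescape(s)
		if err != nil || u == s {
			break // not URL-encoded (or a stray "%"): keep what we have
		}
		s = u
	}
	return html.UnescapeString(s)
}

// Check returns every category whose signature matches, in rule order; nil means pass.
func Check(input string) []string {
	n := normalize(input)
	var hits []string
	for _, r := range rules {
		if r.Pattern.MatchString(n) {
			hits = append(hits, r.Category)
		}
	}
	return hits
}

func main() {
	for _, in := range []string{
		`SELECT * FROM users; DROP TABLE--`,
		`<script>alert("xss")</script>`,
		`; rm -rf / && cat /etc/passwd`,
		`../../../etc/passwd`,
		`%3Cscript%3Ealert(1)%3C%2Fscript%3E`,
		`please drop table tennis from the schedule`, // false positive: a word filter, not a parser
	} {
		fmt.Printf("%-45q -> %v\n", in, Check(in))
	}
}
```

The last input shows the trade-off: a blocklist that catches DROP TABLE also rejects a support ticket about table tennis. Tune such rules per field (free-text fields get looser rules than identifiers) and treat a hit as a signal to log and reject, while relying on parameterized queries and encoding for actual safety.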
Server-Side Request Forgery (SSRF) protection blocks attempts to access internal resources, cloud metadata endpoints, and private network ranges.
Private IP Ranges
- 10.0.0.0/8 (RFC 1918 private)
- 172.16.0.0/12 (RFC 1918 private)
- 192.168.0.0/16 (RFC 1918 private)
- 127.0.0.0/8 (loopback)
- 169.254.0.0/16 (link-local)
Cloud Metadata Endpoints
- AWS: 169.254.169.254
- GCP: metadata.google.internal (which resolves to 169.254.169.254)
- Azure: 169.254.169.254
- DigitalOcean: 169.254.169.254
Additional Protections
- DNS rebinding prevention
- Redirect chain limits
- Protocol validation (HTTPS only)
- Port restrictions
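The SSRF checks listed above (private and metadata ranges, HTTPS only, port restrictions, redirect limits, and resolving a host once so DNS rebinding cannot swap the address after the check), as an added Go example that is not Tork's implementation. Beyond the page's list it also blocks 0.0.0.0/8, the CGNAT range and the IPv6 loopback, unique-local and link-local blocks, and unmaps IPv4-mapped IPv6 addresses; the allowed port list and the constructed DNS table in the usage are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
)

// Deny-list: the page's five ranges plus 0.0.0.0/8, CGNAT 100.64.0.0/10 and the IPv6
// loopback, unique-local and link-local blocks, which the page does not list (assumed).
var blocked = func() []netip.Prefix {
	var out []netip.Prefix
	for _, p := range []string{
		"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
		"0.0.0.0/8", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
	} {
		out = append(out, netip.MustParsePrefix(p))
	}
	return out
}()

// Metadata hostnames are refused by name as well, independent of what they resolve to.
var blockedHosts = map[string]bool{"metadata.google.internal": true}

var allowedPorts = map[string]bool{"": true, "443": true, "8443": true} // assumed policy

var ErrBlocked = errors.New("destination not allowed")

// Resolver is injectable so the example (and its tests) run without live DNS.
type Resolver func(ctx context.Context, host string) ([]netip.Addr, error)

func LiveResolver(ctx context.Context, host string) ([]netip.Addr, error) {
	return net.DefaultResolver.LookupNetIP(ctx, "ip", host)
}

// ValidateTarget checks scheme, port and every address the host resolves to, and returns
// the single address the caller must dial. Dialing that pinned address (instead of
// re-resolving the name) is what defeats DNS rebinding: the answer cannot change between
// the check and the connection.
func ValidateTarget(ctx context.Context, rawURL string, resolve Resolver) (netip.Addr, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return netip.Addr{}, err
	}
	if u.Scheme != "https" {
		return netip.Addr{}, fmt.Errorf("%w: scheme %q", ErrBlocked, u.Scheme)
	}
	if !allowedPorts[u.Port()] {
		return netip.Addr{}, fmt.Errorf("%w: port %q", ErrBlocked, u.Port())
	}
	host := u.Hostname()
	if blockedHosts[host] {
		return netip.Addr{}, fmt.Errorf("%w: host %q", ErrBlocked, host)
	}
	var addrs []netip.Addr
	if a, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{a} // literal IP, including bracketed IPv6
	} else if addrs, err = resolve(ctx, host); err != nil {
		return netip.Addr{}, err
	}
	if len(addrs) == 0 {
		return netip.Addr{}, fmt.Errorf("%w: %q did not resolve", ErrBlocked, host)
	}
	// Check every record: an attacker-controlled zone can return one public and one private address.
	for k, a := range addrs {
		// ::ffff:10.0.0.1 is 10.0.0.1 in disguise, and Prefix.Contains never matches a zoned address.
		a = a.Unmap().WithZone("")
		addrs[k] = a
		for _, p := range blocked {
			if p.Contains(a) {
				return netip.Addr{}, fmt.Errorf("%w: %s is in %s", ErrBlocked, a, p)
			}
		}
	}
	return addrs[0], nil
}

// SafeClient re-validates every redirect hop and caps the chain at maxHops. Full rebinding
// protection additionally needs a DialContext that connects to the address ValidateTarget returned.
func SafeClient(resolve Resolver, maxHops int) *http.Client {
	return &http.Client{CheckRedirect: func(req *http.Request, via []*http.Request) error {
		if len(via) >= maxHops {
			return fmt.Errorf("%w: more than %d redirects", ErrBlocked, maxHops)
		}
		_, err := ValidateTarget(req.Context(), req.URL.String(), resolve)
		return err
	}}
}

func main() {
	for _, target := range []string{"https://169.254.169.254/latest/meta-data/", "https://[::1]/", "http://example.com/"} {
		_, err := ValidateTarget(context.Background(), target, LiveResolver)
		fmt.Println(target, "->", err)
	}
}
```

Numeric tricks such as http://2130706433/ or http://0x7f000001/ are not parsed by netip.ParseAddr and fall through to the resolver, where a standards-compliant resolver returns an error; if the outbound proxy or HTTP library is more permissive than Go's, canonicalise the host before it reaches this function.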
All responses include security headers that protect against common web vulnerabilities and enforce secure communication.
- Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'... Restricts where scripts and other resources may load from. Note that 'unsafe-inline' in script-src allows any injected inline script to execute, so the policy as shown gives little protection against XSS; nonces or hashes for inline scripts close that gap.
- X-Frame-Options: DENY. Prevents clickjacking by blocking iframe embedding
- X-Content-Type-Options: nosniff. Prevents MIME type sniffing attacks
- Strict-Transport-Security: max-age=31536000; includeSubDomains. Tells browsers to use HTTPS only for one year, including on subdomains
- Referrer-Policy: strict-origin-when-cross-origin. Sends only the origin (no path or query) on cross-origin requests and nothing on HTTPS-to-HTTP downgrades
- Permissions-Policy: camera=(), microphone=(), geolocation=(). Disables camera, microphone and geolocation access for the page and any embedded frames
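A response middleware that sets the headers in the table above, shown as an added Go example rather than Tork's code. It keeps the page's 'unsafe-inline' policy as a constant for comparison and emits a per-request nonce-based policy instead, passing the nonce to the handler so its own inline script still runs; the demo handler and the extra object-src, base-uri and frame-ancestors directives are assumptions.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type nonceKey struct{}

// Fixed headers, taken from the page's table.
var fixedHeaders = map[string]string{
	"X-Frame-Options":           "DENY",
	"X-Content-Type-Options":    "nosniff",
	"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
	"Referrer-Policy":           "strict-origin-when-cross-origin",
	"Permissions-Policy":        "camera=(), microphone=(), geolocation=()",
}

// WeakCSP is the page's policy. 'unsafe-inline' means any inline script an attacker
// injects into the page also runs, so the policy does little against XSS.
const WeakCSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"

// StrictCSP allows inline scripts only when they carry this request's nonce; injected
// script has no way to learn the nonce and is blocked. frame-ancestors 'none' is the CSP
// equivalent of X-Frame-Options: DENY and is kept alongside it for older browsers.
func StrictCSP(nonce string) string {
	return fmt.Sprintf("default-src 'self'; script-src 'self' 'nonce-%s'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'", nonce)
}

func newNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure: refuse to serve rather than emit a guessable nonce
	}
	return base64.StdEncoding.EncodeToString(b)
}

// SecurityHeaders sets every header before the wrapped handler writes, and passes the
// nonce down through the request context so templates can stamp <script nonce="...">.
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range fixedHeaders {
			w.Header().Set(k, v)
		}
		nonce := newNonce()
		w.Header().Set("Content-Security-Policy", StrictCSP(nonce))
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nonceKey{}, nonce)))
	})
}

// NonceFrom returns the nonce SecurityHeaders attached to the request.
func NonceFrom(r *http.Request) string {
	n, _ := r.Context().Value(nonceKey{}).(string)
	return n
}

// page is a constructed handler that emits one nonce-bearing inline script.
var page = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprintf(w, `<html><body><script nonce="%s">console.log("ok")</script></body></html>`, NonceFrom(r))
})

// Serve runs one in-memory request through the middleware and returns the recorded response.
func Serve(h http.Handler, path string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	SecurityHeaders(h).ServeHTTP(rec, httptest.NewRequest("GET", path, nil))
	return rec
}

func main() {
	rec := Serve(page, "/")
	for k := range rec.Header() {
		fmt.Printf("%s: %s\n", k, rec.Header().Get(k))
	}
	fmt.Println(rec.Body.String())
}
```

Headers must be set before the first write to the body, which is why the middleware sets them and only then calls the next handler; a nonce must also be fresh per response, since a reused value is as good as 'unsafe-inline' once an attacker has seen it.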
Your data is protected at every stage with encryption, access controls, and compliance certifications.
Encryption
Industry-standard encryption for all data
- TLS 1.3 for data in transit
- AES-256 encryption at rest
- Secure key management
- Perfect forward secrecy
PII Protection
Automatic detection and redaction of sensitive data
- Real-time PII detection
- Configurable redaction rules
- Support for 50+ PII types
- Audit trail for all redactions
Compliance
Meeting enterprise security standards
- GDPR compliant (DPA available)
- HIPAA ready (BAA available)
- CCPA compliant
- SOC 2 Type II (in progress)
Comprehensive security event logging with threat scoring, alerting, and SIEM integration support.
Features
Responsible Disclosure
We take security seriously and appreciate responsible disclosure of vulnerabilities. If you discover a security issue, please contact us privately.
Please allow up to 48 hours for an initial response. We will work with you to understand and resolve the issue promptly.