Enforgate
Start free
Browse documentation

How does Enforgate handle security and data?

Enforgate is in the path of sensitive actions, so it's built to hold as little sensitive data as possible and to fail safe. These rules are non-negotiable in the codebase.

Arguments are never stored in the clear

Tool-call arguments often contain the sensitive part of an action — a recipient, a query, a dollar amount. Enforgate never persists or logs raw arguments. Policy conditions evaluate them in memory; what goes to the database is a sha256 hash of the canonicalized arguments. The audit log can prove that two calls had the same arguments without ever revealing them.

API keys are stored hashed

A raw API key is shown once, at creation. The database keeps only a sha256 hash and a short display prefix (so you can recognise a key in a list). A leaked database can't be used to authenticate, and Enforgate itself can never display your key again.

Stored secrets are encrypted

When you configure your own SMTP server for approval emails, the SMTP password is encrypted with AES-256-GCMbefore it's stored — the plaintext never touches the database. The encryption key is derived from a server-side secret (SMTP_SECRET_KEY), and the password is write-only in the dashboard: you can replace it, but it's never read back to the UI or any API response.

Fail closed

Every ambiguous situation resolves to “deny,” not “allow”:

  • No rule matches and no default is set → the engine denies.
  • A rule's regex is invalid → it doesn't match (and default-deny backstops it).
  • The audit write fails → /v1/check returns an error and no verdict.
  • An approval times out, or the approval infrastructure is unreachable → the held call is denied.

What is recorded

The audit log keeps, per call:

  • the server and tool name,
  • the arguments hash (not the values),
  • the verdict, the matching policy/rule, and the reason,
  • the status (completed, blocked, error, or pending) and latency,
  • and, for approvals, who resolved it and when.

Account data & retention

Account records hold your email, name, and OAuth provider identifiers (or a bcrypt password hash for email/password accounts). Audit and usage records are retained while your account is active so the dashboard's feed, overview, and usage views work. For specifics on collection, retention, and deletion, see the privacy policy.