Security

AdFlow's security model, multi-tenant isolation, and best practices.

⏱ 1 min · ↻ May 2026

AdFlow’s security model and what we protect — and what we don’t.

Transport

All traffic uses HTTPS with TLS 1.3. HTTP connections are automatically redirected to HTTPS. No exceptions.

Authentication

Authentication uses JWTs with automatic rotation every 24h. Long-lived tokens don’t exist in the API. For automations, use service tokens generated in Settings → Integrations → API Tokens. These tokens have limited scope and can be revoked individually.

Passwords are stored with bcrypt (cost 12). We never store passwords in plain text or as a reversible hash.

Webhooks

Every payload includes the X-AdFlow-Signature header: HMAC-SHA256 of the body using the endpoint secret. Validate the signature on your server before processing any payload.

How to validate the signature
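
One way to perform this check on the receiving server, as an added example that is not AdFlow's own code. It assumes the header value is the lowercase hex digest (the page does not state the encoding); the secret, body and event name are constructed sample values.

```python
import hashlib
import hmac
import json

# Assumption: the header carries the hex digest. The page states only
# "HMAC-SHA256 of the body using the endpoint secret"; confirm the encoding.
SIGNATURE_HEADER = "X-AdFlow-Signature"


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact request bytes, hex-encoded (assumed encoding)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the signature header matches the raw body."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # missing or empty header: reject, never fall through
    expected = sign(secret, raw_body).encode()
    # Compare bytes in constant time: a plain == leaks timing information,
    # and compare_digest() on str raises TypeError for non-ASCII input.
    received_bytes = received.strip().lower().encode("utf-8", "replace")
    return hmac.compare_digest(expected, received_bytes)


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict):
    """Verify first, parse second: unauthenticated bytes never reach json.loads."""
    if not verify_webhook(secret, raw_body, headers):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample data (not real AdFlow values).
SAMPLE_SECRET = b"constructed-endpoint-secret"
SAMPLE_BODY = b'{"event": "campaign.updated", "id": 42}'
SAMPLE_HEADERS = {"X-AdFlow-Signature": sign(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
    # Re-serialising the JSON changes the bytes, so the signature no longer matches.
    reserialised = json.dumps(json.loads(SAMPLE_BODY), separators=(",", ":")).encode()
    print(handle_webhook(SAMPLE_SECRET, reserialised, SAMPLE_HEADERS))
```

Pass the body exactly as received on the wire; many web frameworks parse JSON before your handler runs, so read the raw bytes explicitly.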

Immutable audit log

Every platform action is recorded append-only. No entry can be edited or deleted — not by admins, not via API. This includes system actions (jobs, automatic rotations).

What we store

| Data | Stored |
| --- | --- |
| Campaigns, settings | Yes — PostgreSQL database |
| Browser profiles (references) | Yes — id, name, status |
| Proxies (credentials) | Yes — encrypted at rest |
| Browser cookies | No — stay in AdsPower, outside AdFlow |
| Creatives and images | No — managed directly in Meta |

Browser cookies never pass through AdFlow. AdFlow communicates with AdsPower via a local API — it doesn’t access, store, or transmit session cookies.

Vulnerability disclosure

Found a security issue? Email: [email protected]

Don’t open a public issue. We respond within 48 business hours and coordinate responsible disclosure.