Security First
Your Torn API key is sensitive. Here's exactly how we protect it and your data.
AES-256-GCM Encryption
All API keys are encrypted at rest using AES-256-GCM, the same standard used by banks and governments. Keys are never stored in plain text.
Two-Factor Authentication
Protect your account with TOTP-based 2FA using Google Authenticator, Authy, or any compatible app.
Limited API Key Only
We only require a Limited Access key — no Full Access needed. We cannot make trades, send money, or perform any actions on your Torn account.
Session Security
Sessions use signed JWTs with automatic expiration. Session cookies are set HttpOnly, Secure, and SameSite, so page scripts cannot read them (limiting the impact of XSS) and browsers do not attach them to cross-site requests (preventing CSRF).
No Password Storage
We never ask for or store your Torn password. Authentication is done exclusively through the Torn API using your API key.
Automated Security Audits
Every code change runs through 16 automated security checks including static analysis (Semgrep), secret scanning (TruffleHog), dependency audits, and custom SAST rules.
Security Headers
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy headers protect against common web attacks.
Data Isolation
Each faction's data is isolated by tenant ID. Members can only access their own faction's data. Alliance data requires explicit membership.
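To make the isolation rule concrete, here is an added example (not the site's code) of a data-access layer in which the tenant predicate is applied inside the repository rather than left to each caller, and in which alliance visibility is granted only by an explicit membership row. The record shapes and the in-memory sample data are constructed for this example.

```javascript
// Added example: tenant-scoped data access and explicit alliance membership checks.
// Not the site's code; data shapes and sample rows are constructed for this example.

// Constructed sample data.
const members = [
  { userId: 1, factionId: 'F1' },
  { userId: 2, factionId: 'F2' },
  { userId: 3, factionId: 'F3' },
];
const allianceMembership = [
  // Only factions listed here may read alliance A1 data.
  { allianceId: 'A1', factionId: 'F1' },
  { allianceId: 'A1', factionId: 'F3' },
];
const reports = [
  { id: 'r1', factionId: 'F1', title: 'F1 war report' },
  { id: 'r2', factionId: 'F2', title: 'F2 war report' },
  { id: 'r3', factionId: 'F3', title: 'F3 war report' },
];

// Every query issued through this repository carries the tenant filter; there is no
// method that can return another faction's rows, so callers cannot forget the check.
class ScopedReportRepo {
  constructor(tenantId) {
    this.tenantId = tenantId;
  }
  findById(id) {
    return reports.find((r) => r.id === id && r.factionId === this.tenantId) || null;
  }
  list() {
    return reports.filter((r) => r.factionId === this.tenantId);
  }
}

// The tenant ID comes from the authenticated user's own membership record,
// never from a request parameter the client could set.
function repoForUser(userId) {
  const m = members.find((x) => x.userId === userId);
  if (!m) throw new Error('unknown user');
  return new ScopedReportRepo(m.factionId);
}

// Alliance data is visible only when the user's faction holds an explicit membership row.
function canViewAlliance(userId, allianceId) {
  const m = members.find((x) => x.userId === userId);
  if (!m) return false;
  return allianceMembership.some((a) => a.allianceId === allianceId && a.factionId === m.factionId);
}

// Reports visible across an alliance: only those of member factions, and only to members.
function allianceReports(userId, allianceId) {
  if (!canViewAlliance(userId, allianceId)) return [];
  const memberFactions = new Set(
    allianceMembership.filter((a) => a.allianceId === allianceId).map((a) => a.factionId)
  );
  return reports.filter((r) => memberFactions.has(r.factionId));
}

console.log('user 1 reading r2:', repoForUser(1).findById('r2')); // null: different tenant
console.log('user 2 alliance A1:', allianceReports(2, 'A1').length); // 0: not a member
```

The design choice worth copying is structural: the tenant ID is fixed when the repository is constructed from the authenticated identity, so an authorization bug would require changing the repository, not merely omitting a WHERE clause in one handler.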
Continuous Security Pipeline
Every commit triggers automated security checks. Nothing reaches production without passing all gates.
What We Never Do
Found a vulnerability? Contact us on the Torn Forums.