Security at Foreman

Your Autodesk Forma data is at the heart of your projects. Here's how we protect it at every layer — from authentication to infrastructure.

TLS encrypted
Autodesk SSO
GDPR compliant
OAuth 2.1 + PKCE

Authentication & Identity

Foreman uses Autodesk identity as the primary authentication method. Users sign in with their existing Autodesk account — no separate passwords to create or manage. Your Autodesk profile, including name, email, avatar, job title, and company, is synced automatically on each sign-in.

  • Autodesk SSO — Primary login for all regular users, inheriting Autodesk's enterprise-grade identity security
  • OAuth 2.1 with PKCE — All API and MCP integrations authenticate via OAuth 2.1 with mandatory Proof Key for Code Exchange
  • Two-factor authentication — Enforced for all system administrators using password-based login, via authenticator app (TOTP)
  • Passkey support — WebAuthn/FIDO2 for phishing-resistant, passwordless sign-in (fingerprint, Face ID, security key)
  • Account lockout — Automatic lockout after 5 failed login attempts with a 15-minute cooldown period
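The OAuth 2.1 + PKCE exchange the list above refers to, as an added Python example that is not Foreman's own code: the client derives an S256 challenge from a private verifier, and the server binds each authorization code to that challenge and redeems it once. The AuthorizationServer class, its in-memory code store and demo_flow are constructed for illustration; the only real value used in testing is the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import secrets

def b64url(data: bytes) -> str:
    # RFC 7636 base64url: URL-safe alphabet, padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    # 32 random bytes encode to 43 chars, the RFC 7636 minimum length
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    # S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def verify_pkce(stored_challenge: str, method: str, verifier: str) -> bool:
    # Token-endpoint check; OAuth 2.1 drops "plain", so only S256 passes.
    if method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    return secrets.compare_digest(make_challenge(verifier), stored_challenge)

class AuthorizationServer:
    """Constructed in-memory server side (not Foreman's code): each code is
    bound to the challenge seen at /authorize and can be redeemed once."""
    def __init__(self) -> None:
        self._codes = {}  # authorization code -> code_challenge

    def authorize(self, code_challenge: str, method: str) -> str:
        if method != "S256":
            raise ValueError("OAuth 2.1 requires code_challenge_method=S256")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        challenge = self._codes.pop(code, None)  # consumed even on failure
        if challenge is None or not verify_pkce(challenge, "S256", code_verifier):
            return None
        return "at_" + b64url(secrets.token_bytes(16))  # opaque reference token

def demo_flow() -> bool:
    # Client keeps the verifier private; an intercepted code is useless without it.
    server = AuthorizationServer()
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier), "S256")
    leaked = server.authorize(make_challenge(verifier), "S256")
    ok = server.token(code, verifier) is not None          # legitimate exchange
    replay = server.token(code, verifier) is None          # code already used
    stolen = server.token(leaked, make_verifier()) is None  # wrong verifier
    return ok and replay and stolen
```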

Data Encryption

All data is encrypted both in transit and at rest. We use industry-standard encryption to ensure your project data and credentials are never exposed.

  • TLS encryption — All connections are encrypted via TLS, terminated at the reverse proxy
  • Encryption at rest — APS credentials and OAuth tokens are encrypted using the .NET Data Protection API before database storage
  • Secure cookies — Session cookies carry the Secure flag (sent over HTTPS only), HttpOnly (inaccessible to JavaScript), and the SameSite=Lax attribute
  • Opaque reference tokens — OAuth access tokens are stored as opaque references in the database rather than self-contained tokens, so revocation takes effect immediately

Access Control & Authorization

Foreman enforces multiple layers of access control to ensure users can only access what they're authorized to.

  • Role-based policies — User, Admin, and Organization Admin roles with distinct permission boundaries
  • Per-project MCP access — Each user explicitly enables which projects are accessible to AI assistants
  • Per-tool opt-out — Users can disable individual MCP tools they don't need
  • Tenant isolation — Each organization's data is isolated via tenant-scoped access policies
  • Subscription gating — Feature access enforced by subscription tier, preventing unauthorized use

Infrastructure & Hosting

Foreman runs on dedicated, self-managed infrastructure. No application data is stored in third-party cloud services.

  • Self-hosted containers — Application, database, MCP server, and reverse proxy run as isolated Docker containers
  • PostgreSQL 16 — All queries use parameterized statements, preventing SQL injection
  • Reverse proxy — Caddy terminates TLS and enforces trusted forwarded headers from internal networks only
  • Rate limiting — Authentication endpoints are rate-limited to 10 requests per minute per IP address

Application Security

Foreman implements defence-in-depth with multiple layers of application-level security controls.

Security Headers

Content-Security-Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict Referrer-Policy

CSRF Protection

Antiforgery tokens validated on all state-changing requests, with explicit bypass only for OAuth endpoints

Input Sanitization

HTML sanitization on user-generated content, model validation on all inputs, path traversal protection

Redirect Protection

All redirects validated as local URLs, preventing open redirect attacks
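The local-URL check behind the Redirect Protection item, as an added Python example that is not Foreman's code: it applies the same rules ASP.NET Core's Url.IsLocalUrl enforces (stated from memory), contrasts them with a scheme-and-host-only check that wrongly accepts the backslash variant, and runs both over constructed inputs. The function names and the CASES table are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

def is_local_url(url: str) -> bool:
    """True only for same-origin targets: '/', '/path?q#f' or '~/path'.

    Rules follow what ASP.NET Core's Url.IsLocalUrl enforces (written from
    memory, not taken from Foreman's code): a leading '/' or '~/' whose next
    character is neither '/' nor '\\', and no control characters anywhere."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False  # control characters are rejected outright
    if url.startswith("/"):
        return len(url) == 1 or url[1] not in "/\\"
    if url.startswith("~/"):
        return len(url) == 2 or url[2] not in "/\\"
    return False  # empty, absolute URL, javascript: scheme, or bare host

def naive_is_local(url: str) -> bool:
    # A common but insufficient check: "no scheme and no host means local".
    parts = urlsplit(url)
    return not parts.scheme and not parts.netloc

def safe_redirect_target(return_url, fallback: str = "/") -> str:
    # What a login/logout handler should do with a user-supplied returnUrl.
    return return_url if return_url and is_local_url(return_url) else fallback

# Constructed test cases: the verdict a correct local-URL check must give.
CASES = {
    "/projects/42": True,
    "/projects?next=//evil.example": True,  # only the start of the path matters
    "~/settings": True,
    "": False,
    "//evil.example/": False,               # protocol-relative, keeps the scheme
    "/\\evil.example": False,               # browsers normalise '\\' to '/'
    "~//evil.example": False,
    "https://evil.example/": False,
    "javascript:void(0)": False,
    "/projects\n": False,                   # control character
}

def check_cases() -> bool:
    return all(is_local_url(u) is expected for u, expected in CASES.items())

def naive_misses() -> list:
    # Dangerous inputs the scheme/host-only check wrongly accepts.
    return [u for u, expected in CASES.items() if not expected and naive_is_local(u)]
```

Calling naive_misses() shows the inputs the weaker check lets through; a validator should be tested against exactly that kind of table before it guards a redirect.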

Data Privacy & Retention

We collect only the data necessary to provide the service, and give you full control over your information.

  • Personal data export — Download all your personal data at any time from Account Settings, in compliance with GDPR
  • Account deletion — Submit a deletion request from your Account Settings. Requests are reviewed by administrators to ensure shared data and active projects are handled properly. You'll receive email notification of approval or rejection.
  • Automatic token cleanup — Expired and revoked OAuth tokens are automatically pruned by a scheduled job
  • No third-party data sharing — We do not sell your data. The only external API Foreman communicates with is Autodesk Platform Services, on your behalf.

For full details, see our Privacy Policy.

Audit & Monitoring

Comprehensive logging and audit trails help administrators maintain visibility and accountability.

  • System logging — Warning-level and above events are captured to a database-backed audit log with user and tenant context
  • MCP tool usage tracking — Every AI tool invocation is recorded with tool name, duration, success/failure, and timestamp
  • Access request audit trail — Every submission, approval, rejection, and revocation is logged with timestamps

Security Contact

If you discover a security vulnerability or have concerns about the security of your data, please contact us immediately. We take all reports seriously and will respond promptly.

IssueLab — Security

Email: tech@issuelab.co

Please include a detailed description of the issue, steps to reproduce if applicable, and any relevant screenshots or logs. We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days.

Foreman is an independent software application and is not affiliated with, endorsed by, or sponsored by Autodesk, Inc. Autodesk and Autodesk Forma are registered trademarks of Autodesk, Inc.
