Security & Trust Model
FlareWatch deploys resources into your Cloudflare account, and those resources then run there.
API token handling in the wizard
API tokens are encrypted before temporary session storage. They are stored in session KV with a short TTL (about 30 minutes) and refreshed while active.
Tokens are used for validation/deploy/delete operations. They are not part of your deployed runtime and can be revoked after deployment.
What is stored during wizard sessions
Session data in wizard KV can include:
- account ID and workers subdomain,
- monitor/branding/notification/security selections,
- encrypted token and encrypted temporary passwords.
Session records use TTL-based expiration and can also be cleared explicitly.
Runtime ownership
After deployment, runtime resources are in your account. Your deployed resources are described in You Own Everything.
Password storage
When auth is enabled, credentials are deployed to your status-page worker as Cloudflare Worker secrets using PBKDF2-SHA256 password hashing (salted; no plaintext password storage in deployed secrets). During wizard setup, temporary password values are encrypted in session KV with a short TTL.
Data flow notes
- Monitor state/history stays in your Cloudflare KV.
- If you configure external webhooks, alert payloads are intentionally sent to those endpoints.
- FlareWatch control-plane availability is not required for already-deployed workers to serve traffic.