SECURITY & LIMITATIONS

What ForgeTools protects today

ForgeTools is public through an extension-first, sideloaded distribution model. This page summarizes the controls customers should know about before installing or trading.

Controlled extension distribution

ForgeTools distributes the Chrome extension from the official download page as a versioned ZIP with a SHA256 checksum. We do not rely on a Chrome Web Store listing for this release.

Managed wallet encryption

Managed wallet keys are encrypted server-side and access is restricted through authenticated ForgeTools sessions and command signing controls.

Two-factor authentication

Customers can enable TOTP two-factor authentication from Security & MFA in the dashboard. Enrollment is currently opt-in; second-factor enforcement is held back and will be re-enabled as part of the broader public rollout. Backup codes cover device loss; support-assisted reset is available after identity verification.

Public launch limitations

Some deeper controls, including KMS-backed envelope encryption and self-serve account deletion, are tracked as follow-up projects. Operators maintain an internal risk register and review it quarterly.

No investment advice

ForgeTools is execution software for on-chain activity. Customers remain responsible for trading decisions, tax treatment, and jurisdiction-specific obligations.

How to verify the extension package

  1. Download the extension only from `forgetools.top/download`.
  2. Check the published SHA256 checksum when one is provided.
  3. Keep the unzipped extension folder in a permanent location so Chrome can continue loading it.
  4. Treat ZIPs from Discord, Telegram, or direct messages as untrusted unless they match the official download URL.
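One way to carry out the checksum step before unzipping, as an added example (not ForgeTools' own tooling). The function names `sha256_of` and `verify_zip` are hypothetical, the demo file and digests are constructed, and the published value is assumed to be copied by hand from the official download page.

```shell
#!/bin/sh
# Added example. Verify a downloaded ZIP against the published SHA256
# before unzipping it. Paths and checksums below are constructed samples.

# Print the lowercase hex SHA256 of a file (reads via stdin so odd file
# names cannot alter the tool's output format).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        echo "no SHA256 tool found" >&2; return 2
    fi
}

# verify_zip FILE PUBLISHED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if the check could not be performed.
verify_zip() {
    vz_file=$1
    # Normalize what was copied from the page: strip whitespace, lowercase.
    vz_want=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $vz_want in
        ''|*[!0-9a-f]*) echo "published checksum is not hex" >&2; return 2 ;;
    esac
    [ "${#vz_want}" -eq 64 ] || { echo "published checksum is not 64 hex chars" >&2; return 2; }
    [ -f "$vz_file" ] && [ -r "$vz_file" ] || { echo "cannot read $vz_file" >&2; return 2; }
    vz_got=$(sha256_of "$vz_file") || return 2
    if [ "$vz_got" = "$vz_want" ]; then
        echo "OK: $vz_file matches the published checksum"
        return 0
    fi
    echo "MISMATCH: do not unzip or load $vz_file" >&2
    echo "  published: $vz_want" >&2
    echo "  computed:  $vz_got" >&2
    return 1
}

# Constructed demo: a stand-in file whose content is "abc" (not a real release).
demo_file=$(mktemp)
printf 'abc' > "$demo_file"
verify_zip "$demo_file" "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"
verify_zip "$demo_file" "$(printf '%064d' 0)" || echo "mismatch exit status: $?"
rm -f "$demo_file"
```

Exit status 2 is kept separate from 1 so that a malformed or missing checksum is never mistaken for a successful check.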

How to enable two-factor authentication

  1. Sign in to the dashboard and open Security & MFA from the account menu.
  2. Scan the displayed QR code with an authenticator app (Authy, 1Password, Google Authenticator, or any RFC 6238 client) and enter the 6-digit code to confirm.
  3. Copy the eight backup codes shown immediately after confirmation. They are not shown again; store them in a password manager or print them.
  4. Enrollment is currently opt-in: no action gates on the authenticator code yet. Second-factor enforcement on withdrawals, token launches, and sign-in will be re-enabled as part of the broader public rollout.