Authentication & Security
Enterprise-grade security with flexible authentication options and comprehensive protection
Overview
Instafill.ai's authentication system supports four sign-in methods: Google OAuth, Microsoft OAuth, email/password, and SSO (Enterprise). OAuth provider logic handles the identity exchange with Google and Microsoft without storing third-party passwords.
Passwords for email/password accounts are hashed with a strong adaptive hashing algorithm whose cost factor can be raised as hardware gets faster, so offline guessing stays expensive and the plain-text credential is never stored. After any successful authentication, regardless of method, the system issues a JWT. Middleware in both the API layer and the processing service validates that token on every subsequent request, so the same credential is honored consistently across both service layers.
Two-factor authentication can be enabled at the user level or enforced across an entire organization, and adds an SMS verification step before the final JWT is issued. CAPTCHA protection via Cloudflare Turnstile is applied to email/password sign-ins to block automated credential attacks.
Key Capabilities
- Four Authentication Methods: Google OAuth, Microsoft OAuth, email/password with adaptive password hashing, and Enterprise SSO
- Unified JWT Issuance: A JWT is issued after successful authentication; the same JWT format is validated by both service layers
- Two-Factor Authentication: SMS codes delivered before the final JWT is issued; can be enforced organization-wide (Enterprise)
- CAPTCHA Protection: Cloudflare Turnstile applied to email/password sign-in flows to block bots and credential stuffing
- OAuth Provider Abstraction: Google and Microsoft flows handled by dedicated provider logic — both result in the same JWT output
- Session Management: JWTs carry workspace and role claims used by both service layers to enforce access boundaries
- Account Recovery: Secure password reset via email verification; backup codes available when 2FA is active
- Audit Logging: Authentication events — successful logins, failed attempts, 2FA challenges — recorded with timestamp and IP
How It Works
Sign-In Options: Users authenticate via one of four methods:
- Google OAuth — Instafill.ai never receives the Google password; only the identity assertion is exchanged
- Microsoft OAuth — same pattern; no Microsoft password is transmitted
- Email/password — credential verified against a stored password hash
- SSO (Enterprise) — organization-level identity provider configured by org admins
CAPTCHA Verification: Email/password sign-ins pass through Cloudflare Turnstile before credentials are checked, blocking automated login attempts.
2FA Challenge (if enabled): After the first factor is verified, a 6-digit SMS code is sent. The final JWT is not issued until this code is confirmed.
JWT Issuance: On successful authentication, a JWT is issued containing the user identity, workspace membership, and role claims. This token is the single credential used across both service layers.
Ongoing Request Validation: Every API request presents the JWT to middleware in both service layers. The middleware verifies the token signature and expiration, then reads the workspace claim to enforce data isolation, so a token issued for one workspace cannot reach another workspace's data regardless of which service layer handles the request.
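The issue-once, validate-everywhere flow above, as an added example that is not Instafill.ai's code: a minimal HS256 JWT issuer plus the middleware check both service layers would run. The signing key, claim names (`sub`, `workspace`, `role`), one-hour lifetime and the `forge_workspace_claim` attacker helper are assumptions for illustration. Note the order of checks: algorithm pinned, signature verified, and only then are the claims trusted, so a client that edits the workspace claim gets a signature failure rather than another workspace's data.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical HS256 signing key. In a real deployment it comes from a secret store and
# must be available to every service layer that validates tokens.
SIGNING_KEY = b"example-signing-key-not-for-production"
ALLOWED_ALG = "HS256"


class AuthError(Exception):
    """Raised by the middleware when a token must be rejected."""


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_jwt(user_id: str, workspace_id: str, role: str, ttl_seconds: int = 3600, now=None) -> str:
    """Issued once, after the first factor (and the 2FA code, if enabled) has been confirmed."""
    now = int(time.time() if now is None else now)
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    claims = {"sub": user_id, "workspace": workspace_id, "role": role, "iat": now, "exp": now + ttl_seconds}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    return signing_input + "." + b64url_encode(sign(signing_input))


def verify_jwt(token: str, now=None) -> dict:
    """Middleware step shared by both service layers: algorithm, signature, then expiry."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise AuthError("malformed token")
    # Pin the algorithm; never let the token's own header choose it (blocks alg=none and key confusion).
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise AuthError("unexpected algorithm")
    if not hmac.compare_digest(sign(f"{header_b64}.{claims_b64}"), signature):
        raise AuthError("bad signature")
    # Claims are decoded and trusted only after the signature has been checked.
    try:
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        raise AuthError("malformed claims")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise AuthError("token expired")
    return claims


def authorize_request(token: str, requested_workspace: str, now=None):
    """Returns (True, claims) when the token may touch requested_workspace, else (False, reason)."""
    try:
        claims = verify_jwt(token, now)
    except AuthError as exc:
        return False, str(exc)
    if claims.get("workspace") != requested_workspace:
        # Isolation is decided on the signed claim, never on an id the client supplies.
        return False, "cross-workspace access denied"
    return True, claims


def forge_workspace_claim(token: str, new_workspace: str) -> str:
    """Attacker simulation (constructed): rewrite the workspace claim but keep the original signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims["workspace"] = new_workspace
    return ".".join([header_b64, b64url_encode(json.dumps(claims, separators=(",", ":")).encode()), sig_b64])


if __name__ == "__main__":
    token = issue_jwt("user-42", "ws-billing", "billing")
    print(authorize_request(token, "ws-billing"))                                    # allowed
    print(authorize_request(token, "ws-clinical"))                                   # cross-workspace denied
    print(authorize_request(forge_workspace_claim(token, "ws-clinical"), "ws-clinical"))  # bad signature
```

The same `verify_jwt` runs unchanged in the API layer and in the processing service; the only thing each layer adds is which workspace the request is trying to reach.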
Use Cases
Authentication controls are the entry point for regulated-industry access policies. A healthcare practice filling CMS-1500 claims or I-485 immigration forms configures role-based workspace membership so clinical staff and billing teams access different form sets — the workspace isolation is enforced at the JWT claim level, not by convention. Law firms use workspace separation to maintain client matter confidentiality across teams handling similar form types (e.g., W-4 onboarding packets for different clients). Enterprises with distributed workforces enforce SSO and mandatory 2FA at the organization level so that all authentication flows through corporate identity standards without requiring per-user configuration.
Real-World Example: Healthcare organizations handling sensitive credentialing data have implemented secure workflows for multi-hospital physician credentialing with role-based access ensuring only authorized staff view completed credential packets.
Benefits
- Consolidated Token Format: The same JWT format is honored by both service layers, so there is no separate credential or session to manage
- No Plain-Text Password Storage: Adaptive password hashing means a database backup yields only hashes; an attacker would have to guess each password, and the cost factor makes every guess expensive
- Provider Flexibility: Teams already using Google Workspace or Microsoft 365 authenticate with existing credentials — no new password to manage
- Enforcement at Scale: Organization-wide 2FA enforcement and SSO mean security policies apply uniformly to every member without per-user setup
- Compliance Logging: Authentication events are logged with timestamps and IP addresses to satisfy HIPAA technical safeguard documentation requirements
- Credential Theft Mitigation: OAuth flows never transmit a password to Instafill.ai, and SMS 2FA means a phished or leaked password alone is not enough to sign in (SMS codes are not phishing-resistant in the strict sense, since a real-time relay can capture one, but they defeat attacks that rely on the password alone)
Security & Privacy
All data is workspace-scoped and protected by JWT authentication middleware running across both service layers.
Password Security:
- Passwords are hashed using an adaptive algorithm; plain-text credentials are never stored or logged
- Minimum complexity requirements enforced at account creation and password reset
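The password handling described above, as an added example that is not Instafill.ai's code. The page names neither the algorithm nor the cost; this block uses PBKDF2-HMAC-SHA256 because it ships in the Python standard library, and the iteration count, salt length, record format, 12-character minimum and the constructed deny list are all assumptions. It also goes one step beyond the text: because the record stores its own cost factor, a login can transparently re-hash a password whose cost has fallen behind the current setting.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters. Any adaptive KDF (bcrypt, scrypt, Argon2id) has the same shape:
# a per-user salt plus a cost factor that is raised over time.
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000      # the cost factor
SALT_BYTES = 16
MIN_PASSWORD_LENGTH = 12          # assumed policy; the page states only that complexity rules exist

# Constructed deny list standing in for a breached-password set.
COMMON_PASSWORDS = {"password", "password123", "letmein", "qwerty123456"}


def password_policy_violations(password: str) -> list:
    """Complexity check run at account creation and password reset."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    return problems


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Returns a self-describing record, algorithm$iterations$salt$digest, with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def parse_record(stored: str):
    """Returns (algorithm, iterations, salt, digest) or None for a corrupt/unknown record."""
    try:
        alg, iters, salt_b64, digest_b64 = stored.split("$")
        return alg, int(iters), base64.b64decode(salt_b64, validate=True), base64.b64decode(digest_b64, validate=True)
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    parsed = parse_record(stored)
    if parsed is None or parsed[0] != ALGORITHM:
        return False                      # a plain-text or corrupt record never verifies
    _, iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def needs_rehash(stored: str) -> bool:
    parsed = parse_record(stored)
    return parsed is None or parsed[0] != ALGORITHM or parsed[1] < CURRENT_ITERATIONS


def login(password: str, stored: str):
    """Returns (ok, upgraded_record). On success, a record whose cost factor lags
    CURRENT_ITERATIONS is re-hashed while the plain-text password is briefly available."""
    if not verify_password(password, stored):
        return False, None
    return True, (hash_password(password) if needs_rehash(stored) else None)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
```

Two details worth copying: the comparison uses `hmac.compare_digest` so a wrong password does not leak through timing, and anything that is not a well-formed record (including a plain-text string that somehow reached the table) fails closed.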
Session Protection:
- Session cookies are set HttpOnly (not readable by page script, so an XSS cannot simply read the token out), Secure (sent only over TLS) and SameSite (not attached to cross-site requests, which blunts CSRF)
- JWTs carry an expiration claim; expired tokens are rejected by middleware in both service layers
- Refresh tokens allow session continuity without re-entering credentials
Network Security:
- All authentication traffic encrypted with TLS
- IP address recorded on each authentication event for anomaly detection and audit purposes
Monitoring & Response:
- Progressive delays applied after repeated failed login attempts
- Cloudflare Turnstile blocks automated credential attacks on email/password endpoints
- Account lockout triggered after sustained failed attempts; account owner notified
Privacy:
- Google and Microsoft OAuth flows share only email and display name — no inbox or calendar access
- Authentication logs retain IP, timestamp, and success/failure outcome; no form content is logged at authentication time
Platform Updates: Enhanced data validation through field flagging and accuracy improvement features provides additional quality control layers for secure form processing.
Common Questions
Which authentication method should I use?
For most users: Google or Microsoft OAuth is recommended because:
- One-click sign-in using an existing account — no new password to manage
- Instafill.ai never receives or stores your Google/Microsoft password
- Authentication security (breach detection, account recovery) is handled by the OAuth provider
Use email/password if:
- Your organization does not use Google Workspace or Microsoft 365
- You require direct credential management independent of a third-party provider
Enable 2FA if:
- You handle sensitive form types (CMS-1500 claims, I-9 employment verification, I-485 immigration, physician credentialing)
- Your compliance framework (HIPAA, SOC 2) requires multi-factor authentication
Is my data safe if I use OAuth (Google/Microsoft) sign-in?
Yes. The OAuth flows exchange only an identity assertion — your email address and display name — with Instafill.ai. Your Google or Microsoft password is never transmitted to or stored by Instafill.ai.
The resulting session JWT is identical in structure to one issued after an email/password login. Your form data in Instafill.ai is scoped to your workspace and has no connection to your Google or Microsoft account contents.
You can revoke Instafill.ai's OAuth access at any time from your Google or Microsoft account security settings.
What happens if someone tries to hack my account?
Instafill.ai has multiple protections against account compromise:
- CAPTCHA: Cloudflare Turnstile blocks automated login attempts on email/password endpoints before credentials are checked
- Progressive Delays: Repeated failed attempts on the same account trigger increasing wait times
- Account Lockout: After sustained failed attempts, the account is locked and the owner is notified
- 2FA: If enabled, an attacker who obtains your password still cannot log in without the SMS code sent to your registered phone
You will receive email notifications for password changes and 2FA configuration changes.
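The progressive-delay and lockout behaviour described in Monitoring & Response and in this answer, as one added example that is not Instafill.ai's code. The thresholds (delays from the third consecutive failure, doubling up to a 60-second cap, lockout on the tenth, 15-minute lock) and the `notify` callback standing in for the owner e-mail are assumptions; the page says only that delays are progressive and that lockout follows sustained failures. The credential check is a boolean here because hashing is out of scope for this block.

```python
import time
from dataclasses import dataclass

# Assumed thresholds for illustration.
DELAY_AFTER_FAILURES = 3       # delays start with the 3rd consecutive failure
LOCK_AFTER_FAILURES = 10       # lockout on the 10th
BASE_DELAY_SECONDS = 2.0
MAX_DELAY_SECONDS = 60.0
LOCKOUT_SECONDS = 15 * 60.0


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0    # earliest time another attempt will be evaluated
    locked_until: float = 0.0


class LoginThrottle:
    """Per-account brute-force control, applied after CAPTCHA and before the password check."""

    def __init__(self, notify):
        self.accounts = {}
        self.notify = notify       # callable(email, event); stands in for the owner notification e-mail

    def _state(self, email):
        return self.accounts.setdefault(email.lower(), AccountState())

    def check(self, email, now=None):
        """Returns (allowed, reason, seconds_to_wait)."""
        now = time.time() if now is None else now
        s = self._state(email)
        if now < s.locked_until:
            return False, "locked", s.locked_until - now
        if now < s.not_before:
            return False, "delayed", s.not_before - now
        return True, "ok", 0.0

    def record_failure(self, email, now=None):
        now = time.time() if now is None else now
        s = self._state(email)
        s.failures += 1
        if s.failures >= LOCK_AFTER_FAILURES:
            s.locked_until = now + LOCKOUT_SECONDS
            self.notify(email, "account_locked")
        elif s.failures >= DELAY_AFTER_FAILURES:
            # Delay doubles with each further failure, capped so delay alone never becomes a lockout.
            exponent = s.failures - DELAY_AFTER_FAILURES
            s.not_before = now + min(BASE_DELAY_SECONDS * 2 ** exponent, MAX_DELAY_SECONDS)
        return s.failures

    def record_success(self, email):
        self.accounts.pop(email.lower(), None)


def attempt_login(throttle, email, password_matches, now=None):
    """Throttle gate first; attempts during a delay or lockout are refused without evaluating the password."""
    allowed, reason, wait = throttle.check(email, now)
    if not allowed:
        return reason, wait
    if password_matches:
        throttle.record_success(email)
        return "ok", 0.0
    throttle.record_failure(email, now)
    return "failed", 0.0


def simulate_credential_stuffing(attempts, email="victim@example.com", start=0.0):
    """Constructed attack: one wrong password per second. Returns the outcomes and notifications sent."""
    events = []
    throttle = LoginThrottle(notify=lambda e, ev: events.append((e, ev)))
    outcomes = [attempt_login(throttle, email, password_matches=False, now=start + i)[0] for i in range(attempts)]
    return outcomes, events


if __name__ == "__main__":
    print(simulate_credential_stuffing(12))
```

Refusing to evaluate the password during a delay (rather than evaluating it and then sleeping) matters: it keeps the expensive hash computation off the attacker's request path and means a delayed attempt cannot itself count as another failure.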
How long do sessions last?
Session lifetime is determined by the JWT expiration claim set at issuance:
- Browser sessions: Active sessions persist until you sign out or the JWT expires
- API tokens: Access tokens expire after 1 hour; refresh tokens allow renewal without re-authentication
- Inactive sessions: Sessions inactive beyond the configured idle timeout require re-authentication
Organization admins (Enterprise) can configure shorter idle timeouts for workspaces handling sensitive data such as HIPAA-covered PHI.
Can I see everywhere my account has been accessed?
Yes. Authentication events are logged with date, time, IP address, and authentication method (Google OAuth, Microsoft OAuth, email/password). Organization administrators can view login history for all workspace members for security auditing and compliance review.
What if I get locked out of my account?
OAuth users (Google/Microsoft): As long as you have access to your Google or Microsoft account, you can always sign in — there is no separate Instafill.ai password to lose.
Email/password users:
- Click "Forgot Password" on the login page
- Receive a reset link via email (valid for 1 hour)
- Set a new password; it is hashed before being saved
- If 2FA is active, confirm with the SMS code after resetting
Lost 2FA phone: Use a backup code generated when you enabled 2FA, or contact [email protected] with identity verification to temporarily disable 2FA.
Does Instafill.ai support single sign-on (SSO) for enterprises?
Yes. Enterprise customers can configure SSO so that employees authenticate through their existing corporate identity provider. The SSO flow terminates in the same JWT issuance as all other auth methods, so workspace access and role enforcement work identically after SSO login.
Contact [email protected] to configure enterprise SSO for your organization.