For security, Form Engine follows Quickbase security as an extension of Quickbase. It uses Quickbase authentication and User Tokens, following Quickbase roles and permissions. It does not have any separate authentication.
Form Engine does not store Quickbase passwords, data or data-populated documents anywhere outside of the customer's target Quickbase applications. And for instance, when you log into the Form Engine Builder screen with your Quickbase credentials or User Token, we pass those credentials directly to Quickbase to get a ticket that allows the Form Engine to work with Quickbase while that ticket remains open.
Only the compositional metadata and form usage statistics and blank templates that the Form Engine needs to operate are stored outside of Quickbase, in Advantage's Firebase account. Advantage has no access to any customer Quickbase data or assets unless a customer application owner grants us Quickbase permissions, like any other Quickbase user. So you can be comfortable with Form Engine security like with Quickbase security. The Form Engine’s Architecture and Security diagram and specifications are also available under NDA.
We also enable form builders to use Quickbase User Tokens to automatically authenticate users into Form Engine forms and other assets that contain live Quickbase data. When User Tokens are used like this in Form Engine, we follow Quickbase's guidance, and encrypt the User Tokens so they are not exposed in a form's URL or are otherwise accessible.
In addition, Form Engine enables use of Passkeys for optional form-specific user authentication. A Passkey is a Quickbase field in the customer's target application, protected by Quickbase permissions in that application. Like other Quickbase data, Form Engine does not store passkey data anywhere outside of Quickbase. On passkey-protected forms, it prompts the user for a passkey value, and if the user inputs the correct value that matches the value in the Quickbase record field, the form opens for user access.