Security

TinkerSim uses Clerk (clerk.com) for all user authentication. Clerk handles password storage, session tokens, OAuth providers, and multi-factor authentication. TinkerSim never stores raw passwords.

Session tokens are short-lived JWTs issued by Clerk and validated server-side on every protected request. All auth traffic is transmitted over HTTPS.

Circuit projects are stored in Google Firebase Firestore. Each document is scoped to the authenticated user's UID — no other user or org can read or write your circuits.

Anonymous (not signed-in) sessions persist circuit state in browser localStorage only. Closing browser storage or switching devices will lose unsaved anonymous work. Sign in to sync across devices.

For signed-in users, the canvas syncs to Firestore automatically with a 3-second debounce (max 30-second flush). Changes are also flushed when you switch tabs or close the page.

If a Firestore write fails, the app shows an in-app error toast. The current canvas state is always available in localStorage as a fallback.

Circuit data is validated against a versioned schema (schemaVersion: 1) on load. If data is detected as corrupted, the app clears the canvas and shows an error — it will not silently load broken state.

TinkerSim requires a modern, evergreen browser. Supported: Chrome 112+, Firefox 113+, Edge 112+.

Safari is not currently supported. The ngspice-wasm simulation engine relies on SharedArrayBuffer and WASM threads, which require cross-origin isolation headers that Safari handles inconsistently as of this writing.

Mobile browsers are not officially supported. The canvas interaction model (drag, pan, zoom, multi-select) is designed for desktop pointer input.

Your circuits are stored as long as your account is active. You can delete individual projects from within the app at any time — deletion is immediate and permanent.

To delete your account and all associated data, open account settings (top-right user menu in the app) and select "Delete account." This removes your Clerk account and triggers deletion of all Firestore documents scoped to your user ID.

TinkerSim does not sell or share user circuit data with third parties.

If you discover a security issue, please email security@tinkersim.io. We aim to acknowledge reports within 48 hours.