Skip to main content

Is it safe to save your Companies House authentication code?

By DormantFile · Updated 10 June 2026

Your Companies House authentication code is a 6-character code that acts as your company's online signature. Anyone who has it, together with your company number, can file documents for your company online — accounts, officer changes, a change of registered office. So when a filing service offers to save it for next year, "is that safe?" is exactly the right question to ask.

DormantFile's autopilot is built on storing that code, so this guide is partly about our own product. Here is the honest version of the trade-off.

What the code actually protects

The authentication code is the credential Companies House uses in place of a wet signature for online filings. It is company-level, not person-level — there is one code per company, and whoever presents it is treated as authorised. (If you're hazy on the basics — where it comes from, what to do if it's lost — start with our complete guide to the authentication code.)

That makes it sensitive, but it's worth being precise about the risk. The code does not give access to a bank account or to money. The realistic abuse is fraudulent filings — and every filing made with it appears on the public register, so misuse is visible rather than silent. Sensitive, yes; catastrophic in the way a leaked banking password is, no.

Holding client codes is normal industry practice

If you've ever used an accountant or any filing software for your company, someone other than you has almost certainly held your code. Accountants keep client authentication codes on file as a matter of routine — it is how they file on clients' behalf year after year. Company formation agents typically generate and hold the code from day one. Filing software platforms store it so you don't re-enter it per submission.

So the question is rarely "should anyone ever hold my code?" — that ship sailed for most companies at incorporation. The better questions are: who holds it, how is it stored, what is it used for, and can I revoke it?

How DormantFile handles it

Our default is that we don't store your code at all. When you file dormant accounts normally, the code is entered at the point of filing, sent to Companies House over an encrypted connection, and not written to our database.

Storage only happens if you explicitly opt in to autopilot — the feature that prepares next year's dormant accounts and files them when you click confirm in an email 30 days before your deadline. If you do opt in:

  • The code is encrypted at rest with AES-256-GCM. It is never logged and never accessible to our team.
  • It is used for exactly one thing: submitting the dormant accounts filing you confirm. Nothing files without your click — one click a year, never zero.
  • If you turn autopilot off, the code is deleted immediately and permanently. No retention period, no archive.

These claims match our security page word for word — if the two ever disagreed, the security page wins.

The honest trade-off

What you give up by opting in: a copy of your company's online signature exists, encrypted, in someone else's database. However good the encryption, that is one more place the code lives, and you should only accept that from a provider you'd trust the way you'd trust an accountant.

What you get: you stop being the single point of failure for a deadline that carries automatic penalties from £150 to £1,500. For most dormant company owners, the realistic threat to the company isn't a database breach — it's forgetting a date once a year for a company they never think about.

If that trade isn't for you, don't opt in — nothing changes, you enter the code each year at the point of filing, and our reminder emails still cover the remembering. You can also change your code at Companies House at any time, which instantly invalidates every stored copy anywhere.

One scope note: autopilot stores the Companies House code only, for dormant accounts only — micro-entity accounts need fresh figures each year, and your CT600 is always filed by you with your own HMRC login, which we never store.

Key points

  • The auth code is your company's online signature: company-level, filing-only — sensitive, but not bank-account sensitive, and misuse shows up on the public register.
  • Accountants, formation agents, and filing software hold client codes routinely; the real questions are storage, scope of use, and revocability.
  • DormantFile stores your code only with explicit opt-in to autopilot, encrypted with AES-256-GCM, used solely for filings you confirm with a click, and deleted immediately on opt-out.
  • Not comfortable? Don't opt in — manual filing with deadline reminders works exactly as before, and changing your code at Companies House revokes all stored copies.

Related articles

Ready to file your dormant or non-trading company returns?

Set up in minutes. File in under two. Done for the year.

Get started →
Official government APIs · HMRC login never stored