Account security
Sessions
Logins create rotating refresh sessions. GET /v1/me/sessions
lists them (device, IP, last use); DELETE /v1/me/sessions/{id}
revokes one remotely — "log out that browser I left open".
Changing your password
POST /v1/me/change-password takes your current
password (plus a TOTP code when 2FA is on), then revokes every refresh session and
emails a security notice. Accounts that sign in only with SSO have no password to change
and receive password_not_set.
Changing your email
Email changes are verified end-to-end: POST /v1/me/change-email
sends a single-use confirmation link (1-hour TTL) to the new address and an alert to
the current one. Nothing changes until
POST /v1/auth/change-email/confirm runs — then
the new address becomes your verified login identity and all sessions are revoked.
Two-factor authentication
TOTP-based 2FA with single-use backup codes. Once enabled, login requires the code, and sensitive operations (password/email changes) ask for a fresh TOTP too.