Skip to main content

Account security

Sessions

Logins create rotating refresh sessions. GET /v1/me/sessions lists them (device, IP, last use); DELETE /v1/me/sessions/{id} revokes one remotely — "log out that browser I left open".

Changing your password

POST /v1/me/change-password takes your current password (plus a TOTP code when 2FA is on), then revokes every refresh session and emails a security notice. Accounts that sign in only with SSO have no password to change and receive password_not_set.

Changing your email

Email changes are verified end-to-end: POST /v1/me/change-email sends a single-use confirmation link (1-hour TTL) to the new address and an alert to the current one. Nothing changes until POST /v1/auth/change-email/confirm runs — then the new address becomes your verified login identity and all sessions are revoked.

Two-factor authentication

TOTP-based 2FA with single-use backup codes. Once enabled, login requires the code, and sensitive operations (password/email changes) ask for a fresh TOTP too.