Account security
Suward holds the lock at the door. Protect access with two-factor authentication, split work into organizations and projects, and use roles to control who can do what.
Two-factor authentication
TOTP from your authenticator
Turn it on with SetupTwoFactor, scan the QR into your authenticator app, then confirm with Activate. Activate is what locks it in; 2FA isn't enforced until that step succeeds, so a half-finished setup can't lock you out. From then on, every sign-in through SignInEmailPassword asks for the rolling six-digit code alongside your password, so a stolen password alone gets nobody in. Disable turns it off again if you ever need to.
Backup codes
Lose the phone and you're not locked out. A set of one-time backup codes lets you sign in by passing backup_code instead of the TOTP code; each code works exactly once. When you've used some up, or just want a clean set, RegenerateBackupCodes issues fresh ones and retires the old set in the same step.
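The enrollment and sign-in model described in the two sections above (a secret issued at setup, confirmed before it is enforced, then a TOTP code or a single-use backup code required alongside the password, with regeneration retiring the old set), written out as an added example in Python. This is not Suward's code or API: the method names only mirror the operations named on this page; the storage layout, the 30-second step, the one-step drift window, the eight-code backup set and the `totp_code` helper are all this example's assumptions. The TOTP arithmetic is RFC 6238 over HMAC-SHA1, which is what standard authenticator apps compute.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

TOTP_STEP = 30      # seconds per code, the RFC 6238 default
TOTP_DIGITS = 6


def totp_code(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step that contains `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // TOTP_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class Account:
    """Illustrative account record (assumed layout): password hash, pending/active TOTP secret,
    hashes of unused backup codes, and the last TOTP step already consumed."""

    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = self._pw_hash(password)
        self.pending_secret: Optional[str] = None   # issued by setup, promoted by activate
        self.totp_secret: Optional[str] = None      # set means 2FA is enforced at sign-in
        self.backup_hashes = set()                  # sha256 of each unused backup code
        self.last_used_step = -1                    # highest TOTP step accepted so far

    def _pw_hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    # enrollment
    def setup_two_factor(self) -> str:
        """Issue the secret the QR code carries. Nothing is enforced until activate succeeds."""
        self.pending_secret = base64.b32encode(secrets.token_bytes(20)).decode()
        return self.pending_secret

    def activate(self, code: str, now: int) -> List[str]:
        """Enforce 2FA only after the app proves it holds the secret; returns the first backup set."""
        if self.pending_secret is None or not self._totp_ok(self.pending_secret, code, now):
            raise PermissionError("activation code did not verify; 2FA stays off")
        self.totp_secret, self.pending_secret = self.pending_secret, None
        return self.regenerate_backup_codes()

    def disable(self) -> None:
        self.totp_secret = None
        self.backup_hashes.clear()

    def regenerate_backup_codes(self, count: int = 8) -> List[str]:
        """The new set replaces the old one; only hashes are kept server-side."""
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.backup_hashes = {_hash(c) for c in codes}
        return codes

    # sign-in
    def _totp_ok(self, secret: str, code: str, now: int) -> bool:
        step = now // TOTP_STEP
        for delta in (0, -1, 1):        # current step first, then one step of drift either way
            if hmac.compare_digest(totp_code(secret, (step + delta) * TOTP_STEP), code):
                if step + delta <= self.last_used_step:
                    return False        # step already used: a captured code cannot be replayed
                self.last_used_step = step + delta
                return True
        return False

    def sign_in(self, password: str, totp: Optional[str] = None,
                backup_code: Optional[str] = None, now: Optional[int] = None) -> bool:
        """Password first; once 2FA is active, a TOTP code or an unused backup code must follow."""
        now = int(time.time()) if now is None else now
        if not hmac.compare_digest(self._pw_hash(password), self.password_hash):
            return False
        if self.totp_secret is None:
            return True
        if totp is not None:
            return self._totp_ok(self.totp_secret, totp, now)
        if backup_code is not None:
            h = _hash(backup_code)
            if h in self.backup_hashes:
                self.backup_hashes.discard(h)   # each backup code works exactly once
                return True
        return False


if __name__ == "__main__":
    T = 1_700_000_000                            # fixed clock so the demo is reproducible
    acct = Account("correct horse battery")
    secret = acct.setup_two_factor()             # the user scans this as a QR
    codes = acct.activate(totp_code(secret, T), T)
    print(acct.sign_in("correct horse battery", now=T + 60))                                   # False
    print(acct.sign_in("correct horse battery", totp=totp_code(secret, T + 60), now=T + 60))   # True
    print(acct.sign_in("correct horse battery", backup_code=codes[0], now=T + 90))             # True
```

Two checks a reviewer would look for are in there: the secret is only enforced after Activate proves the app has it, and a TOTP step is never accepted twice, so a code captured in transit is dead once the legitimate sign-in lands. Backup codes are stored as hashes, so a database leak does not hand out working second factors.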
Organizations, projects, roles
Your account is an organization. Inside it sit projects, one per app, environment, or client. API keys and payments are scoped to a project, so access lines up with the work. Roles such as ROLE_OWNER decide who can do what, and you invite people with InviteOrganizationMember or InviteProjectMember.
One caveat, stated plainly: invitations send today, but accepting one and managing project members don't get their full dashboard screens until v2. The model is real and the API is there; the polished UI is on its way.
Password reset
Forgot it? InitPasswordReset emails a confirmation link, and CompletePasswordReset sets the new password only once you've followed that link from your own inbox, so nobody can reset your password without access to your email. Already signed in and just want a change? ChangePassword handles that directly. The reset flow never trusts a request that hasn't passed the email step.
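The reset flow above, as an added example in Python (not Suward's code): the token mailed to the user is the only thing that unlocks the completion step, it is stored hashed, it expires, and it is consumed on first presentation whether or not the attempt succeeds. The names, the 15-minute lifetime, the link format, the `send_mail` callback, the identical reply for unknown addresses and the choice to have `change_password` re-check the current password are all this example's assumptions, not details the page states.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

RESET_TTL = 15 * 60   # link lifetime in seconds; an assumption, the page quotes no figure


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class User:
    def __init__(self, email: str, password: str) -> None:
        self.email = email
        self.set_password(password)

    def _pw_hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)      # fresh salt on every change
        self.password_hash = self._pw_hash(password)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._pw_hash(password), self.password_hash)


class ResetService:
    """Illustrative reset service. `send_mail(to, link)` stands in for the mailer."""

    def __init__(self, users: List[User], send_mail: Callable[[str, str], None]) -> None:
        self.users = {u.email: u for u in users}
        self.send_mail = send_mail
        self.pending: Dict[str, Tuple[str, float]] = {}   # token hash -> (email, expires_at)

    def init_password_reset(self, email: str, now: Optional[float] = None) -> str:
        """Mail a one-time link. The reply is the same whether or not the address exists,
        so the endpoint cannot be used to enumerate accounts."""
        now = time.time() if now is None else now
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.pending[_hash(token)] = (email, now + RESET_TTL)   # store the hash, never the token
            self.send_mail(email, "https://dashboard.example.invalid/reset?token=" + token)
        return "If that address has an account, a reset link is on its way."

    def complete_password_reset(self, token: str, new_password: str,
                                now: Optional[float] = None) -> bool:
        """Only a token that came out of the inbox, unexpired and unused, changes the password."""
        now = time.time() if now is None else now
        entry = self.pending.pop(_hash(token), None)     # consumed on first presentation, valid or not
        if entry is None:
            return False
        email, expires_at = entry
        if now > expires_at:
            return False
        self.users[email].set_password(new_password)
        # any other links still outstanding for this account die with the change
        self.pending = {h: v for h, v in self.pending.items() if v[0] != email}
        return True

    def change_password(self, email: str, current: str, new: str) -> bool:
        """Signed-in path: no email step, but the current password is re-checked so a
        borrowed session alone cannot take over the account."""
        user = self.users[email]
        if not user.check_password(current):
            return False
        user.set_password(new)
        return True


if __name__ == "__main__":
    outbox = []                                      # constructed stand-in for the mailer
    svc = ResetService([User("ana@example.com", "old-pass")],
                       lambda to, link: outbox.append((to, link)))
    print(svc.init_password_reset("ana@example.com"))
    token = outbox[0][1].split("token=")[1]
    print(svc.complete_password_reset(token, "new-pass"))   # True the first time
    print(svc.complete_password_reset(token, "again"))      # False: the link is spent
```

Popping the entry before checking expiry is deliberate: an expired or wrong token is discarded on the spot, so a guesser never gets a second look at the same hash, and a successful reset also clears every other link still outstanding for that account.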
Sign-in methods
Email and password
Live and working, with 2FA layered on top through SignInEmailPassword.
Telegram
The backend is built, but there's no button in the UI yet, so v1 doesn't list Telegram as an available method: a control that does nothing helps no one. It switches on with the dashboard.
A few things aren't shipped, and we'd rather say so. Telegram sign-in has no UI on v1. Accepting an invite has no screen yet, though the API exists. A full audit log and role management inside the dashboard are on the roadmap, landing with v2. None of these are presented here as done.
Account security FAQ
What kind of two-factor authentication is supported?
TOTP from any standard authenticator app, set up with SetupTwoFactor and confirmed with Activate. Backup codes come with it for the day you don't have the phone.
What if I lose my phone?
Sign in with a backup code instead of the TOTP code, then generate a fresh set with RegenerateBackupCodes. Keep that set somewhere your phone isn't.
How do I give teammates access?
Organize work into projects and invite people with InviteOrganizationMember or InviteProjectMember, then set what they can do with roles. Heads up: invitations send now, but accepting one is part of the v2 dashboard.