Authentication
Sessions are stored in secure session cookies and refreshed automatically while you use the app — there’s nothing to manage for the web UI. For server-to-server access use a programmatic API token (see below).
Sign-up methods
- Email + password — a verification email is sent immediately. You can sign in once the email is verified.
Forgot your password
Use /forgot-password. We email you a magic recovery link valid for 1 hour. The link logs you in once and prompts you to set a new password.
Programmatic API tokens
For server-to-server access, generate a Bearer token under Settings → API. Tokens are scoped to your workspace, count against the same credit balance, and can be revoked at any time. Pass the token via the Authorization: Bearer … header.
Two-factor authentication
2FA via TOTP is on the roadmap. In the meantime, use a strong, unique password and rotate API tokens periodically.
Session length
Sessions are valid for 7 days, refreshed silently on activity. Inactive sessions expire 30 days after the last refresh. Sign out from the user menu at the top right or by visiting /auth/signout.