CanalAPI
User GuideDeveloper GuideExamples

Security

Enable two-factor authentication, manage active sessions and trusted devices.

The CanalAPI console layers multiple account-security controls on top of basic credentials:

  • Login password + email verification (required at registration)
  • Two-factor authentication / 2FA (optional, strongly recommended)
  • Active session management
  • Trusted devices and new-device login alerts

Two-factor authentication (2FA / TOTP)

2FA requires a one-time code in addition to your password, dramatically reducing the impact of credential theft.

Enable

  1. Open Console → Settings → Security.
  2. Click Enable two-factor authentication.
  3. Scan the QR code with any TOTP app:
    • Recommended: 1Password, Bitwarden, Authy, Google Authenticator, Microsoft Authenticator.
  4. Enter the 6-digit one-time code on the confirmation screen to activate.
  5. Download and securely store the backup codes immediately. Each backup code allows a one-time login if you lose the authenticator, and is invalidated once used.

Sign in

After 2FA is enabled, the regular email-password login is followed by a second step:

  • Enter the 6-digit code from your TOTP app.
  • If you no longer have the TOTP app, click Use backup code and enter one of your backup codes.

Disable or reset

  • Disabling 2FA requires another valid TOTP code or backup code.
  • If your backup codes are used up or lost, regenerate them under Settings → Security; the previous batch becomes invalid immediately.

If you lose both the authenticator and every backup code, contact support via the console for a manual identity check. The process can take several business days.

Active sessions

Console → Security → Active sessions lists every valid sign-in for your account:

  • Device / browser info
  • IP address and approximate location
  • Sign-in time and last activity
  • Expiry

You can revoke any session (Sign out) — the session is invalidated immediately and the user has to sign in again.

The session you are currently using is marked with a Current session badge and cannot be revoked from this page to prevent locking yourself out.

Trusted devices and login alerts

Settings → Security also lets you:

  • Review recently identified devices
  • Remove devices that you no longer use
  • Enable new-device login alerts: get an email whenever a new device signs in

Device fingerprinting uses the browser User-Agent plus a few benign signals; clearing browser data resets the device.

Change password

Settings → Security → Change password:

  1. Enter your current password.
  2. Set a new password (minimum 8 characters; 12+ with mixed character classes recommended).
  3. Confirm.

Changing the password does not automatically sign out other sessions; if you suspect a breach, also revoke other sessions under Active sessions.

Forgot password

If you cannot sign in:

  1. Click Forgot password on the sign-in page.
  2. Enter the email used at registration.
  3. Open the reset link sent to that email (valid for 5 – 10 minutes).
  4. Set a new password on the linked page.

A password reset preserves 2FA; if you lost the authenticator too, follow the Disable or reset flow above.

Relationship to API keys

Account security protects the console / billing / configuration; API keys are independent programmatic credentials. A leaked key cannot expose your password, but it can be used to spend funds. Recommendations:

  • Use separate keys per environment so revocation is surgical.
  • Use keys server-side only — never embed in browser bundles or mobile apps.
  • Revoke and rotate immediately when a leak is suspected — see API Keys.

On this page