Security
Enable two-factor authentication, manage active sessions and trusted devices.
The CanalAPI console layers multiple account-security controls on top of basic credentials:
- Login password + email verification (required at registration)
- Two-factor authentication / 2FA (optional, strongly recommended)
- Active session management
- Trusted devices and new-device login alerts
Two-factor authentication (2FA / TOTP)
2FA requires a one-time code in addition to your password, dramatically reducing the impact of credential theft.
Enable
- Open Console → Settings → Security.
- Click Enable two-factor authentication.
- Scan the QR code with any TOTP app:
- Recommended: 1Password, Bitwarden, Authy, Google Authenticator, Microsoft Authenticator.
- Enter the 6-digit one-time code on the confirmation screen to activate.
- Download and securely store the backup codes immediately. Each backup code allows a one-time login if you lose the authenticator, and is invalidated once used.
Sign in
After 2FA is enabled, the regular email-password login is followed by a second step:
- Enter the 6-digit code from your TOTP app.
- If you no longer have the TOTP app, click Use backup code and enter one of your backup codes.
Disable or reset
- Disabling 2FA requires another valid TOTP code or backup code.
- If your backup codes are used up or lost, regenerate them under Settings → Security; the previous batch becomes invalid immediately.
If you lose both the authenticator and every backup code, contact support via the console for a manual identity check. The process can take several business days.
Active sessions
Console → Security → Active sessions lists every valid sign-in for your account:
- Device / browser info
- IP address and approximate location
- Sign-in time and last activity
- Expiry
You can revoke any session (Sign out) — the session is invalidated immediately and the user has to sign in again.
The session you are currently using is marked with a Current session badge and cannot be revoked from this page to prevent locking yourself out.
Trusted devices and login alerts
Settings → Security also lets you:
- Review recently identified devices
- Remove devices that you no longer use
- Enable new-device login alerts: get an email whenever a new device signs in
Device fingerprinting uses the browser User-Agent plus a few benign signals; clearing browser data resets the device.
Change password
Settings → Security → Change password:
- Enter your current password.
- Set a new password (minimum 8 characters; 12+ with mixed character classes recommended).
- Confirm.
Changing the password does not automatically sign out other sessions; if you suspect a breach, also revoke other sessions under Active sessions.
Forgot password
If you cannot sign in:
- Click Forgot password on the sign-in page.
- Enter the email used at registration.
- Open the reset link sent to that email (valid for 5 – 10 minutes).
- Set a new password on the linked page.
A password reset preserves 2FA; if you lost the authenticator too, follow the Disable or reset flow above.
Relationship to API keys
Account security protects the console / billing / configuration; API keys are independent programmatic credentials. A leaked key cannot expose your password, but it can be used to spend funds. Recommendations:
- Use separate keys per environment so revocation is surgical.
- Use keys server-side only — never embed in browser bundles or mobile apps.
- Revoke and rotate immediately when a leak is suspected — see API Keys.