User Settings
Profile, sessions, password, MFA, account recovery, API tokens.
Tabs
- Profile — display name, timezone, phone (for SMS), SMS carrier gateway, idle-timeout override.
- Sessions — every device currently logged in as you; revoke individually or "revoke all others".
- Password — self-service password change. Requires your current password; the new password must be at least 12 characters.
- Two-factor auth — TOTP enrollment (Google/Microsoft/Authy/Symantec VIP/etc.). The QR code, secret and backup codes are shown once.
- Account recovery — set 5 security questions; the forgot-password flow prompts for 3 of the 5, chosen at random.
- API tokens — issue bearer tokens for scripts/CI with scoped permissions and rate limits.
Deep-linking
Each tab has a stable hash URL that you can share with a teammate or bookmark: /ui/settings#profile, /ui/settings#mfa, /ui/settings#recovery, etc.
Gotchas
- Backup codes are shown once. Save them immediately when you enroll MFA; they are not persisted in a recoverable form.
- API tokens bypass MFA + idle timeout by design — that's what lets them work from unattended scripts. Scope them tightly.
- Changing your password revokes all other active sessions as a security precaution.