Account Security
StatusRadar protects your account and your API access with layered controls: strong password hashing, optional two-factor authentication, API tokens you can rotate at will, and full visibility into your active sessions. This page is the starting point — each control has its own detailed guide below.
All account security settings live in the dashboard under Settings → Security (/dashboard/settings?tab=security), with API tokens under Settings → API (/dashboard/settings?tab=api).
What Protects Your Account
| Control | What it does | Where to manage it |
|---|---|---|
| Password | Argon2id-hashed login credential | Settings → Security |
| Two-factor authentication (2FA) | TOTP code required at login, on top of your password | Settings → Security |
| Recovery codes | One-time backup codes if you lose your authenticator | Settings → Security |
| API tokens | Bearer token for programmatic access to the User API | Settings → API |
| Active sessions | View and revoke logged-in browser/device sessions | Settings → Security |
Passwords
Passwords are hashed with Argon2id (memory-hard, 64 MB, 4 iterations, 3 threads) and are never stored or logged in plain text. To change your password, go to Settings → Security, enter your current password, and choose a new one (minimum 8 characters). Changing your password does not log out your other sessions automatically — revoke them explicitly if needed (see Sessions).
Two-Factor Authentication
2FA adds a time-based one-time code (TOTP) on top of your password. After you enter your password at login, you are prompted for the current 6-digit code from your authenticator app. Enabling 2FA also issues a set of single-use recovery codes so you can still get in if you lose your phone.
See Two-Factor Authentication for setup, recovery codes, and disabling.
API Tokens
Programmatic access to the User API uses a personal API token, sent as Authorization: Bearer <token>. You generate it in Settings → API; the token is shown only once. You can revoke it at any time, which immediately stops all access using that token.
See API Tokens for generating, using, and revoking tokens.
API tokens are only one of several credential types on the platform. Probe, OTLP, and RUM ingestion use different schemes. See API Authentication for the full picture.
Active Sessions
Every browser or device you log in from creates a server-side session (Redis-backed, STATUSRADAR_SESSION cookie, HttpOnly + Secure). You can review all active sessions and revoke any of them — individually or all at once except the one you are using right now.
See Session Management for details.
Security Best Practices
- Enable 2FA and store your recovery codes somewhere safe and offline (a password manager works well).
- Treat your API token as a secret — load it from an environment variable or secrets manager, never commit it to version control.
- Rotate tokens periodically and revoke any token that may have leaked.
- Review active sessions after using a shared or public computer, and revoke anything you do not recognize.
- Use a unique, strong password for your StatusRadar account.
Next Steps
- Two-Factor Authentication - Enable TOTP and manage recovery codes
- API Tokens - Generate, use, and revoke your API token
- Session Management - Review and revoke active sessions
- API Authentication - All credential schemes across the platform