Account & security

Your account settings live under Settings, with a left-hand rail that links to each area:

  • Profile — your account details.
  • Security — two-factor authentication and backup codes.
  • Active sessions — every browser signed in to your account.
  • API keys — bearer tokens for the REST API.
  • Organisations — the orgs you belong to.

The Profile page (the default Settings page) shows your account basics:

  • Email
  • Name (shown as a dash if you didn’t set one)
  • Member since — the date you created the account

Aloft doesn’t yet have an in-app “change password” form for signed-in users. To set a new password, use the password-reset flow below — it works whether or not you’re currently signed in, and signs you in with the new password when you’re done.

  1. On the sign-in page, click Forgot password.
  2. Enter your email and submit.
  3. Aloft always shows the same “check your inbox” confirmation, whether or not the email matches an account — so nobody can use this page to discover which emails are registered. If you do have an account, a reset email is on its way.
  4. Open the email and click Choose a new password. The link is valid for 30 minutes.
  5. Enter a new password (at least 8 characters) and submit. You’re signed in automatically and taken to your dashboard.

Two-factor authentication adds a one-time code on top of your password, so your account stays safe even if your password leaks. Aloft uses TOTP — the standard supported by authenticator apps like Google Authenticator, 1Password, Bitwarden, and Authy.

  1. Go to Settings → Security.
  2. Click Enable two-factor authentication.
  3. Scan the displayed QR code with your authenticator app. If you can’t scan, copy the secret shown beneath the code and add it to your app manually.
  4. Enter the 6-digit code from your app and click Verify.
  5. On success, 2FA turns on and Aloft shows your backup codes — save them now (see below).

Once enabled, the Security page shows an On badge and the date 2FA became active.

When you enable 2FA, Aloft generates 10 backup codes. Use one in place of an authenticator code if you ever lose access to your app.

  • Each code is single-use — once you use it, it’s consumed.
  • They’re shown only once, right after you enable 2FA. Copy them and store them somewhere safe.
  • The Security page shows how many unused codes remain, and warns you when you’re down to 3 or fewer.

To get a fresh set, click Regenerate backup codes on the Security page. Regenerating invalidates the old set and issues 10 new codes.

To turn off 2FA, click Disable two-factor on the Security page. This also clears your backup codes. You can re-enable it any time (you’ll scan a new QR code and get new backup codes).
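How a server can check the 6-digit authenticator code and the backup codes described above, as an added example that is not Aloft's own code. The `SecondFactor` class, HMAC-SHA1 with a 30-second step, the one-step drift window, replay rejection and the backup-code format are assumptions; the 6-digit length, the set of 10 codes, single use and the 3-or-fewer warning come from the page.

```python
import base64, hashlib, hmac, secrets, struct

# 6 digits is from the page; the 30 s step and +/-1 step drift are assumptions.
STEP, DIGITS, DRIFT = 30, 6, 1

def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # apps often omit padding
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

class SecondFactor:
    """Hypothetical per-account 2FA state: TOTP secret plus hashed backup codes."""

    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.last_counter = -1  # highest time step already accepted
        self.backup_hashes = set()

    def regenerate_backup_codes(self, n=10):
        codes = [secrets.token_hex(8) for _ in range(n)]  # code format is an assumption
        self.backup_hashes = {_digest(c) for c in codes}  # old set stops working
        return codes  # plaintext leaves here once; only hashes are kept

    def low_on_backup_codes(self):
        return len(self.backup_hashes) <= 3  # the page's warning threshold

    def verify(self, code, at):
        """Return 'totp', 'backup', or None when the code is rejected."""
        code = code.strip()
        now = int(at) // STEP
        for counter in range(max(0, now - DRIFT), now + DRIFT + 1):
            expected = totp(self.secret, counter * STEP)
            fresh = counter > self.last_counter  # refuse replay of a used step
            if fresh and hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return "totp"
        hashed = _digest(code)
        if hashed in self.backup_hashes:
            self.backup_hashes.discard(hashed)  # single-use: consumed on success
            return "backup"
        return None
```

The Base32 secret is the value the QR code carries, so anyone who captures it during enrolment can generate valid codes; the backup codes are stored only as hashes so a database read does not reveal usable codes.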

Every browser that’s signed in to your account shows up under Settings → Active sessions. For each session you can see when it started and when it expires.

  • Your current browser is tagged This browser and can’t be revoked from the list — sign out normally to end it.
  • Click Revoke next to any other session to sign that browser out immediately.
  • If more than one session is active, use Sign out other sessions to revoke every session except the one you’re using right now — handy if you signed in on a shared or lost device.

If your Aloft deployment has them configured, you’ll see Sign in with Google and/or Sign in with GitHub buttons on the sign-in page, above the email-and-password form. These let you sign in with your existing Google or GitHub account instead of a password.

Setting                                      Location
Profile details                              Settings → Profile
Two-factor authentication & backup codes     Settings → Security
Active sessions                              Settings → Active sessions
API keys                                     Settings → API keys
Organisations                                Settings → Organisations

For getting set up from scratch, see Getting started. To collaborate with others, see Teams & roles.