Skip to main content

Security

Protect your Affilync account with two-factor authentication, secure API keys, and session controls.

Two-Factor Authentication (2FA)

2FA adds a second verification step when logging in.

Enable 2FA

  1. Go to Settings > Security > Two-Factor Authentication.
  2. Click Enable 2FA.
  3. Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.).
  4. Enter the 6-digit code to confirm.
  5. Save your recovery codes in a secure location. Each code can be used once if you lose access to your authenticator.

2FA for Your Team

Admins and Owners can require 2FA for all team members:

  1. Go to Settings > Security > Enforce 2FA.
  2. Toggle on. Team members without 2FA will be prompted to set it up on their next login.

API Keys

API keys allow programmatic access to the Affilync API. Only Owners and Admins can manage keys.

Create an API Key

  1. Go to Settings > Security > API Keys.
  2. Click Generate New Key.
  3. Enter a label (e.g., "Production Backend") and configure optional controls:
ControlPurpose
IP allowlistRestrict the key to specific IP addresses or CIDR ranges. Requests from any other IP are rejected.
ExpirationSet an optional expiry date after which the key stops working. Omit for a non-expiring key.
Rate limitMaximum requests per hour for the key.
  1. Click Create. The key is displayed once -- copy it immediately.
Access model

A personal API key inherits your account's access -- it can call the same endpoints your account is entitled to (subject to your subscription tier). API keys are validated on key status, expiry, and IP allowlist; Affilync does not apply separate per-resource permission scopes to personal API keys. To limit exposure, use the IP allowlist and rotate keys regularly.

Revoke a Key

  1. Go to Settings > Security > API Keys.
  2. Click Revoke next to the key.
  3. Confirm. The key stops working immediately.

Session Management

View and control active sessions under Settings > Security > Sessions:

ColumnDescription
DeviceBrowser and OS (e.g., Chrome on macOS)
IP AddressWhere the session originated
LocationCity and country (approximate)
Last ActiveWhen the session was last used
StatusCurrent or expired

Click Revoke to end any session. Use Revoke All Others to sign out everywhere except your current session.

Password Policy

  • Minimum 8 characters.
  • Recommended to include uppercase, lowercase, number, and special character for stronger security.
  • Passwords are checked against common password lists.
  • Change your password at Settings > Security > Change Password.

Login Notifications

Receive an email alert when your account is accessed from a new device or location. Enabled by default -- manage under Settings > Notifications > Security Alerts.

Data Handling

  • All data is encrypted in transit and at rest using industry-standard encryption.
  • Passwords are securely hashed -- we never store your password in plain text.
  • PII is stored in compliance with GDPR and CCPA.
  • Request a data export or account deletion at Settings > Privacy.

Account Protection

  • Short-lived sessions: Access tokens expire automatically and refresh securely in the background.
  • Cross-site request protection: All sensitive actions are protected against cross-site request forgery.
  • Session management: Each login creates a unique session you can review and revoke at any time under Settings > Security > Active Sessions.

Next Steps