Security
Protect your Affilync account with two-factor authentication, secure API keys, and session controls.
Two-Factor Authentication (2FA)
2FA adds a second verification step when logging in.
Enable 2FA
- Go to Settings > Security > Two-Factor Authentication.
- Click Enable 2FA.
- Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.).
- Enter the 6-digit code to confirm.
- Save your recovery codes in a secure location. Each code can be used once if you lose access to your authenticator.
2FA for Your Team
Admins and Owners can require 2FA for all team members:
- Go to Settings > Security > Enforce 2FA.
- Toggle on. Team members without 2FA will be prompted to set it up on their next login.
API Keys
API keys allow programmatic access to the Affilync API. Only Owners and Admins can manage keys.
Create an API Key
- Go to Settings > Security > API Keys.
- Click Generate New Key.
- Enter a label (e.g., "Production Backend") and configure optional controls:
| Control | Purpose |
|---|---|
| IP allowlist | Restrict the key to specific IP addresses or CIDR ranges. Requests from any other IP are rejected. |
| Expiration | Set an optional expiry date after which the key stops working. Omit for a non-expiring key. |
| Rate limit | Maximum requests per hour for the key. |
- Click Create. The key is displayed once -- copy it immediately.
A personal API key inherits your account's access -- it can call the same endpoints your account is entitled to (subject to your subscription tier). API keys are validated on key status, expiry, and IP allowlist; Affilync does not apply separate per-resource permission scopes to personal API keys. To limit exposure, use the IP allowlist and rotate keys regularly.
Revoke a Key
- Go to Settings > Security > API Keys.
- Click Revoke next to the key.
- Confirm. The key stops working immediately.
Session Management
View and control active sessions under Settings > Security > Sessions:
| Column | Description |
|---|---|
| Device | Browser and OS (e.g., Chrome on macOS) |
| IP Address | Where the session originated |
| Location | City and country (approximate) |
| Last Active | When the session was last used |
| Status | Current or expired |
Click Revoke to end any session. Use Revoke All Others to sign out everywhere except your current session.
Password Policy
- Minimum 8 characters.
- Recommended to include uppercase, lowercase, number, and special character for stronger security.
- Passwords are checked against common password lists.
- Change your password at Settings > Security > Change Password.
Login Notifications
Receive an email alert when your account is accessed from a new device or location. Enabled by default -- manage under Settings > Notifications > Security Alerts.
Data Handling
- All data is encrypted in transit and at rest using industry-standard encryption.
- Passwords are securely hashed -- we never store your password in plain text.
- PII is stored in compliance with GDPR and CCPA.
- Request a data export or account deletion at Settings > Privacy.
Account Protection
- Short-lived sessions: Access tokens expire automatically and refresh securely in the background.
- Cross-site request protection: All sensitive actions are protected against cross-site request forgery.
- Session management: Each login creates a unique session you can review and revoke at any time under Settings > Security > Active Sessions.