Security
Protect your Affilync account with two-factor authentication, secure API keys, and session controls.
Two-Factor Authentication (2FA)
2FA adds a second verification step when logging in.
Enable 2FA
- Go to Settings > Security > Two-Factor Authentication.
- Click Enable 2FA.
- Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, etc.).
- Enter the 6-digit code to confirm.
- Save your recovery codes in a secure location. Each code can be used once if you lose access to your authenticator.
2FA for Your Team
Admins and Owners can require 2FA for all team members:
- Go to Settings > Security > Enforce 2FA.
- Toggle on. Team members without 2FA will be prompted to set it up on their next login.
API Keys
API keys allow programmatic access to the Affilync API. Only Owners and Admins can manage keys.
Create an API Key
- Go to Settings > Security > API Keys.
- Click Generate New Key.
- Enter a label (e.g., "Production Backend") and select scopes:
| Scope | Access |
|---|---|
| campaigns:read | List and view campaigns |
| campaigns:write | Create and modify campaigns |
| links:read | List and view tracking links |
| links:write | Create and manage links |
| analytics:read | Query analytics data |
| calls:read | Access call logs and recordings |
| calls:write | Manage call flows and numbers |
| affiliates:read | View affiliate data |
| affiliates:write | Manage affiliates |
| webhooks:manage | Create and manage webhooks |
- Click Create. The key is displayed once -- copy it immediately.
Revoke a Key
- Go to Settings > Security > API Keys.
- Click Revoke next to the key.
- Confirm. The key stops working immediately.
Session Management
View and control active sessions under Settings > Security > Sessions:
| Column | Description |
|---|---|
| Device | Browser and OS (e.g., Chrome on macOS) |
| IP Address | Where the session originated |
| Location | City and country (approximate) |
| Last Active | When the session was last used |
| Status | Current or expired |
Click Revoke to end any session. Use Revoke All Others to sign out everywhere except your current session.
Password Policy
- Minimum 12 characters.
- Must include uppercase, lowercase, number, and special character.
- Passwords are checked against known breach databases.
- Change your password at Settings > Security > Change Password.
Login Notifications
Receive an email alert when your account is accessed from a new device or location. Enabled by default -- manage under Settings > Notifications > Security Alerts.
Data Handling
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Passwords are hashed with bcrypt (work factor 12).
- PII is stored in compliance with GDPR and CCPA.
- Request a data export or account deletion at Settings > Privacy.