Account Security
This section covers how to secure your Linkzly account: setting up two-factor authentication, managing your password and active sessions, reviewing account activity, and understanding the security policies that protect your data.
Account security features are spread across three pages in the left sidebar, all grouped under the System section.
Navigation
| Sidebar label | Page title | URL | What it covers |
|---|---|---|---|
| 2FA Setup | Two-Factor Authentication | /dashboard/2fa | Enable, configure, and disable two-factor authentication |
| Settings | Account Settings | /dashboard/settings | Password, email, sessions, preferences, and account deletion |
| Activity Logs | Activity Logs | /dashboard/activity-logs | Audit trail of all significant actions in your organization |
Two-Factor Authentication
Two-factor authentication (2FA) adds a second layer of protection to your account. Even if someone learns your password, they cannot log in without the second factor from your device.
To manage 2FA, click 2FA Setup in the left sidebar under System.
Setting up 2FA
- On the Two-Factor Authentication page, click Set Up 2FA.
- A QR code (200 x 200 px) appears.
- Open your authenticator app and scan the QR code.
- If your app does not support QR scanning, click the manual entry option to reveal your secret key as text.
- Your app will display a 6-digit code that refreshes every 30 seconds.
- Enter the current 6-digit code in the verification field.
- Click Verify.
After verification succeeds, your backup codes are displayed immediately.
Supported authenticator apps
Any app that supports TOTP (time-based one-time passwords) will work. Common choices include:
- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
- Any other TOTP-compatible app
Backup codes
After enabling 2FA, Linkzly generates 10 backup codes.
- Each code is 8 characters (alphanumeric, uppercase).
- Each code is single-use: once you use a backup code to log in, it is consumed and cannot be used again.
- The page shows a counter of how many codes you have remaining: "X codes remaining".
- Backup codes can be downloaded with the Download Codes button, or copied all at once with the Copy All button.
- Store your backup codes somewhere safe: a password manager, a printed sheet in a secure location, or an encrypted file.
To regenerate backup codes: Click Regenerate Codes on the 2FA page. A confirmation dialog will appear. After confirming, a new set of 10 codes is issued immediately and all previous codes are invalidated.
2FA status when enabled
Once 2FA is active, the page shows three status cards:
| Card | What it shows |
|---|---|
| Authenticator App | Enabled: your TOTP app is configured |
| Email OTP | A fallback code sent to your email if you cannot reach your authenticator app |
| Trusted Devices | Devices you have previously trusted, which skip the 2FA prompt for 30 days |
Recovery options
If you cannot access your authenticator app, use one of these methods to log in:
| Method | How it works |
|---|---|
| Backup codes | Enter one of the 10 backup codes generated at setup. Each code works once. |
| Email OTP | Request a 6-digit code sent to your registered email address. The code is valid for 5 minutes. |
| Trusted device | If you previously marked this device as trusted, it will skip the 2FA prompt for 30 days from when it was marked. |
Disabling 2FA
Disabling 2FA makes your account significantly less secure. Verification is required to prevent unauthorized changes.
- On the Two-Factor Authentication page, click Disable 2FA.
- The Disable Two-Factor Authentication dialog opens.
- Enter your current password.
- Enter a valid 6-digit code from your authenticator app, or enter a backup code.
- Click Disable 2FA.
2FA is turned off immediately. The page returns to the disabled state.
Password Management
Password settings are in the Change Password card on the Account Settings page. To access it, click Settings in the left sidebar under System.
Password requirements
When setting a new password, it must meet all of the following:
- Minimum 8 characters
- At least one uppercase letter (A–Z)
- At least one lowercase letter (a–z)
- At least one number (0–9)
- At least one special character (!@#$%^&*(),.?":{}|<>)
The form shows an inline requirements checklist that updates in real time as you type.
Changing your password
- Go to Settings in the sidebar and find the Change Password card.
- Enter your Current Password.
- Enter your New Password. The requirements checklist will confirm each rule as you meet it.
- Enter your new password again in Confirm New Password.
- Click Update Password.
After a successful password change, all of your other sessions are automatically revoked for security. You will need to log back in on those devices with your new password.
Changing your email address
Email changes are handled in the Email Management card on the Account Settings page.
- Enter your new email address in the Email Management card.
- Enter your current password to authorize the change.
- Click Update Email.
- Linkzly sends a verification email to your new address. The link in that email is valid for 24 hours.
- Click the link in the email to confirm the change.
Until you verify the new address, your current email remains active.
Forgotten password / password reset
If you cannot log in because you have forgotten your password:
- On the login page, click Forgot Password.
- Enter your registered email address and submit the form.
- Check your email for a reset link. The link is valid for 1 hour.
- Click the link, enter a new password that meets the requirements, and save.
The password reset link is single-use. If you need another one, repeat the process from the login page.
Session Management
Active session management is in the Active Sessions card on the Account Settings page. To access it, click Settings in the left sidebar under System, then scroll to the Active Sessions section.
What is shown for each session
| Column | Description |
|---|---|
| Device | The device type and browser detected for that session |
| Location | The estimated city and country based on the session's IP address |
| Last Active | The date and time of the most recent activity for that session |
| Actions | A Revoke button, or a Current badge if it is the session you are using right now |
Revoking a single session
- Find the session you want to end in the Active Sessions card.
- Click Revoke next to it.
The device is logged out immediately. Your current session is not affected.
Revoking all other sessions
If you believe your account may have been accessed without your permission, or if you want to force all other devices to log in again after a password change:
- Click Revoke All Other Sessions at the top of the Active Sessions card.
- Confirm when prompted.
All sessions other than your current one are ended immediately. You remain logged in on the device you are using.
Account Lockout Policy
To protect against brute-force attacks, Linkzly temporarily locks your account after repeated failed login attempts.
| Setting | Value |
|---|---|
| Failed attempts before lockout | 5 |
| Lockout duration | 30 minutes |
| Release | Automatic after 30 minutes; no manual intervention needed |
During a lockout, login attempts from any device will fail, regardless of whether the correct password is entered. Your existing active sessions continue to work normally.
After 30 minutes, the lockout is released automatically and you can attempt to log in again. The lockout event is recorded in the Activity Logs.
API Key Security
API keys allow you to authenticate programmatically with the Linkzly API. Each key uses the format:
lzly_[live|test]_[32-character identifier]
Keys are stored as SHA-256 hashes; Linkzly never stores your raw key after it is generated. When viewing your keys, only the last 4 characters are shown as a hint for identification.
For full details on creating, rotating, revoking, and setting permissions for API keys, see 15 - API Keys.
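The hash-only storage scheme described above, sketched as an added example that is not Linkzly's code. The function names are hypothetical, and the alphanumeric alphabet for the 32-character identifier is an assumption, since the page does not specify it.

```python
import hashlib
import hmac
import re
import secrets
import string

# Assumption: the 32-character identifier is alphanumeric.
KEY_RE = re.compile(r"lzly_(live|test)_([A-Za-z0-9]{32})")
ALPHABET = string.ascii_letters + string.digits

def make_record(raw):
    """What the server keeps: a SHA-256 digest and the last-4 hint, never the key."""
    return {"sha256": hashlib.sha256(raw.encode()).hexdigest(), "hint": raw[-4:]}

def issue_key(env="test"):
    """Return (raw_key, record). The raw key is shown to the user once."""
    if env not in ("live", "test"):
        raise ValueError("env must be 'live' or 'test'")
    ident = "".join(secrets.choice(ALPHABET) for _ in range(32))
    raw = f"lzly_{env}_{ident}"
    return raw, make_record(raw)

def authenticate(presented, records):
    """Return the matching record or None; malformed keys are rejected unhashed."""
    if not KEY_RE.fullmatch(presented):
        return None
    digest = hashlib.sha256(presented.encode()).hexdigest()
    match = None
    for rec in records:
        if hmac.compare_digest(rec["sha256"], digest):   # constant-time compare
            match = rec
    return match

def redact(text):
    """Mask keys found in log lines, keeping only the environment and last-4 hint."""
    return KEY_RE.sub(
        lambda m: f"lzly_{m.group(1)}_{'*' * 28}{m.group(2)[-4:]}", text)
```

A plain, unsalted SHA-256 is adequate here only because the key is long and randomly generated; the same scheme would be unsuitable for user-chosen passwords.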
Activity Logs
The Activity Logs page is an audit trail of every significant action taken in your organization. It records who did what, when, and from where. To access it, click Activity Logs in the left sidebar under System.
Log table columns
| Column | Description |
|---|---|
| Date and time | When the action occurred |
| Action | A plain-language description of what happened (e.g., "Short link created", "Member removed") |
| Category | The product area the action belongs to (see categories below) |
| Severity | How significant the event is (see severity levels below) |
| Entity type | The type of resource that was affected (e.g., Link, Domain, API Key) |
| Affected resource | The name or ID of the specific resource |
| User | The team member who performed the action |
| IP address | The IP address the action was taken from |
| Location | The estimated city and country for that IP address |
| Device info | The browser and device used |
Categories
| Category | What it tracks |
|---|---|
| Auth | Logins, logouts, password changes, 2FA changes, account lockouts |
| Links | Creating, editing, deleting, and archiving short links |
| QR Codes | Creating, editing, and deleting QR codes |
| Domains | Adding, verifying, and removing custom domains |
| API Keys | Creating, revoking, and deleting API keys |
| Analytics | Exporting analytics data |
| Integrations | Connecting and disconnecting third-party integrations |
| Settings | Changes to organization and account settings |
| Team | Inviting, removing, and changing roles of team members |
| Billing | Subscription changes and payment events |
| App Distribution | Uploading builds and managing install links |
| Webhooks | Creating, editing, and deleting webhooks |
Severity levels
| Severity | Color | What it means |
|---|---|---|
| Info | Blue | A routine action with no risk (e.g., viewing analytics, creating a link) |
| Warning | Amber | An action worth reviewing (e.g., bulk delete, role change) |
| High | Red | A significant security or administrative action (e.g., 2FA disabled, API key revoked, member removed) |
Filtering the activity log
Use the filter controls above the table to narrow results:
- Severity: Show only Info, Warning, or High severity events
- Date range: Set a start and end date
- User: Filter to actions taken by a specific team member
- Action type: Filter by the type of action
Exporting the activity log
Click Export to download the currently filtered view in either:
- CSV: A spreadsheet-compatible format for further analysis
- JSON: A structured format for importing into other tools
The export includes all rows matching the current filters. Auth events are stored for 30 days in production.
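One way to triage a JSON export offline, as an added example that is not part of Linkzly's tooling: it flags High-severity events performed from an IP address the user only started using recently. The JSON key names are assumptions (the page lists the table columns, not the export schema), and the events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample export; key names are assumed, IPs are documentation ranges.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-05-01T09:00:00+00:00", "user": "alice", "category": "Auth",
     "action": "Login", "severity": "Info", "ip_address": "192.0.2.10"},
    {"timestamp": "2024-05-02T08:30:00+00:00", "user": "bob", "category": "Auth",
     "action": "Login", "severity": "Info", "ip_address": "198.51.100.7"},
    {"timestamp": "2024-05-03T02:10:00+00:00", "user": "alice", "category": "Auth",
     "action": "Login", "severity": "Info", "ip_address": "203.0.113.50"},
    {"timestamp": "2024-05-03T02:14:00+00:00", "user": "alice", "category": "Auth",
     "action": "2FA disabled", "severity": "High", "ip_address": "203.0.113.50"},
    {"timestamp": "2024-05-03T10:00:00+00:00", "user": "bob", "category": "API Keys",
     "action": "API key revoked", "severity": "High", "ip_address": "198.51.100.7"},
])

def high_from_new_ip(export_json, window=timedelta(hours=24)):
    """Return High-severity events from an IP the user first used within `window`."""
    events = json.loads(export_json)
    events.sort(key=lambda e: datetime.fromisoformat(e["timestamp"]))
    first_seen, baseline_ip, findings = {}, {}, []
    for e in events:
        ts = datetime.fromisoformat(e["timestamp"])
        user, ip = e["user"], e["ip_address"]
        first_seen.setdefault((user, ip), ts)
        baseline_ip.setdefault(user, ip)     # first IP in the export is the baseline
        is_new = ip != baseline_ip[user] and ts - first_seen[(user, ip)] <= window
        if e["severity"] == "High" and is_new:
            findings.append((e["timestamp"], user, e["action"], ip))
    return findings
```

Because Auth events are kept for 30 days, the baseline is only as old as the export, so a finding is a prompt to review the session list, not proof of compromise.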
Rate Limiting
Linkzly applies rate limits to protect your account and the platform. Limits are applied at multiple levels:
| Limit type | What it applies to | Example limit |
|---|---|---|
| Authentication | Login and 2FA requests per IP | 100 requests per 15 minutes |
| Password reset | Reset requests per IP | 300 attempts per hour |
| 2FA setup | Setup attempts per user | 3 attempts per hour |
| 2FA verification | Code verification attempts | 5 attempts per 5 minutes |
| Email OTP | OTP request attempts | 3 requests per hour |
| API requests | Requests per API key | 100 requests per minute (default) |
When a rate limit is reached, the request will be rejected with a 429 Too Many Requests response. The response includes headers showing your current limit, remaining requests, and when the limit resets.
Security Tips
- Enable 2FA on your account. It is the single most effective step you can take against unauthorized access.
- Save your backup codes in a secure location (a password manager or offline storage). If you lose your authenticator device and have no backup codes, account recovery will require contacting support.
- Turn on Security Alerts in your Notification Preferences. These alerts notify you of logins from new devices and password changes.
- Review your Active Sessions periodically and revoke any sessions you do not recognize.
- Use a strong, unique password that you do not reuse across other services. Linkzly enforces minimum requirements, but a longer passphrase is always better.
- Check the Activity Logs if you suspect unauthorized changes in your organization. The High severity filter makes it easy to spot critical events.
Account Deletion (Danger Zone)
The Delete Account option is in the Danger Zone card at the bottom of the Account Settings page.
Warning: Account deletion is permanent. All data (short links, QR codes, custom domains, analytics, team members, billing history, and all other resources) will be deleted and cannot be recovered.
Requirements before deleting
- If you are the sole Owner of any organization, you must transfer ownership to another member first.
- You must enter your current password.
- You must type DELETE in the confirmation field to confirm you understand the action is permanent.
Once all conditions are met, click Delete Account. The deletion begins immediately with no grace period or undo.