Verify email & sign-in

Email verification, password setup, forgot-password flow, two-factor authentication. Security primitives every account needs before connecting an exchange API or arming push alerts.

Email verification, password hygiene and 2FA (when enabled) are the security floor for any account. The platform requires a verified email before you can:

  • Connect an exchange API (to prevent stolen-account → API-key planting attacks).
  • Arm a Telegram bot push (to prevent unauthorised destination linking).
  • Withdraw points / redemption rewards (where applicable).

The trading workflow itself works without verification, but you'll see a banner reminding you that several features are gated.

Email verification card

First sign-up

  1. Enter email + password.
  2. Verification mail goes out within ~10 seconds (check spam).
  3. Click the link in the mail; you land back on the platform signed-in.
  4. Email shows as Verified on the Account page.

If the mail doesn't arrive:

  • Check spam.
  • Click Resend verification on the Account card.
  • After 3 resends within 1 hour, the system rate-limits resends for 24h to prevent abuse.
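The resend limit above, sketched as an added example (not the platform's own code): a per-account rolling window that allows three resends in an hour and then blocks further resends for 24 hours. The class and function names are hypothetical, state is kept in memory, and it assumes the third resend is still sent and the 24-hour block starts from it.

```python
import time
from collections import defaultdict, deque

WINDOW_S = 60 * 60          # "within 1 hour" (from the page)
MAX_RESENDS = 3             # "3 resends" (from the page)
LOCKOUT_S = 24 * 60 * 60    # "for 24h" (from the page)


class ResendLimiter:
    """Hypothetical in-memory limiter; a real service would persist this state."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sent = defaultdict(deque)   # account -> resend timestamps in window
        self._locked_until = {}           # account -> end of 24h block

    def allow(self, account_id):
        """Return (allowed, retry_after_seconds) for one resend request."""
        now = self._clock()
        # Key on the normalised account, not on the client IP, so rotating
        # addresses does not reset the counter (assumption of this sketch).
        key = account_id.strip().lower()
        until = self._locked_until.get(key, 0.0)
        if now < until:
            return False, int(until - now)
        recent = self._sent[key]
        while recent and now - recent[0] >= WINDOW_S:
            recent.popleft()              # forget resends older than one hour
        recent.append(now)
        if len(recent) >= MAX_RESENDS:
            # Third resend in the window goes out, then the block begins.
            self._locked_until[key] = now + LOCKOUT_S
            recent.clear()
        return True, 0


def demo():
    """Constructed timeline: three resends in 20 minutes, a fourth, then +24h."""
    t = [0.0]
    limiter = ResendLimiter(clock=lambda: t[0])
    results = []
    for at in (0, 600, 1200, 1260, 1200 + LOCKOUT_S):
        t[0] = float(at)
        results.append(limiter.allow("User@Example.com "))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```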

Change email

  1. On the Account → Profile card, click Edit next to Email.
  2. Enter the new email.
  3. A verification mail goes to the new address.
  4. Your old email gets a notification "Email change requested" with a 24-hour revocation link in case it wasn't you.
  5. Click the link in the new mail; email updates.

Until the new email is verified, you can still sign in with the old one. Once verified, the old email loses sign-in access.

Forgot password

  1. On the sign-in page, click Forgot password.
  2. Enter your email.
  3. A reset mail goes out.
  4. Click the link → set a new password (must be ≥ 8 chars with at least one number).
  5. All other sessions get signed out as a security measure.

Two-factor (2FA)

If 2FA is enabled on your account (recommended), each sign-in requires:

  1. Email + password.
  2. A 6-digit TOTP code from an authenticator app (Google Authenticator, Authy, 1Password).

Enable from Account → Security → Set up 2FA. The flow:

  1. Scan the QR code into your authenticator.
  2. Enter the 6-digit code from the app to confirm.
  3. Save the recovery codes (10 one-use codes) somewhere safe — your only fallback if you lose the authenticator.

Lost 2FA + lost recovery codes

If both are gone, contact support ([email protected]) with proof of ownership. Manual reset takes 24-72 hours and requires confirming personal details + recent invoice numbers.

Sign-out

  • Sign out current session — avatar dropdown → Sign out.
  • Sign out all sessions — Account → Security → Sign out everywhere. Useful if you suspect a session was leaked.

Common pitfalls

  • Verification mail in spam — happens for Gmail / Outlook addresses on new domains. Mark as not-spam after the first one arrives.
  • Forgot password sends but link doesn't work — the link is one-use; clicking it twice or in a different browser may fail. Request a new one.
  • 2FA enabled then phone wipe — recovery codes are the only way out. Treat them like a private key.