# Security Settings

## Two-Factor Authentication

Two-factor authentication (2FA) adds an extra layer of security to your account using a time-based one-time password (TOTP) from an authenticator app.

> 2FA may not be available on all instances. It is an optional feature that the administrator enables.

### Setting Up 2FA

1. Go to **Settings > Security**
2. Click **Enable Two-Factor Authentication**
3. Scan the QR code with your authenticator app (e.g., Google Authenticator, Authy, 1Password)
4. Enter the 6-digit code from your app to confirm setup

### Recovery Codes

After enabling 2FA, you'll receive recovery codes. Save these in a secure location — they allow you to log in if you lose access to your authenticator app.

- Each recovery code can only be used once
- Click **Regenerate Recovery Codes** to create a fresh set (this invalidates the old ones)

### Disabling 2FA

1. Go to **Settings > Security**
2. Click **Disable Two-Factor Authentication**
3. Enter your password to confirm

## API Tokens

API tokens let you authenticate with the RankWiz API for programmatic access.

> API tokens may not be available on all instances. It is an optional feature that the administrator enables.

### Creating a Token

1. Go to **Settings > API Tokens**
2. Enter a **name** for the token (e.g., "CI Pipeline" or "Monitoring Script")
3. Select **permissions**: read, write, and/or delete
4. Optionally set an **expiration date**
5. Click **Create**

The token is displayed once — copy it immediately. You will not be able to see it again.

### Using a Token

Include the token in the `Authorization` header of your API requests:

```
Authorization: Bearer your-token-here
```

### Revoking a Token

1. Go to **Settings > API Tokens**
2. Find the token in the list
3. Click **Revoke**

The token is immediately invalidated. Any requests using it will be rejected.