Authentication

Login, registration, OAuth, and two-factor authentication.

Registration

Users register at /register with the following details:

  • Username (3-20 characters, alphanumeric + underscores)
  • Email address
  • Password (8+ characters)
  • Cloudflare Turnstile CAPTCHA

After registration, you'll receive a verification email with a 6-digit code valid for 10 minutes.

Login

Standard login at /login with email + password. Failed attempts are tracked and locked after 5 failures for security.

Two-Factor Authentication (2FA)

After login, if 2FA is enabled, you must enter a 6-digit code sent to your email. Codes expire after 5 minutes.

1

Go to Profile → Security

Open your account security settings

2

Click "Enable Two-Factor Authentication"

Start the 2FA setup process

3

Enter the code sent to your email

Verify your email to complete setup

4

Save your recovery codes

Store them securely for emergency access

Recovery Codes

When 2FA is enabled, 10 recovery codes are generated. Each can be used once to bypass 2FA. Store them in a safe place.

OAuth Login

Discord

1

Click "Login with Discord"

Choose Discord as your login method

2

Authorize the app on Discord

Grant permission to access your Discord profile

3

Account is linked automatically

Your account is created or linked

Google

1

Click "Login with Google"

Choose Google as your login method

2

Select your Google account

Choose which Google account to use

3

Account is linked automatically

Your account is created or linked

OAuth accounts are linked to existing accounts if the email matches. Otherwise, a new account is created automatically.

Remember Me

The "Remember Me" checkbox extends the session to 30 days instead of the default 30-minute inactivity timeout.

Device Management

You can view and revoke active sessions from Profile → Security. Each session shows:

  • Device and browser information
  • IP address and location
  • Last activity time
  • Session type (regular, 2FA, OAuth)

Security tip: Revoke any sessions you don't recognize immediately. This will log out that device.

API Endpoints

EndpointMethodDescription
/loginGET/POSTLogin page
/registerGET/POSTRegistration page
/verify-emailGET/POSTEmail verification
/verify-2faGET/POST2FA verification
/login/discordGETDiscord OAuth login
/login/googleGETGoogle OAuth login
/logoutGETLogout
/forgot-passwordGET/POSTPassword reset request
/reset-password/<token>GET/POSTPassword reset