Authentication

Last updated 14 Jun 2026

Sign-in methods

  • Email + password (with optional TOTP MFA)
  • Magic link (one-time URL sent to your email)
  • OAuth: Google, GitHub, Microsoft
  • SSO: SAML 2.0 for Enterprise customers (configure via Settings → Organization → SSO)

API authentication

Programmatic access uses Bearer tokens. Create one in Settings → API Keys; the value is shown once and stored as a salted hash. Tokens are scoped: read-only, read-write, billing-only, or per-module. Rotate tokens regularly; revoked tokens stop working within 60 seconds (the cache TTL).
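
An added sketch (not the service's own code) of how the properties above fit together: only a salt and digest are kept per token, scopes are checked on each request, and a 60-second validation cache is what lets a revoked token keep working briefly. The TokenStore class, the key_id.secret token format, the use of salted SHA-256, and the treatment of scopes as flat labels are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CACHE_TTL = 60  # seconds, the revocation delay stated above

class TokenStore:
    """Hypothetical model; token format and hashing choice are assumptions."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock   # injectable so the TTL can be exercised in tests
        self.records = {}    # key_id -> (salt, digest, scopes); no plaintext kept
        self.cache = {}      # sha256(token) -> (scopes, expires_at)

    @staticmethod
    def _digest(salt, secret):
        # Salted SHA-256 is adequate only because the secret is 256 random bits.
        return hashlib.sha256(salt + secret.encode()).digest()

    def create(self, scopes):
        key_id, secret = secrets.token_hex(4), secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self.records[key_id] = (salt, self._digest(salt, secret), frozenset(scopes))
        return f"{key_id}.{secret}"  # returned once, never stored

    def revoke(self, token):
        self.records.pop(token.partition(".")[0], None)

    def authorize(self, token, needed_scope):
        now = self.clock()
        cache_key = hashlib.sha256(token.encode()).hexdigest()
        hit = self.cache.get(cache_key)
        if hit and hit[1] > now:
            scopes = hit[0]  # cache hit: the record store is not consulted
        else:
            self.cache.pop(cache_key, None)
            key_id, _, secret = token.partition(".")
            rec = self.records.get(key_id)
            ok = rec and hmac.compare_digest(rec[1], self._digest(rec[0], secret))
            if not ok:
                return False
            scopes = rec[2]
            self.cache[cache_key] = (scopes, now + CACHE_TTL)
        return needed_scope in scopes

if __name__ == "__main__":
    store = TokenStore()
    tok = store.create({"read-only"})
    print(store.authorize(tok, "read-only"), store.authorize(tok, "billing-only"))
    store.revoke(tok)
    print("after revoke, still cached:", store.authorize(tok, "read-only"))
```

In this model the window only exists for tokens that were used shortly before revocation; a token that was never cached is rejected immediately.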

Session lifetime

Web sessions last 30 days with refresh; mobile sessions can be longer. Sessions are tied to a device fingerprint plus an IP range. If you sign in from a new country, you receive an email notification and may be asked for MFA even if it is not normally required.

Lost access

Password reset goes through the email on file. If you have lost both the password and access to the email, contact support@torun.ai from a verifiable identity (e.g., the email of an organization admin who can vouch for you).