Account & Security

How you sign in to Hiveship, how to add two-factor authentication, and how sessions, password resets, and account recovery work. For the full security posture (encryption, data residency, subprocessors), see the Security page.

Signing in

There are three ways into your account:

  • Email and password. A password you set, hashed with bcrypt and never stored in plaintext.
  • Google. OAuth sign-in with your Google account.
  • GitHub. OAuth sign-in with your GitHub account.

Whichever method you use, the session lives in HttpOnly, Secure cookies rather than local storage, so a script running on the page can never read your token.

Two-factor authentication

Hiveship supports time-based one-time passcodes (TOTP, RFC 6238) from any authenticator app such as 1Password, Authy, or Google Authenticator. Two-factor auth is optional for everyone and can be required for admin accounts.

Turning it on

  1. Open Account → Security from your user menu.
  2. Scan the QR code with your authenticator app, or type the setup key in by hand.
  3. Enter the 6-digit code your app shows to confirm the two clocks agree.
  4. Save your backup recovery codes. You get ten single-use codes, shown once. Keep them somewhere safe (a password manager is ideal); each one signs you in if you lose your authenticator.

From then on, signing in asks for your password and then a code. The single code field accepts either a 6-digit passcode or one of your xxxx-xxxx backup codes.

Managing or turning it off

The same Account → Security screen lets you regenerate your backup codes, which retires the old set. You can also disable 2FA there by confirming your password or a backup code; admin accounts that are required to keep 2FA on cannot turn it off. Authenticator seeds are encrypted at rest with AES-256-GCM under a dedicated key, so a database read alone never exposes a usable secret.

If you lose your authenticator

  1. Use a backup code at the sign-in prompt. Each code works once.
  2. Contact Hiveship support to reset it. A Hiveship administrator can clear your 2FA and revoke your active sessions, which lets you enrol again from scratch.

Sessions

A session is a short-lived access token (15 minutes) plus a refresh token that lasts one day, or 30 days when you check keep me logged in. Refresh tokens rotate on every use, and Hiveship tracks token families, so a stolen token that gets replayed invalidates the whole family instead of granting access.

Repeated failed sign-ins (a wrong password or a wrong code) lock the account for a short cool-off, and every failed attempt is written to the audit log.

Resetting your password

Forgot your password? Request a reset from the login page. We email a one-time link (stored only as a SHA-256 hash, so the database never holds a usable link) that lets you set a new one. Completing a reset signs you out everywhere else. Accounts created through Google or GitHub have no password to reset; they can claim one through the same flow, and afterward either method works.

Your data

You can export your workspace's issues, projects, and comments at any time through the REST API with a personal access token. Deleting a workspace permanently removes its content. For data rights and retention, see the Privacy Policy.