Turn on two-factor authentication
Two-factor authentication lives on each person’s own profile, not in workspace settings. It is per user: you turn it on for your own login, and each team member turns it on for theirs.1
Open your profile
Open Edit profile from your account menu.
2
Set up two-factor authentication
Find the Two-factor authentication section and follow the setup there.
Two-factor authentication starts switched off — you have to enable it yourself. Until you
do, the section shows a red Disabled badge and an Enable button.
Control who can do what
The strongest lever you have is roles. Everyone who logs in has a base role of Admin, Member, or Viewer, and you can build custom roles that grant an exact set of permissions. Two boundaries are worth knowing:- Workspace Settings is admin-only. Members and Viewers cannot reach Settings, Team Members, Billing, or Receipts at all — not by clicking, and not by typing the URL.
- Security is owner-only. Only the workspace owner sees the Security page.
Team members
Invite people, set their base role, and remove access when someone leaves.
Roles and permissions
Build a custom role with exactly the permissions you want to grant.
The Security page
Workspace Settings → Security contains one thing: deleting the workspace. It is visible only to the workspace owner. If what you actually want is to stop paying, cancel the subscription instead — that is reversible and leaves your data alone. See Cancelling.What DMLY does not have
Saying this plainly is more useful than implying protection that isn’t there:- No session management. You cannot see which devices are signed in, and you cannot sign another device out remotely. Changing a password is your blunt instrument.
- No audit log. There is no record you can browse of who changed what, when.
- No IP allowlist and no login-location restrictions.
- No ownership transfer. A workspace owner cannot hand the workspace to someone else from workspace settings.
Where API keys live
Where API keys live
A workspace API key is a credential — treat it like a password and never paste it into a
chat or a public page. Keys are minted from Integrations, not from the Security page.
See API authentication.

