> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dmly.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Secure your account

> Turn on two-factor authentication, control who can do what in your workspace, and understand what DMLY protects and what it doesn't.

DMLY's account security rests on three things: each person's own password and two-factor
authentication, the role you give them in the workspace, and the fact that the most
destructive actions are restricted to the workspace owner. There is no separate security
dashboard beyond that — this page is an honest account of what exists.

## Turn on two-factor authentication

Two-factor authentication lives on each person's own profile, not in workspace settings.
It is per user: you turn it on for your own login, and each team member turns it on for
theirs.

<Steps>
  <Step title="Open your profile">
    Open **Edit profile** from your account menu.
  </Step>

  <Step title="Set up two-factor authentication">
    Find the **Two-factor authentication** section and follow the setup there.
  </Step>
</Steps>

The same page is where you change your password, your name and email, your language and
timezone, and where you can delete your own account. See [Your profile](/account/profile).

<Note>
  Two-factor authentication starts switched off — you have to enable it yourself. Until you
  do, the section shows a red **Disabled** badge and an **Enable** button.
</Note>

<Warning>
  DMLY has no workspace-wide setting that forces every member to use two-factor
  authentication, and no admin can turn it on for someone else. If you want it across your
  team, ask each person to switch it on and check with them.
</Warning>

## Control who can do what

The strongest lever you have is roles. Everyone who logs in has a base role of **Admin**,
**Member**, or **Viewer**, and you can build custom roles that grant an exact set of
permissions.

Two boundaries are worth knowing:

* **Workspace Settings is admin-only.** Members and Viewers cannot reach **Settings**,
  **Team Members**, **Billing**, or **Receipts** at all — not by clicking, and not by
  typing the URL.
* **Security is owner-only.** Only the workspace owner sees the **Security** page.

Permissions are enforced on the server, not just hidden in the sidebar, so a member who
knows a URL still can't use a feature they lack permission for.

<Columns cols={2}>
  <Card title="Team members" icon="users" href="/account/team-members">
    Invite people, set their base role, and remove access when someone leaves.
  </Card>

  <Card title="Roles and permissions" icon="user-shield" href="/account/roles-and-permissions">
    Build a custom role with exactly the permissions you want to grant.
  </Card>
</Columns>

<Tip>
  Removing someone's access is a team-members task, not a security-page task. When a person
  leaves, remove them from **Team Members** — that is what cuts off their access to the
  workspace.
</Tip>

## The Security page

**Workspace Settings → Security** contains one thing: deleting the workspace. It is visible
only to the workspace owner.

<Warning>
  **Deleting this workspace will delete all data.** Deletion is permanent, and any active
  subscription is cancelled immediately. You have to type the workspace name to confirm.
  There is no undo and no export step built into the flow — take what you need out first.
  See [Exporting reports](/analytics/exporting-reports) and
  [Contact data and privacy](/contacts/data-and-privacy).
</Warning>

If what you actually want is to stop paying, cancel the subscription instead — that is
reversible and leaves your data alone. See [Cancelling](/billing/cancelling).

## What DMLY does not have

Saying this plainly is more useful than implying protection that isn't there:

* **No session management.** You cannot see which devices are signed in, and you cannot
  sign another device out remotely. Changing a password is your blunt instrument.
* **No audit log.** There is no record you can browse of who changed what, when.
* **No IP allowlist** and no login-location restrictions.
* **No ownership transfer.** A workspace owner cannot hand the workspace to someone else
  from workspace settings. {/* TODO(verify): document the supported route for changing a workspace owner — it exists only outside the tenant UI. */}

<Accordion title="Where API keys live">
  A workspace API key is a credential — treat it like a password and never paste it into a
  chat or a public page. Keys are minted from **Integrations**, not from the Security page.
  See [API authentication](/api-reference/authentication).
</Accordion>
