Account Security

StratBase.ai implements multiple security layers to protect your account and data.

Verification Codes

All sensitive operations require a 6-digit verification code:

| Operation | Code Sent To |
|-----------|-------------|
| Change password | Email |
| Change email (step 1) | Telegram (if linked) or email |
| Change email (step 3) | New email |
| Unlink Telegram | Email |
| Request affiliate payout | Email |
| Delete account | Email |

Code properties:

  • 6-digit numeric format
  • Expires in 10–15 minutes
  • Maximum 5 attempts per code
  • Stored as SHA-256 hash (never in plain text)

Lock Account ("This Wasn't Me")

If you receive a password-change confirmation email and didn't initiate it:

  1. Click the "This wasn't me" link in the email
  2. This sends a JWT-based lock request
  3. Your account is immediately locked
  4. All active sessions are invalidated
  5. Contact support to recover

When locked:

  • All API requests return 403 Forbidden
  • No logins possible
  • Data is preserved but inaccessible

Session Invalidation

How account events affect active sessions:

| Event | Effect |
|-------|--------|
| Password change | All JWT tokens issued before password_changed_at are rejected |
| Account lock | user.locked = true → all requests rejected |
| Email change | Sessions remain valid (email change requires verification) |

The system compares password_changed_at with the JWT iat (issued at) claim. If password_changed_at > iat, the token is rejected.
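
The rejection rule above, worked through as an added example (not StratBase.ai's code) using only the Python standard library and HS256. The `User` record, the function names, the key, the 401 status for a rejected token and the whole-second truncation of password_changed_at are assumptions; the 403 for a locked account follows the article.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass

KEY = b"constructed-demo-key"  # constructed secret, for this example only

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_token(sub: str, iat: int, key: bytes = KEY) -> str:
    """Sample issuer: an HS256 JWT carrying only sub and iat."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "iat": iat}).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{_b64(_mac(signing_input, key))}"

@dataclass
class User:  # hypothetical record; field names follow the article
    locked: bool
    password_changed_at: float  # Unix time, may carry fractions of a second

def authorize(token: str, user: User, key: bytes = KEY) -> int:
    """Return 200 (accepted), 401 (token rejected) or 403 (account locked)."""
    try:
        head, body, sig = token.split(".")
        # The MAC is always HMAC-SHA256; the header's "alg" is never consulted.
        if not hmac.compare_digest(_mac(f"{head}.{body}", key), _unb64(sig)):
            return 401
        iat = json.loads(_unb64(body))["iat"]
    except (ValueError, KeyError, TypeError):
        return 401  # malformed token
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        return 401
    if user.locked:
        return 403  # user.locked = true -> every request rejected
    # iat has one-second resolution, so compare whole seconds (assumption):
    # an untruncated timestamp would reject the token issued right after the change.
    if int(user.password_changed_at) > iat:
        return 401
    return 200
```

Truncating means a token minted earlier in the same second as the password change is still accepted; that is the price of keeping the fresh login usable with a one-second iat.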

Cooldown Periods

| Action | Cooldown |
|--------|----------|
| After password change | 24h — no affiliate payouts |
| After email change | 24h — no affiliate payouts |
| After password/email change | 7 days — no username change |
| After username change | 7 days — no username change |
| After ref code change | 30 days — no ref code change |

OAuth Security

  • Google OAuth — uses Google's secure authentication
  • Telegram OAuth — uses Telegram's login widget
  • OAuth accounts don't have a platform password by default
  • You can set a password via "Forgot Password" flow

Best Practices

  1. Use a strong password — at least 8 characters, mix of letters, numbers, and symbols
  2. Connect Telegram — adds a second verification channel for email changes
  3. Don't share verification codes — they're single-use and private
  4. Check "This wasn't me" emails — act immediately if you didn't request a change
  5. Keep your email updated — it's the primary recovery method

FAQ

Q: My account is locked — what do I do?
A: Contact support at support@stratbase.ai with proof of account ownership.

Q: Can I enable 2FA/MFA?
A: Traditional 2FA (TOTP) is not yet available. Verification codes serve as a second factor for sensitive operations.

Q: How do I check active sessions?
A: Currently, there's no session list. Changing your password invalidates all sessions.
