Sign in to manage sessions

You need to be signed in to see the devices currently signed in to your account. Sign in →

Account / Security

Security

Manage your sign-in methods and active devices. Set a password to skip the magic-link request every time, or keep magic-link only — both flows always work side by side.

Password

You sign in with magic links today. Set a password to make repeat sign-ins faster — magic-link still works as a fallback.

A password is set on this account. You can sign in with email + password OR with a magic link — both methods always work.

At least 12 characters. Length beats complexity — a passphrase is fine.

Two-factor authentication

Add a second factor with any authenticator app (Google Authenticator, Authy, 1Password). After setup, signing in asks for a 6-digit code — so a leaked password alone can't get into your account.

Two-factor is on. You'll be asked for a code from your authenticator app each time you sign in.

1. Add this setup key to your authenticator app:

Open in your authenticator app (if installed on this device)

Save these backup codes somewhere safe. Each works once if you lose your authenticator. They will not be shown again.

    Active sessions

    Every device that has signed in to your OrcaTrade account. Revoke individual sessions to sign them out without touching the others. To kill every session in one click, use Sign out everywhere on your account page.

    Your current session was created before per-device controls shipped. Sign out and sign back in to get a session ID; once you do, every future device will appear here with full revoke controls.
    No active sessions found. (This usually means you signed in before per-device tracking shipped — sign out and sign back in to populate this list.)
    Per-session revocation invalidates the cookie on the next request, on every endpoint that handles sensitive data. Lower-stakes endpoints (read-only plan generation, public marketing pages) accept the cookie until the user logs out via Sign out or the cookie's natural 30-day expiry — by design, so a slow KV outage can't lock a user out of the site.