Login is protected by a pair of tokens (short-lived access + long-lived refresh). Both live in cookies set with sameSite: strict, so the browser does not attach them to cross-site requests, which is a baseline CSRF defense.
What is available
- Change password — under Profile.
- Password recovery — via the email link, requested from the sign-in screen.
- Sign out — from the profile popover in the top-right corner.
Notes
SSO and two-factor are not supported yet. Do not share cookies with anyone — that is equivalent to sharing your password.
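
A check of the cookie setup described at the top of this page, as an added example that is not this product's own code: it parses Set-Cookie header values and reports when either token cookie lacks SameSite=Strict or when the access cookie does not expire before the refresh cookie. The cookie names `access` and `refresh`, the sample headers, and the use of Max-Age to express lifetimes are assumptions.

```javascript
// Constructed sample Set-Cookie header values. The cookie names "access" and
// "refresh" and the lifetimes are assumptions, not values from the page.
const SAMPLE_HEADERS = [
  "access=eyJhbGciOi.constructed; Path=/; Max-Age=900; SameSite=Strict",
  "refresh=c29tZS1vcGFxdWU.constructed; Path=/; Max-Age=2592000; SameSite=Strict",
];

// Parse one Set-Cookie value into { name, attrs } with lower-cased attribute names.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), attrs };
}

// Return a list of findings; an empty list means the pair matches the description:
// both cookies SameSite=Strict, access shorter-lived than refresh.
function auditTokenCookies(headers, accessName = "access", refreshName = "refresh") {
  const cookies = new Map(headers.map(parseSetCookie).map((c) => [c.name, c.attrs]));
  const findings = [];
  for (const name of [accessName, refreshName]) {
    const attrs = cookies.get(name);
    if (!attrs) { findings.push(`${name}: cookie not set`); continue; }
    const sameSite = String(attrs["samesite"] || "").toLowerCase();
    if (sameSite !== "strict") {
      findings.push(`${name}: SameSite is "${sameSite || "unset"}", expected strict`);
    }
  }
  const a = cookies.get(accessName), r = cookies.get(refreshName);
  if (a && r) {
    // Assumption: lifetimes are expressed with Max-Age (Expires is not handled).
    const aAge = Number(a["max-age"]), rAge = Number(r["max-age"]);
    if (!(aAge > 0 && rAge > aAge)) {
      findings.push("lifetimes: access token should expire before the refresh token");
    }
  }
  return findings;
}

console.log(auditTokenCookies(SAMPLE_HEADERS)); // []
```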