Account & profile

Manage your name, email, avatar, password, and active sessions.

Profile

POST /api/account/update-profile updates:

  • Name
  • Email (re-verification required if changed)
  • Avatar (uploaded to /uploads/, stored as a hashed filename)

The form lives in Account → Profile.

Password change

POST /api/account/change-password takes the current password, the new password, and a confirmation of the new password. The current password is required.

After the change, all other sessions are invalidated. You stay logged in on this device.

Sessions

GET /api/account/sessions lists all active sessions for your account:

[
  { "sid": "…", "ip": "…", "user_agent": "…",
    "last_seen": "2026-04-25T18:00Z", "current": true }
]

POST /api/account/sessions/<sid>/revoke terminates that session immediately. Revoke all terminates every session except the current one.

Use this when you've logged in on a public computer, or when you suspect account compromise.
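
Added example (not part of the product's own code): one way to triage the session list before revoking, assuming last_seen always uses the minute-resolution UTC form shown above. The known_ips set, the 14-day idle limit, and all sample values are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Constructed sample in the shape GET /api/account/sessions returns (values are made up).
SAMPLE = json.loads("""
[
  {"sid": "s-current", "ip": "198.51.100.7", "user_agent": "Firefox", "last_seen": "2026-04-25T18:00Z", "current": true},
  {"sid": "s-laptop", "ip": "198.51.100.7", "user_agent": "Chrome", "last_seen": "2026-04-25T09:30Z", "current": false},
  {"sid": "s-kiosk", "ip": "203.0.113.40", "user_agent": "Edge", "last_seen": "2026-04-24T22:15Z", "current": false},
  {"sid": "s-old", "ip": "198.51.100.7", "user_agent": "Safari", "last_seen": "2026-03-01T08:00Z", "current": false},
  {"sid": "s-broken", "ip": "198.51.100.7", "user_agent": "curl", "last_seen": "n/a", "current": false}
]
""")

def parse_last_seen(value):
    """Parse the timestamp form shown on the page; None if it does not match."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def triage(sessions, known_ips, now, max_idle=timedelta(days=14)):
    """Return (sid, reason) pairs for sessions worth revoking; never the current one."""
    flagged = []
    for s in sessions:
        if s.get("current") is True:
            continue  # keep the session this review is running in
        seen = parse_last_seen(s.get("last_seen"))
        if s.get("ip") not in known_ips:
            reason = "unrecognized ip"
        elif seen is None:
            reason = "unparseable last_seen"  # fail closed on malformed entries
        elif now - seen > max_idle:
            reason = "idle too long"
        else:
            continue
        flagged.append((s.get("sid"), reason))
    return flagged

def revoke_path(sid):
    """Path for the documented revoke call (sent as POST); sid is percent-encoded."""
    return f"/api/account/sessions/{quote(str(sid), safe='')}/revoke"

if __name__ == "__main__":
    now = datetime(2026, 4, 25, 18, 5, tzinfo=timezone.utc)
    for sid, reason in triage(SAMPLE, {"198.51.100.7"}, now):
        print("POST", revoke_path(sid), "#", reason)
```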

Avatar upload

Accepted formats: JPG, PNG, WebP. Maximum file size is 2 MB and maximum dimensions are 1024×1024. Images are resized server-side to a 256×256 thumbnail.

Why no SSO yet

Single sign-on (SAML, OIDC) is on the roadmap. Until then, MFA is the recommended baseline for team-shared accounts.

Linked accounts

(Roadmap.) Coming: link your account to GitHub, GitLab, and Google for one-click integrations.