Account & security.
Username rules, how passwords are stored, and how login sessions actually work.
Usernames
Your username doubles as your subdomain, so it has firm rules:
- 3 to 32 characters
- Lowercase letters, numbers, and hyphens only: no spaces, no uppercase, no underscores
- Checked for availability live as you type during registration
- A set of reserved names is blocked so they can't collide with the platform's own pages: things like www, api, admin, help, support, and similar
Usernames are permanent once registered. There's currently no way to rename one or transfer it to a different account.
Passwords
Passwords must be at least 8 characters; no other complexity rule is enforced. Behind the scenes, passwords are never stored as plain text: each one is hashed with PBKDF2-SHA256, salted with a unique random value per account, using 100,000 iterations. No API response, anywhere on the platform, ever returns a password or its hash.
Change your password from the Settings tab of your dashboard; leave the field blank to keep your current one.
Sessions
Logging in creates a random session token, stored server-side, and sets it in a cookie marked HttpOnly, Secure, and SameSite=Lax. That combination means the token can't be read by page scripts (including someone else's script, if it ever ended up running on a page you visited), only travels over encrypted connections, and isn't sent along with most cross-site requests.
Sessions last 30 days from login. Logging out clears the cookie and invalidates the token immediately, so it can't be reused even if someone captured it earlier.
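The session lifecycle described above, sketched as an added example (this is not the platform's own code). The cookie name `session`, the 32-byte token size, and the in-memory `SessionStore` are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 24 * 60 * 60  # 30 days from login, as the page states
COOKIE_NAME = "session"          # assumed name; the page does not give one

def set_cookie_header(value, max_age):
    """Build a Set-Cookie value carrying the three attributes the page lists."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = value
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True    # not readable by page scripts
    morsel["secure"] = True      # only sent over HTTPS
    morsel["samesite"] = "Lax"   # withheld from most cross-site requests
    morsel["max-age"] = max_age
    morsel["path"] = "/"
    return morsel.OutputString()

class SessionStore:
    """In-memory stand-in for the server-side session table (assumption)."""

    def __init__(self, clock=time.time):
        self._sessions = {}      # token -> (account_id, expires_at)
        self._clock = clock      # injectable so expiry can be tested

    def login(self, account_id):
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._sessions[token] = (account_id, self._clock() + SESSION_TTL)
        return token, set_cookie_header(token, SESSION_TTL)

    def lookup(self, token):
        """Return the account id for a live token, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None          # unknown or already logged out
        account_id, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]      # expired: forget it server-side
            return None
        return account_id

    def logout(self, token):
        """Invalidate server-side first, then tell the browser to drop the cookie."""
        self._sessions.pop(token, None)
        return set_cookie_header("", 0)
```

Because validity is decided by the server-side table rather than by the cookie, a token copied before logout fails `lookup` afterwards even if the copy never expires on the client.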
Your email is used for login and, currently, for manual account recovery if you contact support; there's no automated password-reset email flow yet. Changing your email in Settings doesn't affect your username or subdomain; they're independent.
One account, one site
In the current version, each account manages exactly one site at one subdomain. There's no concept of teams, multiple sites per account, or shared access to a site yet.