Admin Portal User Guide
Everything you need to register, log in, and use the dashboard: managing origins, issuing API tokens, and tuning rate limits for your sites.
What is the Admin Portal?
The admin portal is a web dashboard built into the OTP API, available at /dashboard. It gives you a point-and-click interface to manage every aspect of your 2FA integration; no database access or server commands are required.
- Origins: Register the domains your app runs on. Each origin you add is immediately allowed to make API calls. Enable, disable, or remove origins at any time.
- API tokens: Create the Bearer tokens that your app uses to authenticate API calls. Name them, revoke them when needed, and create replacements, all from one screen.
- Rate limits: Tune how aggressively the API rate-limits requests from each of your origins. Set tighter limits for sensitive endpoints or loosen them for high-traffic apps.
- Overview: See at a glance how many origins you have, how many users are enrolled in 2FA, and how many active tokens are in use, all scoped to your account.
Creating an Account
Click the button below or open /dashboard/register in your browser. Fill in three fields and click Create Account; you'll be logged in and taken to the dashboard automatically.
| Field | Rules |
|---|---|
| Full Name | Your display name. Shown in the dashboard sidebar. |
| Email | Must be a valid email address. Used to log in. Must be unique on this server. |
| Password | Minimum 8 characters, maximum 128. Choose something strong: this password protects all your origins and tokens. |
Logging In
Click the button below or open /dashboard/login in your browser. Enter your email and password; after signing in you are redirected to the dashboard. Your session lasts 8 hours.
After signing in:
- You land on the Overview page
- Your name and email appear in the sidebar footer
- Your origins are listed in the sidebar under My Origins
- Click Sign out in the sidebar to end your session
If you are sent back to the login page:
- Your session expired; sign in again
- You tried to access a page that requires a session
- If the problem persists, clear your cookies and try again
Overview Page
The Overview is the first page you see after logging in. It shows a summary of your account and a list of all your origins at a glance.
| Counter | What it means |
|---|---|
| Origins | How many origins you currently own. |
| Total Users | The total number of user accounts across all your origins who have started or completed 2FA setup. |
| 2FA Enabled | Users who have fully completed setup and have 2FA active on their account. |
| Active Tokens | API tokens that are currently active and can authenticate API calls. |
Below the stats is a table of all your origins. Click Manage → on any row to open that origin's detail page, or use the sidebar links under My Origins.
Managing Origins
An origin is the full address of a website, including its protocol, that you want to allow to use the OTP API. For example: https://myapp.com or http://localhost:3000.
When you add an origin it is immediately added to the allowed list, and API calls from that domain are accepted. When you disable an origin, calls from it are blocked instantly; no data is deleted.
Adding an origin
Examples of valid origins: https://myapp.com, https://staging.myapp.com, http://localhost:3000
https://app.mysite.com and https://mysite.com are two separate origins and need to be registered separately. Ports also matter: https://myapp.com and https://myapp.com:8443 are different origins.
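The origin rules above (scheme, host and port all have to match, and a disabled origin is refused with 403) can be checked with a small allow-list function. This is an added example for illustration, not the OTP API's own code; the registry shape and the function names are assumptions.

```javascript
// Added example, not the OTP API's own code: an origin allow-list check of
// the kind the guide describes. Comparison is scheme + host + port, so
// "https://app.mysite.com" and "https://mysite.com" differ, as do
// "https://myapp.com" and "https://myapp.com:8443". The registry shape and
// the function names are assumptions made for this illustration.

// Normalise a value to the canonical "scheme://host[:port]" origin form.
// WHATWG URL parsing lower-cases the host and drops default ports (443 for
// https, 80 for http), so "https://MyApp.com:443/x" becomes "https://myapp.com".
// Returns null for anything that is not an absolute http(s) URL.
function normalizeOrigin(value) {
  try {
    const url = new URL(String(value));
    if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
    return url.origin;
  } catch {
    return null;
  }
}

// Constructed sample registry: what one admin might have added in the dashboard.
// "enabled: false" models an origin that was paused with the Disable button.
const sampleRegistry = [
  { origin: 'https://myapp.com', enabled: true },
  { origin: 'https://staging.myapp.com', enabled: false },
  { origin: 'http://localhost:3000', enabled: true },
];

// Decide whether a request carrying the given Origin header may call the API.
// A registered-but-disabled origin gets 403, as the guide states; an unknown
// or malformed origin is also refused here (an assumption about the server).
function checkOrigin(registry, originHeader) {
  const wanted = normalizeOrigin(originHeader);
  if (wanted === null) return { allowed: false, status: 403, reason: 'missing or malformed Origin' };
  const entry = registry.find((e) => normalizeOrigin(e.origin) === wanted);
  if (!entry) return { allowed: false, status: 403, reason: 'origin not registered' };
  if (!entry.enabled) return { allowed: false, status: 403, reason: 'origin disabled' };
  return { allowed: true, status: 200, reason: 'ok' };
}
```

Normalising both sides before comparing is what makes a trailing path, a capitalised host or an explicit default port harmless, while a different subdomain or a non-default port still fails to match.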
Origin actions
Click an origin in the sidebar to open its detail page. The header bar shows the current status and three action buttons.
| Action | What it does | Reversible? |
|---|---|---|
| Disable | Immediately blocks all API requests from this origin. Returns 403 Forbidden to callers. All user data and tokens are kept intact. | Yes, click Enable |
| Enable | Re-activates a disabled origin. API calls are accepted again immediately. | Yes |
| Remove | Disables the origin and removes it from your account. Users and tokens are not deleted from the database; only your ownership is released. | Partially: another admin can reclaim it |
API Tokens
API tokens are what your application uses to authenticate every call to the OTP API. Each token belongs to one origin and is only valid when requests come from that origin. They are managed from the API Tokens tab inside each origin's detail page.
Creating a token
The token value is shown once, at creation. Store it server-side, for example as the environment variable OTP_API_TOKEN=abc123..., and pass it to the widget's api-token attribute from your server code. Never hard-code it in public HTML or client JavaScript.
Token actions
| Action | What it does | Reversible? |
|---|---|---|
| Revoke | Soft-disables the token. It stops accepting API calls within about 15 seconds. The token row stays in the dashboard so you can re-activate it later. | Yes, click Activate |
| Activate | Re-enables a previously revoked token. | Yes |
| Delete | Permanently removes the token from the database. Cannot be undone. Create a new token if you need to replace it. | No |
DDoS Config
The DDoS Config tab inside each origin's detail page lets you override the server's global rate-limit settings for that origin specifically. This is useful when one of your apps has higher legitimate traffic than the defaults allow, or when you want tighter limits on a sensitive endpoint.
Each origin has four independent layers you can configure. Layers marked default use the server's global settings; layers you have changed show an override badge.
The four layers
- Covers all routes. The broadest limit: a per-IP ceiling on the total number of requests in a time window.
- Covers all /auth/* routes. A stricter limit specific to authentication endpoints.
- Covers the code-verify and disable endpoints only. The tightest limit, designed to stop brute-force attacks on 6-digit codes.
- Slowdown: instead of blocking, adds a growing delay to each request after a threshold. Degrades bot performance without hard-blocking real users.
What you can change
| Setting | What it controls |
|---|---|
| Enabled | Toggle to turn a layer completely on or off for this origin. |
| Window (min) | The rolling time window in minutes. Requests older than this are not counted towards the limit. |
| Max requests | How many requests are allowed per IP within the window before a 429 Too Many Requests is returned. |
| Delay after (slowdown only) | How many free requests are allowed before delays start being added. |
| Delay (ms) (slowdown only) | Milliseconds added to each request beyond the free threshold. |
| Max delay (ms) (slowdown only) | The maximum total delay that can be added to a single request: the ceiling. |
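To make the settings in the table concrete, here is an added example (not the OTP API's implementation) of a per-IP rolling-window counter that returns 429 once Max requests is exceeded, beside a slowdown layer that adds Delay (ms) per request past Delay after, capped at Max delay (ms). The layer names, the config values and the injected clock are assumptions for illustration.

```javascript
// Added example, not the OTP API's own code: a rolling-window rate limiter
// and a slowdown layer driven by the same settings the DDoS Config tab
// exposes. Function names, config values and the fixed timestamps are
// assumptions made for this illustration.

// One layer keeps, per IP, the timestamps of requests inside its window.
// settings: { enabled, kind: 'block' | 'slowdown', windowMin, maxRequests,
//             delayAfter, delayMs, maxDelayMs }
function createLayer(settings) {
  const hits = new Map(); // ip -> array of request timestamps (ms)
  const windowMs = settings.windowMin * 60 * 1000;

  // Drop timestamps older than the rolling window and return the live count.
  function countInWindow(ip, nowMs) {
    const recent = (hits.get(ip) || []).filter((t) => nowMs - t < windowMs);
    hits.set(ip, recent);
    return recent.length;
  }

  // Record one request and return the decision for it.
  // 'block' layer: status 429 once the count exceeds maxRequests.
  // 'slowdown' layer: status 200 with a delay that grows by delayMs for each
  // request past delayAfter and is capped at maxDelayMs.
  function hit(ip, nowMs) {
    if (!settings.enabled) return { status: 200, delayMs: 0 };
    const count = countInWindow(ip, nowMs) + 1;
    hits.get(ip).push(nowMs);
    if (settings.kind === 'slowdown') {
      const over = Math.max(0, count - settings.delayAfter);
      return { status: 200, delayMs: Math.min(over * settings.delayMs, settings.maxDelayMs) };
    }
    if (count > settings.maxRequests) return { status: 429, delayMs: 0 };
    return { status: 200, delayMs: 0 };
  }

  return { hit };
}

// Replay a constructed burst from one IP against a fresh verify-style layer
// and a fresh slowdown layer, then show the window rolling over. Config values
// here are made up for the example, not the server defaults.
function simulate() {
  const verify = createLayer({ enabled: true, kind: 'block', windowMin: 15, maxRequests: 5 });
  const slow = createLayer({ enabled: true, kind: 'slowdown', windowMin: 15, delayAfter: 3, delayMs: 500, maxDelayMs: 2000 });
  const ip = '203.0.113.7'; // documentation address, constructed
  const t0 = 1700000000000;
  const statuses = [];
  const delays = [];
  for (let i = 0; i < 7; i++) {
    const now = t0 + i * 1000; // one request per second
    statuses.push(verify.hit(ip, now).status);
    delays.push(slow.hit(ip, now).delayMs);
  }
  // 16 minutes later every earlier timestamp is outside the 15-minute window,
  // so the same IP is counted from zero again.
  const afterWindow = verify.hit(ip, t0 + 16 * 60 * 1000).status;
  return { statuses, delays, afterWindow };
}
```

With these values the sixth request in the window is the first to get 429, and the slowdown delay climbs 0, 0, 0, 500, 1000, 1500 and then stops at the 2000 ms ceiling; the verify layer's low Max requests is what limits guessing attempts against a 6-digit code, while the slowdown layer only taxes bursts.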
FAQ
Yes. Add as many origins as you need (production, staging, local development); they all appear in your sidebar. Each has its own tokens and rate-limit config.
No, one origin can only be owned by one admin at a time. To transfer ownership, the current owner removes it from their account and the new owner adds it to theirs.
Delete the lost token and create a new one. Tokens are shown once at creation and cannot be recovered. Update the token value in your app; your users' 2FA setup is not affected.
Within about 15 seconds. There is a short in-memory cache to reduce database load. After the cache expires, any request using the revoked token is rejected.
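The 15-second window described here, and in the Revoke row of the token actions table, comes from a lookup cache sitting in front of the database. The following added example (not the OTP API's own code) models that cache with a 15-second TTL and a fixed clock so the lag is reproducible; the store layout, function names and token value are assumptions.

```javascript
// Added example, not the OTP API's own code: why a revoked token is still
// accepted for up to about 15 seconds. The guide says token lookups go
// through a short in-memory cache; this models that cache with a 15 s TTL
// and an injected clock so the timing can be reproduced exactly. The store
// layout, function names and the constructed token value are assumptions.

const CACHE_TTL_MS = 15 * 1000;

// Build an isolated token store: a stand-in for the database table plus the
// lookup cache in front of it. `rows` are constructed sample rows.
function createTokenStore(rows) {
  const db = new Map(rows.map((r) => [r.token, { ...r }]));
  const cache = new Map(); // token -> { row, expiresAt }

  // Fetch the row for a token, serving from the cache while the entry is fresh.
  // The cached value is a copy, so a later revoke in `db` stays invisible
  // until the entry expires. Unknown tokens are cached as null too.
  function lookup(token, nowMs) {
    const hit = cache.get(token);
    if (hit && hit.expiresAt > nowMs) return hit.row;
    const fresh = db.get(token);
    const row = fresh ? { ...fresh } : null;
    cache.set(token, { row, expiresAt: nowMs + CACHE_TTL_MS });
    return row;
  }

  // Authenticate a request: the token must exist, be active, and belong to
  // the origin the request came from (each token is bound to one origin).
  function authenticate(token, origin, nowMs) {
    const row = lookup(token, nowMs);
    if (!row) return { ok: false, reason: 'unknown token' };
    if (row.status !== 'active') return { ok: false, reason: 'token revoked' };
    if (row.origin !== origin) return { ok: false, reason: 'origin mismatch' };
    return { ok: true, reason: 'ok' };
  }

  // The dashboard's Revoke action: flip the database row to 'revoked'.
  function revoke(token) {
    const r = db.get(token);
    if (r) r.status = 'revoked';
  }

  return { authenticate, revoke };
}

// Walk through a revoke with a fixed clock and return what an API caller sees.
function simulateRevocation() {
  const store = createTokenStore([
    { token: 'tok_constructed_example', origin: 'https://myapp.com', status: 'active' },
  ]);
  const tok = 'tok_constructed_example';
  const t0 = 1700000000000;
  const before = store.authenticate(tok, 'https://myapp.com', t0).ok;            // true
  const wrongOrigin = store.authenticate(tok, 'https://other.example', t0).ok;   // false
  store.revoke(tok);
  const rightAfter = store.authenticate(tok, 'https://myapp.com', t0 + 5000).ok; // true: served from cache
  const afterTtl = store.authenticate(tok, 'https://myapp.com', t0 + 16000).ok;  // false: cache entry expired
  return { before, wrongOrigin, rightAfter, afterTtl };
}
```

The practical consequence for an operator is that a revoke is not an instant kill switch: a token you believe is leaked keeps working until the cache entry ages out, so treat the revoke time plus the TTL as the moment access actually ended.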
No. Disabling an origin blocks new API calls from that domain, but all user accounts, secrets, and tokens remain in the database. Re-enabling the origin restores full access immediately.
Yes. Each origin is a completely separate namespace. [email protected] on https://app1.com and