Account & Teams

Login & Account Security

Sitequest uses passwordless authentication. Instead of remembering a password, you sign in with a passkey, a magic link, or an external account. This guide covers each method, how sessions work, and how to manage your account.

Passkeys

Passkeys are cryptographic credentials stored on your device or in a password manager. They replace passwords entirely.

How they work

When you register a passkey, your device generates a key pair. The private key stays on your device; the public key is stored on Sitequest. During sign-in, your device proves it holds the private key without ever sending it over the network.

Benefits

  • Phishing-resistant — passkeys are bound to the site they were created for. They cannot be reused on a lookalike domain.
  • No shared secrets — there is no password stored on the server that could be leaked in a breach.
  • Fast — sign in with a fingerprint, face scan, or device PIN. No typing required.
  • Cross-device — passkeys stored in iCloud Keychain, Google Password Manager, or a password manager like 1Password sync across your devices automatically.

Managing passkeys

Go to Settings > Security > Passkeys in the dashboard. You can:

  • Register a new passkey (you can have multiple)
  • Name each passkey for easy identification
  • Delete passkeys you no longer use

If you remove your last passkey, make sure you have another sign-in method available (connected OAuth account or magic link via email).

Magic links

Magic links let you sign in by clicking a link sent to your email address. No password, no app, no code to copy.

How they work

  1. Enter your email on the sign-in page
  2. Sitequest sends a one-time link to your inbox
  3. Click the link to sign in

Each link expires after a short time and can only be used once.

Why they are secure

  • One-time use — each link is a single-use token. Once clicked, it is invalidated immediately.
  • Time-limited — links expire after a few minutes. A forgotten link in your inbox cannot be used later.
  • No stored credentials — there is no password to guess, brute-force, or leak.
  • Email-bound — only someone with access to your email inbox can use the link.

Magic links are always available as a sign-in method as long as you have a verified email address on your account.

OAuth providers

You can connect your Google or GitHub account to sign in with a single click.

How it works

  1. Go to Settings > Security > Connected Accounts
  2. Click Connect next to Google or GitHub
  3. Authorize Sitequest in the provider's consent screen

After connecting, you can sign in using the Continue with Google or Continue with GitHub button on the sign-in page.

Managing connected accounts

  • You can connect both Google and GitHub simultaneously
  • To disconnect a provider, click Disconnect next to it in the Connected Accounts section
  • You cannot disconnect a provider if it is your only sign-in method — register a passkey or ensure you have access to magic links first

Session management

Each sign-in creates a session. You can view and manage all active sessions from Settings > Security > Sessions.

What you can see

  • Device name and browser
  • IP address
  • When the session was created
  • Which session belongs to your current device

Revoking sessions

If you see an unfamiliar session or want to sign out of a device remotely, click on the session and choose Revoke. The session ends immediately and that device will need to sign in again.

Your current session cannot be revoked from this view — use the sign-out button instead.

Changing your email address

Your email address is used for magic link sign-in, notifications, and billing.

To change it:

  1. Go to Settings > Profile
  2. Click the edit icon next to your email
  3. Enter your new email address
  4. Hold the confirmation button for 3 seconds

A verification link is sent to your new address. Your email does not change until you click that link. If you do not confirm, your original email stays active.

Deleting your account

You can permanently delete your account from Settings > Security > Delete Account.

How it works

  1. Type the confirmation phrase shown on screen
  2. Hold the confirmation button for 5 seconds
  3. Account deletion is scheduled with a grace period

Grace period

A minimum 30-day grace period applies. If you have active subscriptions, the grace period extends until your last subscription expires. This ensures you are not charged after deletion and your services run until the end of their billing cycle.

Cancelling deletion

During the grace period, you can cancel the scheduled deletion at any time from the same page. A banner at the top of the Security settings page shows the scheduled deletion date and remaining days.

What gets deleted

When the grace period ends, your account and all associated data are permanently removed. This includes servers, domains, billing history, API keys, and team memberships. This action cannot be undone.