Two-factor authentication (MFA)

TOTP and backup codes on SlugBase Cloud: setup on Profile, sign-in step-up at slugbase.app/app, recovery, and how API tokens behave.

Cloud vs self-hosted: MFA behavior is implemented in the shared core app. This page calls out Cloud-specific URLs and support paths. For the full feature walkthrough, see Two-factor authentication (self-hosted).

Where it applies

On SlugBase Cloud, the web app lives under /app (for example https://slugbase.app/app/profile for Profile and https://slugbase.app/app/mfa for the MFA challenge after login). OIDC and email/password flows both respect MFA when it is enabled on your user.

Email verification still runs before you get a full session: Cloud requires a verified email where that policy applies; MFA is the second step after a successful first factor.

Setup, backup codes, API tokens

Setup, backup codes, regenerating codes, disabling MFA, and the sb_ API token model (tokens do not require interactive MFA) are the same as on self-hosted. Follow the steps in Two-factor authentication (self-hosted)—the UI labels match the core product.

The issuer name shown in your authenticator app may be set for the hosted product (for example SlugBase Cloud). Your admin configures this through an environment setting; there is no per-user issuer setting in the UI.

Recovery if you are locked out

Use backup codes when you still have them. If you have no authenticator access and no working backup codes, there is no self-service email unlock in the product.

On Cloud, use Support to reach the team. They follow an internal playbook to verify your account and reset MFA.