Two-factor authentication (MFA)
TOTP and backup codes on SlugBase Cloud: setup on Profile, sign-in step-up at slugbase.app/app, recovery, and how API tokens behave.
Cloud vs self-hosted: MFA behavior is implemented in the shared core app. This page calls out Cloud-specific URLs and support paths. For the full feature walkthrough, see Two-factor authentication (self-hosted).
Where it applies
On SlugBase Cloud, the web app lives under /app (for example https://slugbase.app/app/profile for Profile and https://slugbase.app/app/mfa for the MFA challenge after password login when MFA is enabled).
OIDC (SSO) sign-in does not add a second SlugBase TOTP step; your identity provider is expected to handle MFA. Email/password sign-in still uses SlugBase TOTP when MFA is enabled on the account (including hybrid accounts that have both password and SSO).
On Cloud, email verification happens first, then the MFA code step — so make sure your email is verified before you enable MFA.
Setup, backup codes, API tokens
Setup, backup codes, regenerating codes, disabling MFA, and the sb_ API token model (tokens do not require interactive MFA) are the same as on self-hosted. Follow the steps in Two-factor authentication (self-hosted)—the UI labels match the core product.
The issuer name shown in your authenticator app may be set for the hosted product (for example SlugBase Cloud). Your admin configures this via environment; there is no per-user issuer setting in the UI.
Recovery if you are locked out
Use backup codes when you still have them. If you have no authenticator access and no working backup codes, there is no self-service email unlock in the product.
On Cloud, use Support to reach the team. They follow an internal playbook to verify your account and reset MFA.
Related
Last updated 2 weeks ago
Built with Documentation.AI