Your account holds everything tied to you personally: profile, sign-in methods, sessions, two-factor, passkeys, API tokens, notification preferences, and language. A left sub-navigation groups these sections.
Menu: Account → Account · Route: /admin/account/profile
Sign in
- Sign in at /login with your password or a registered passkey.
- Forgot your password? Use the reset link on the login page.
Profile
Open Profile (/admin/account/profile) to manage your basic details.
- Avatar: upload an image (JPEG, PNG, GIF, or WebP, up to 2 MB) or delete the current one.
- Email: shown read-only; it cannot be changed here.
- Change password: enter your current password, a new password (at least 8 characters), and a confirmation. A security notification is sent when it changes.
Sessions & devices
Open Sessions & devices (/admin/account/sessions) to see where you are signed in.
Each session lists the device, when you signed in, and when it was last active; the session you are using now is marked as this device. You can revoke a single session or revoke all others at once.
Two-factor authentication
Open Two-factor (/admin/account/two-factor) to add a second step at sign-in.
- Add an authenticator app (TOTP, RFC 6238): scan the QR code, enter the 6-digit code, and save your recovery codes.
- View and reorder your methods, see remaining recovery codes, regenerate codes, or disable 2FA.
Store your recovery codes somewhere safe. They are the only way back in if you lose your authenticator device.
Passkeys
Open Passkeys (/admin/account/passkeys) to register a FIDO2 / WebAuthn passkey.
- Register a passkey from your device or a password manager, list registered passkeys, and delete any you no longer use.
- Passkeys are phishing-resistant and can replace your password at sign-in.
Personal access tokens
Open Personal access tokens (/admin/account/tokens) for API and integration access tied to your user.
- Give the token a name and pick an expiry (no expiry, 30 days, 90 days, or 1 year — the default).
- Choose the scopes the token should carry (see below), then click Create token.
- The token is shown once in plaintext: copy it immediately and store it securely. Every token starts with the cfp_ prefix.
- List existing tokens and revoke any you no longer need.
A token grants access as you. Treat it like a password and revoke it the moment it leaks.
Scopes
Tokens are scoped: when you create one, you tick the capabilities it is allowed to use. A token with no scopes ticked can authenticate but is confined to surfaces that do their own checks. Scopes you do not recognise are ignored — a token can never be granted a scope no installed module offers.
| Scope | Label | Allows |
|---|---|---|
| api:full | API: full access | Call the Studio /api/v1 admin API (flows, connections, forms) and the read-only /api/v2 API, including the Configuration read API. Without it the token is limited to MCP and engine surfaces. |
| mcp | MCP: full access | Grants every MCP capability below. |
| mcp:analytics:read | Analytics: read | Read reports, datasets, goals, funnels, and telemetry. |
| mcp:analytics:write | Analytics: write | Create and update goals; record conversions. |
| mcp:flows:read | Flows: read | List and read flows. |
| mcp:connections:read | Connections: read | List connections and their metadata. |
| mcp:connections:manage | Connections: manage | Run live connection tests. |
| mcp:history:read | History: read | Read execution and run history. |
| mcp:config:read | Config: read | Read non-secret configuration values. |
The mcp:* scopes authorize the MCP gateway, which lets AI agents call analytics, flow, connection, and configuration tools over JSON-RPC. Grant only the scopes a given agent needs.
Ticking MCP: full access (mcp) implies every MCP scope. The group roots mcp:analytics, mcp:connections, and mcp:flows each imply their read/write leaves — so you can grant a broad capability with one scope instead of several.
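The scope rules above, modelled as an added example (not the product's own code): it drops unrecognised scopes, expands roots to the leaves they imply, and reports capabilities a token carries beyond what an agent needs. Prefix matching on `:` boundaries, the treatment of the three group roots as selectable scopes, and all function names are assumptions.

```python
# Added example: models the scope rules described on this page; not the product's code.
# Assumption: implication is a prefix match on ":" boundaries (a root implies
# everything beneath it), and only the three named group roots are selectable.
LEAVES = {
    "api:full",
    "mcp:analytics:read", "mcp:analytics:write",
    "mcp:flows:read",
    "mcp:connections:read", "mcp:connections:manage",
    "mcp:history:read",
    "mcp:config:read",
}
ROOTS = {"mcp", "mcp:analytics", "mcp:connections", "mcp:flows"}
KNOWN = LEAVES | ROOTS


def normalize(granted):
    """Drop scopes no installed module offers (unrecognised ones are ignored)."""
    return {s for s in granted if s in KNOWN}


def implies(granted_scope, required):
    """True if granted_scope equals required or is a root above it."""
    return required == granted_scope or required.startswith(granted_scope + ":")


def allows(granted, required):
    """Does a token holding `granted` satisfy the `required` scope?"""
    return any(implies(g, required) for g in normalize(granted))


def effective(granted):
    """Expand a grant to the leaf capabilities it actually carries."""
    return {leaf for leaf in LEAVES if allows(granted, leaf)}


def excess(granted, needed):
    """Leaf capabilities the token carries beyond what the agent needs."""
    return effective(granted) - set(needed)


if __name__ == "__main__":
    # Constructed grant: an agent that only needs to read reports and flows.
    grant = ["mcp:analytics", "mcp:flows:read", "mcp:unknown:thing"]
    print(sorted(effective(grant)))
    print(sorted(excess(grant, ["mcp:analytics:read", "mcp:flows:read"])))
```

A non-empty result from `excess` means the grant is broader than the agent's needs and can be narrowed to the listed leaves.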
Notification preferences
Open Notification preferences (/admin/account/notifications) to choose how you are notified.
The settings are a channel × event matrix: pick Email, In-app, or Slack for events such as password_changed, two_factor_enabled, session_revoked, and token_created.
Language & region
Open Language & region (/admin/account/language) to pick your UI locale. This affects the interface language and how dates and times are formatted.
Notifications inbox
The Notifications inbox (/admin/notifications) shows your recent in-app notifications with an unread badge. Mark one as read, or mark all read at once.
Permissions
| Action | Permission |
|---|---|
| View your account | comerix.account.view |
| Manage sessions | comerix.account.sessions.manage |
| Manage two-factor | comerix.account.two_factor.manage |
| Manage passkeys | comerix.account.passkeys.manage |
| Manage access tokens | comerix.account.tokens.manage |
| Manage notification preferences | comerix.account.notifications.manage |
| Manage language & region | comerix.account.language.manage |