Two-Factor Authentication (2FA)

Protect client and admin accounts with TOTP authenticator apps (Google Authenticator, Authy, 1Password, etc.).

Client portal

  1. Open Profile → Two-factor authentication.
  2. Click Set up 2FA and scan the secret into your authenticator.
  3. Enter the 6-digit code from the authenticator to enable 2FA. Once 2FA is active, every login requires a current code.

Admin portal

Platform admins enable 2FA from the admin profile panel using the same enroll / verify flow.

API

  • POST /auth/totp/enroll — returns the secret (authenticated)
  • POST /auth/totp/verify — body {"code":"123456"}
  • POST /auth/totp/disable — requires a valid code

When 2FA is enabled on the account, login responses include a totp_required field indicating that a TOTP code must be supplied to complete the login.
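The enroll / verify / disable flow above, worked through as an added example (not the product's own code or its real account model): a standard RFC 6238 TOTP generator (HMAC-SHA1, 30-second step, 6 digits, as the portal's authenticator apps use) plus a hypothetical in-memory TotpAccount whose methods stand in for the three endpoints and for the totp_required field in the login response. The one-step clock-skew window, the replay check on the last accepted time step and the optional deterministic secret in enroll() are assumptions for the example; the fixed secret used in the test is the RFC 6238 reference key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30    # RFC 6238 time step in seconds
DIGITS = 6   # 6-digit codes, as the portal asks for


def totp_code(secret_b32: str, at=None) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30 s counter, dynamic truncation, 6 digits."""
    key = base64.b32decode(secret_b32.upper())
    counter = int((time.time() if at is None else at) // STEP)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** DIGITS):0{DIGITS}d}"


class TotpAccount:
    """Hypothetical server-side state for one account (an assumption of this example)."""

    def __init__(self):
        self.secret = None        # set by enroll(), cleared by disable()
        self.enabled = False      # True only after a code has been verified
        self.last_counter = -1    # last accepted time step; blocks replay of a used code

    def enroll(self, secret_b32=None) -> str:
        # POST /auth/totp/enroll: hand out a fresh secret; 2FA is NOT active yet.
        # secret_b32 is only for deterministic tests; production always generates one.
        self.secret = secret_b32 or base64.b32encode(secrets.token_bytes(20)).decode()
        self.enabled = False
        self.last_counter = -1
        return self.secret

    def _check(self, code: str, at) -> bool:
        # Reject malformed input before touching the secret.
        if self.secret is None or not (code.isdigit() and len(code) == DIGITS):
            return False
        counter = int(at // STEP)
        for delta in (-1, 0, 1):          # tolerate one step of clock skew either way
            c = counter + delta
            if c <= self.last_counter:    # already used, or older than a used step
                continue
            expected = totp_code(self.secret, c * STEP)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = c
                return True
        return False

    def verify(self, code: str, at=None) -> bool:
        # POST /auth/totp/verify {"code": "..."}: a valid code switches 2FA on.
        ok = self._check(code, time.time() if at is None else at)
        if ok:
            self.enabled = True
        return ok

    def disable(self, code: str, at=None) -> bool:
        # POST /auth/totp/disable: requires a valid (unused) code while 2FA is on.
        if not self.enabled:
            return False
        ok = self._check(code, time.time() if at is None else at)
        if ok:
            self.enabled = False
            self.secret = None
        return ok

    def login_response(self) -> dict:
        # Mirrors the totp_required field the page describes.
        return {"ok": True, "totp_required": self.enabled}


if __name__ == "__main__":
    acct = TotpAccount()
    secret = acct.enroll()
    print("enrolled secret:", secret)
    print("verify:", acct.verify(totp_code(secret)))
    print("login:", acct.login_response())
```

Design note: the replay check means a code accepted by verify cannot be presented again to disable in the same 30-second step, which is the behaviour a practitioner should expect from a correct server.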