Security & API Keys

Protect your account with two-factor authentication, manage active sessions, create API keys for programmatic access, and review the complete audit trail.

Two-Factor Authentication

Two-factor authentication (2FA) adds a second layer of security to your account. After entering your password, you also need a time-based code from your authenticator app.

Enabling 2FA

1. Go to Settings → Security. Find the Two-Factor Authentication section.

2. Click "Enable 2FA". A QR code appears. Scan it with your authenticator app (Google Authenticator, Authy, 1Password, etc.).

3. Enter the verification code. Type the 6-digit code from your authenticator app to confirm the setup.

4. Save recovery codes. A set of one-time recovery codes is displayed. Save them in a secure location. If you lose access to your authenticator app, these codes are the only way to log in.

Save your recovery codes

Recovery codes are shown only once. Store them in a password manager or a secure physical location. Without them, losing your authenticator device means losing access to your account.

Disabling 2FA

Go to Settings → Security, click Disable 2FA, and confirm with your current password. 2FA is removed immediately.

Session Management

The Sessions section shows all active sessions for your account — every device and browser where you are currently logged in.

Field          Description
Device         Browser name and version.
IP address     The IP address of the session.
Location       Approximate geographic location based on IP.
Last active    When the session was last used.
Created        When the session was created (login time).

Revoking Sessions

Click Revoke next to any session to terminate it immediately. The user on that device will be logged out on their next request.

Use Revoke All Other Sessions to log out of every device except the one you are currently using. This is recommended if you suspect unauthorized access.

API Keys

API keys allow programmatic access to the A91I API. Use them to trigger workflows, read execution results, and manage resources from scripts, CI/CD pipelines, or other applications.

Creating an API Key

1. Go to Settings → Security → API Keys. Find the API Keys section.

2. Click "Generate New Key". A dialog appears with configuration options.

3. Configure the key. Set a name, select permission scopes, and optionally set an expiration date.

4. Copy the key. The full API key is displayed once. Copy it immediately and store it securely. You will not be able to see the full key again.

Permission Scopes

Each API key can be restricted to specific permissions:

  • Workflows: Read, create, edit, and delete workflows.
  • Executions: Trigger executions and read execution results.
  • Connections: Read connection statuses (not credentials).
  • Organization: Read organization settings and member list.

Least privilege

Create keys with only the scopes they need. A CI/CD pipeline that triggers workflows should have Executions scope only, not full Workflows access.

Managing Keys

The API Keys list shows all active keys with their prefix (first 8 characters), creation date, last used timestamp, and usage count.

  • Revoke — disable a key immediately. Any requests using the key will be rejected.
  • Rotate — revoke the old key and create a new one in a single step. Update your application with the new key.
  • Monitor — check the 'last used' and 'usage count' columns to identify unused or over-used keys.
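The Monitor step above is easiest to do systematically. The following added example (not code from the A91I docs or product) reviews a constructed list of key rows with the same columns the API Keys list shows (prefix, scopes, created, last used, usage count, expiration) and reports which keys to rotate, revoke, or investigate. The 90-day rotation threshold follows the quarterly rotation recommended under Security Best Practices; the 30-day idle limit and the 5,000 requests/day volume limit are assumed values to tune for your own usage.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Thresholds: the quarterly rotation figure is from this page's best-practices list;
# the idle and volume limits are assumptions, not product defaults.
ROTATE_AFTER = timedelta(days=90)
UNUSED_AFTER = timedelta(days=30)
HIGH_VOLUME_PER_DAY = 5000
ALL_SCOPES = ("Workflows", "Executions", "Connections", "Organization")


@dataclass(frozen=True)
class ApiKeyRecord:
    """One row of the API Keys list; constructed schema mirroring the listed columns."""
    prefix: str                      # first 8 characters, the only part the console shows
    name: str
    scopes: Tuple[str, ...]
    created: datetime
    last_used: Optional[datetime]    # None if the key has never been used
    usage_count: int
    expires: Optional[datetime]      # None if no expiration date was set


def review_key(key: ApiKeyRecord, now: datetime) -> list:
    """Return finding codes for one key; an empty list means nothing to act on."""
    findings = []
    age = now - key.created
    if age > ROTATE_AFTER:
        findings.append("rotate")            # older than a quarter: use Rotate
    if key.expires is None:
        findings.append("no_expiry")         # set an expiration date
    elif key.expires <= now:
        findings.append("expired")           # revoke; it should not still be active
    if key.last_used is None:
        if age > UNUSED_AFTER:
            findings.append("never_used")    # provisioned but idle: revoke
    elif now - key.last_used > UNUSED_AFTER:
        findings.append("unused")            # idle for a month: revoke
    if set(ALL_SCOPES) <= set(key.scopes):
        findings.append("all_scopes")        # violates least privilege
    if key.usage_count / max(age.days, 1) > HIGH_VOLUME_PER_DAY:
        findings.append("high_volume")       # over-used: check for a leak or runaway job
    return findings


def review_keys(keys, now: datetime) -> dict:
    """Map each key prefix to its findings."""
    return {k.prefix: review_key(k, now) for k in keys}


def _d(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


NOW = _d(2025, 1, 15)
SAMPLE_KEYS = [  # constructed rows for the demo
    ApiKeyRecord("ak_ci_01", "ci-trigger", ("Executions",), _d(2024, 12, 1), _d(2025, 1, 14), 300, _d(2025, 3, 1)),
    ApiKeyRecord("ak_old_02", "legacy-admin", ALL_SCOPES, _d(2024, 6, 1), _d(2024, 10, 1), 5000, None),
    ApiKeyRecord("ak_tmp_03", "migration", ("Workflows",), _d(2025, 1, 10), None, 0, _d(2025, 1, 10)),
    ApiKeyRecord("ak_hot_04", "ingest", ("Executions",), _d(2025, 1, 1), _d(2025, 1, 15), 200000, _d(2025, 4, 1)),
]

if __name__ == "__main__":
    for prefix, findings in review_keys(SAMPLE_KEYS, NOW).items():
        print(f"{prefix}: {', '.join(findings) or 'ok'}")
```

Run on a real export, the `high_volume` finding is the one worth alerting on rather than reporting: a sudden jump in requests per day on a key that normally idles is the usual first sign that the key has leaked.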

Using API Keys

Include the API key in the Authorization header:

Authorization: Bearer your-api-key-here

All API endpoints that accept user authentication also accept API key authentication. The key inherits the permissions of the user who created it, further restricted by the key's configured scopes.
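As an added example (not code from the A91I docs or product), the client below sends the Authorization header exactly as shown above, reads the key from an environment variable rather than from source, and logs only the 8-character prefix the console uses. Because the real endpoints are not documented on this page, the block includes a small local mock server that stands in for the API: it accepts only a well-formed Bearer token that is in its set of active keys and answers 401 otherwise, which is the behaviour a client should expect once a key is revoked. The environment variable name `A91I_API_KEY`, the path `/v1/executions`, and the key value are all assumptions.

```python
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

KEY_ENV = "A91I_API_KEY"            # assumed environment variable name, not from the docs
# Constructed key for the local mock; a real key comes from Settings → Security → API Keys.
DEMO_KEY = "a91i_demo_0123456789abcdef"
VALID_KEYS = {DEMO_KEY}             # the mock's active keys; a revoked key would be removed here


def auth_headers(api_key: str) -> dict:
    """Build the Authorization header the docs describe; reject obviously bad keys early."""
    if not isinstance(api_key, str) or not api_key or api_key != api_key.strip():
        raise ValueError("API key must be a non-empty string with no surrounding whitespace")
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


def key_prefix(api_key: str) -> str:
    """The console lists keys by their first 8 characters; log only this, never the full key."""
    return api_key[:8]


def load_key_from_env() -> str:
    """Read the key from the environment so it never lands in source control or CI logs."""
    key = os.environ.get(KEY_ENV, "")
    if not key:
        raise RuntimeError(f"{KEY_ENV} is not set; create a key with only the scopes this job needs")
    return key


def call_api(base_url: str, path: str, api_key: str, method: str = "GET", body=None, timeout: float = 5.0):
    """Send one authenticated request and return (HTTP status, parsed JSON body or {})."""
    headers = auth_headers(api_key)
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = request.Request(base_url.rstrip("/") + path, data=data, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as exc:            # 401/403 responses still carry a JSON body
        return exc.code, json.loads(exc.read() or b"{}")


class MockA91IHandler(BaseHTTPRequestHandler):
    """Local stand-in for the API: enforces the Bearer scheme and rejects unknown or revoked keys."""

    def _reply(self, status: int, payload: dict) -> None:
        raw = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(raw)))
        self.end_headers()
        self.wfile.write(raw)

    def do_GET(self) -> None:
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return self._reply(401, {"error": "missing_or_malformed_bearer_token"})
        if token not in VALID_KEYS:
            return self._reply(401, {"error": "invalid_or_revoked_key"})
        self._reply(200, {"ok": True, "key_prefix": key_prefix(token), "path": self.path})

    do_POST = do_GET

    def log_message(self, *args) -> None:     # keep the mock quiet
        pass


def start_mock_server():
    """Start the mock on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockA91IHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, base = start_mock_server()
    try:
        key = os.environ.get(KEY_ENV, DEMO_KEY)
        status, payload = call_api(base, "/v1/executions", key)   # path is an assumption
        print(f"key {key_prefix(key)}...: HTTP {status} {payload}")
    finally:
        server.shutdown()
        server.server_close()
```

Point `call_api` at the real base URL and swap `DEMO_KEY` for `load_key_from_env()` in a CI job; a 401 after a rotation means the pipeline's secret was not updated with the new key.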

Audit Log

The audit log records every significant action in your organization. Navigate to Settings → Audit Log to browse the full history.

What Is Logged

Event               Examples
User actions        Login, logout, password change, 2FA enable/disable.
Workflow actions    Create, edit, delete, share, execute, version restore.
Connection actions  Create, update, delete, share, test.
Team actions        Invite, accept invitation, role change, removal.
Settings actions    Organization update, billing change, API key create/revoke.

Audit Entry Fields

Each audit log entry includes:

  • Timestamp — when the action occurred.
  • User — who performed the action.
  • Action — the type of action (create, update, delete, etc.).
  • Resource — what was affected (workflow, connection, user, etc.).
  • Changes — the before and after values for update actions.
  • IP address — the source IP of the request.
  • User agent — the browser or client that made the request.

Filtering the Audit Log

Use the filter controls to narrow results:

  • Action type — filter by create, update, delete, execute, etc.
  • Resource type — filter by workflow, connection, user, etc.
  • Date range — limit to a specific time period.
  • User — show actions by a specific team member.

Compliance

The audit log is designed for compliance with SOC 2 and similar frameworks. All entries are immutable — they cannot be modified or deleted by any user, including Owners.

Security Best Practices

  • Enable 2FA for all Admin and Owner accounts.
  • Use strong, unique passwords. A91I enforces a minimum of 8 characters with letters and numbers.
  • Review active sessions regularly and revoke any you do not recognize.
  • Create API keys with the minimum required scopes.
  • Set expiration dates on API keys used for temporary integrations.
  • Rotate API keys periodically (quarterly recommended).
  • Monitor the audit log for unexpected activity — unusual login times, bulk deletions, or configuration changes.
  • Revoke access for departing team members immediately.
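The audit log filters described under Filtering the Audit Log and the monitoring advice in the last list (unusual login times, bulk deletions, configuration changes) can both be expressed as code run over exported entries. The following added example (not code from the A91I docs or product) models entries with the Audit Entry Fields listed above, implements the four filters, and adds three detections over a constructed sample log. The action names, the 22:00 to 06:00 UTC quiet window, and the "5 deletes in 10 minutes" threshold are assumptions to adjust for your organization.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class AuditEntry:
    """The fields each audit entry carries; constructed model of the documented fields."""
    timestamp: datetime
    user: str
    action: str
    resource: str
    ip: str
    user_agent: str
    changes: Optional[Tuple[str, str]] = None   # (before, after) for update actions


def _t(hour, minute):   # constructed timestamps, all on one UTC day
    return datetime(2025, 1, 15, hour, minute, tzinfo=timezone.utc)


SAMPLE_LOG = [  # constructed entries
    AuditEntry(_t(9, 0), "bob", "login", "user", "203.0.113.10", "Mozilla/5.0"),
    AuditEntry(_t(9, 5), "bob", "update", "workflow", "203.0.113.10", "Mozilla/5.0", ("v3", "v4")),
    AuditEntry(_t(3, 5), "alice", "login", "user", "198.51.100.7", "curl/8.4"),
    *[AuditEntry(_t(3, 6 + i // 2), "alice", "delete", "workflow", "198.51.100.7", "curl/8.4")
      for i in range(6)],
    AuditEntry(_t(14, 30), "carol", "update", "organization", "203.0.113.22", "Mozilla/5.0", ("sso=off", "sso=on")),
    AuditEntry(_t(14, 31), "carol", "api_key_create", "api_key", "203.0.113.22", "Mozilla/5.0"),
]


def filter_entries(entries, action=None, resource=None, user=None, start=None, end=None) -> list:
    """The four UI filters (action type, resource type, user, date range) as one function."""
    out = []
    for e in entries:
        if action and e.action != action:
            continue
        if resource and e.resource != resource:
            continue
        if user and e.user != user:
            continue
        if start and e.timestamp < start:
            continue
        if end and e.timestamp > end:
            continue
        out.append(e)
    return sorted(out, key=lambda e: e.timestamp)


def bulk_deletions(entries, threshold: int = 5, window=timedelta(minutes=10)) -> list:
    """Users with at least `threshold` deletes inside any `window`; one alert per user."""
    by_user = defaultdict(list)
    for e in entries:
        if e.action == "delete":
            by_user[e.user].append(e.timestamp)
    alerts = []
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts.append((user, j - i, times[i]))
                break
    return alerts


def off_hours_logins(entries, quiet_start: int = 22, quiet_end: int = 6) -> list:
    """Logins whose UTC hour falls in the quiet window (assumed 22:00 to 06:00)."""
    return [e for e in entries
            if e.action == "login" and (e.timestamp.hour >= quiet_start or e.timestamp.hour < quiet_end)]


SENSITIVE_ACTIONS = {"2fa_disable", "api_key_create", "api_key_revoke", "role_change"}
SENSITIVE_RESOURCES = {"organization", "billing"}


def sensitive_changes(entries) -> list:
    """Configuration changes worth a second look: settings, billing, keys, 2FA, roles."""
    return [e for e in entries if e.action in SENSITIVE_ACTIONS or e.resource in SENSITIVE_RESOURCES]


if __name__ == "__main__":
    for user, count, first in bulk_deletions(SAMPLE_LOG):
        print(f"bulk deletion: {user} deleted {count} resources starting {first.isoformat()}")
    for e in off_hours_logins(SAMPLE_LOG):
        print(f"off-hours login: {e.user} from {e.ip} at {e.timestamp.isoformat()} ({e.user_agent})")
    for e in sensitive_changes(SAMPLE_LOG):
        print(f"sensitive change: {e.user} {e.action} {e.resource} {e.changes or ''}")
```

Because entries are immutable, a periodic export plus these checks gives a tamper-evident review trail; the off-hours login followed by a burst of deletes from a non-browser user agent in the sample is the shape of event that should prompt Revoke All Other Sessions and a key review.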