Account security — 2FA & API keys
Lock down your account with two-factor authentication, and give CI pipelines and scripts their own scoped API keys instead of sharing your password. Both take a minute to set up from the CLI.
Two-factor authentication
Turn on TOTP two-factor so a password alone isn't enough to sign in:
bootload 2fa enable
You'll enroll an authenticator app (scan the secret, then confirm a code) and get a set of backup codes — each works once, shown only at enrollment, so save them somewhere safe. Check your status or turn it off (a current code is required) any time:
bootload 2fa status
bootload 2fa disable
Scoped API keys
For automation — CI, deploy scripts, cron — mint a dedicated API key with only the permissions it needs, rather than handing out broad access:
bootload token create ci-deploy --scope services:read --scope services:write
The secret is shown once at creation — copy it then, because it's never
displayed again. Use it as a bearer token against the API directly —
Authorization: Bearer <key> — for example from a CI job or a curl script. (The
bootload CLI itself signs in separately with bootload login.)
List and revoke keys whenever you like:
bootload token list
bootload token revoke <id>
Revoking a key takes effect immediately — rotate one the moment you suspect it leaked.
Scopes
Scopes follow a resource:action shape, so a key carries exactly the access you
grant — nothing more. Some common ones:
| Scope | Grants |
|---|---|
| services:read | view services and their status |
| services:write | deploy, scale, restart services |
| services:exec | open a shell into a replica |
| logs:read | read service logs |
| metrics:read | read usage metrics |
| billing:read | view the wallet and ledger |
| billing:write | top up and change payment settings |
| domains:write | manage custom domains |
| registry:push | push images to the hosted registry |
A key can never exceed your own access, and you can grant several scopes by
repeating --scope. Prefer the narrowest set that gets the job done — a CI
key that only deploys needs services:read/services:write, not your wallet.
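To apply the narrowest-set advice across several keys, the following added example (not part of the bootload tooling) audits an inventory of keys against the scopes each job needs and prints the `bootload token create` command for a trimmed replacement. The inventory is constructed, the `audit_key` and `audit_all` helpers are hypothetical, and treating `services:exec` and `billing:write` as high-impact is an assumption of this example.

```python
import re

# Scopes listed in the table on this page (the page calls them "some common ones").
KNOWN_SCOPES = {
    "services:read", "services:write", "services:exec", "logs:read",
    "metrics:read", "billing:read", "billing:write", "domains:write",
    "registry:push",
}
# Assumption of this example: scopes an automation key should rarely hold.
HIGH_IMPACT = {"services:exec", "billing:write"}
SCOPE_RE = re.compile(r"^[a-z]+:[a-z]+$")  # the resource:action shape


def audit_key(name, granted, required):
    """Compare the scopes a key holds with the scopes its job needs."""
    granted, required = set(granted), set(required)
    seen = granted | required
    malformed = sorted(s for s in seen if not SCOPE_RE.match(s))
    excess = sorted(granted - required)
    return {
        "name": name,
        "malformed": malformed,
        # Well-formed but absent from the table above: check for typos.
        "unknown": sorted(s for s in seen - KNOWN_SCOPES if SCOPE_RE.match(s)),
        "missing": sorted(required - granted),
        "excess": excess,
        "high_impact_excess": sorted(set(excess) & HIGH_IMPACT),
        # Replacement command built only from the flags shown on this page.
        "suggested": "bootload token create " + name
        + "".join(f" --scope {s}" for s in sorted(required)),
    }


# Constructed inventory: key name -> (scopes granted, scopes the job needs).
INVENTORY = {
    "ci-deploy": (["services:read", "services:write"],
                  ["services:read", "services:write"]),
    "nightly-report": (["metrics:read", "logs:read", "billing:write",
                        "services:exec"], ["metrics:read", "logs:read"]),
}


def audit_all(inventory):
    return [audit_key(n, g, r) for n, (g, r) in inventory.items()]


if __name__ == "__main__":
    for r in audit_all(INVENTORY):
        review = r["excess"] or r["missing"] or r["malformed"]
        print("REVIEW" if review else "OK", r["name"], "excess:", r["excess"])
        print("  narrowest key:", r["suggested"])
```

A key flagged for review is replaced by revoking it with `bootload token revoke <id>` and minting the suggested one.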