Security #

OAuth/OIDC sign-in #

Meldry supports sign-in and account linking via external OAuth/OIDC identity providers.

Supported providers #

Provider         Scopes
GitHub           read:user user:email
Google           openid email profile
WeChat           snsapi_login
QQ               get_user_info
Feishu / Lark    (default)

The exact set of providers depends on what your platform has configured.

Sign-in flow #

  1. Click Sign in with GitHub (or another provider) on the login or registration page.
  2. Authorize Meldry on the provider's consent screen.
  3. If your OAuth identity is already linked, you are signed in directly.
  4. Otherwise you are taken to a one-time choice page where you can:
    • Create a new account using the suggested handle from the provider, or
    • Link to an existing Meldry account by entering your handle and password.

The pending link token is single-use and expires after 10 minutes. Once consumed, the OAuth identity is permanently bound to your Meldry account.
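As an added illustration, not code from Meldry itself, here is how a server-side store for the single-use, 10-minute pending link token described above could work in Python. The `PendingLinkStore` class, its method names, the `FakeClock` helper and the choice of `secrets.token_urlsafe` are all assumptions made for this example; only the single-use and 10-minute properties come from the page.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# The 10-minute expiry stated in the documentation.
PENDING_LINK_TTL_SECONDS = 10 * 60


@dataclass
class PendingLink:
    """Identity returned by the provider, held until the user chooses create-or-link."""
    provider: str
    provider_user_id: str
    suggested_handle: str
    created_at: float


class FakeClock:
    """Deterministic clock for demonstration; a real deployment uses time.time."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class PendingLinkStore:
    """Hypothetical store for one-time OAuth link tokens.

    Only the opaque token reaches the browser; the provider identity stays server-side,
    so the client cannot alter which external account ends up bound to the user.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised deterministically
        self._links: dict[str, PendingLink] = {}

    def issue(self, provider: str, provider_user_id: str, suggested_handle: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG: unguessable
        self._links[token] = PendingLink(provider, provider_user_id, suggested_handle, self._clock())
        return token

    def consume(self, token: str) -> PendingLink | None:
        """Redeem the token exactly once; unknown or expired tokens yield None."""
        link = self._links.pop(token, None)   # pop makes the token single-use
        if link is None:
            return None
        if self._clock() - link.created_at > PENDING_LINK_TTL_SECONDS:
            return None                       # expired; already removed, so it cannot be retried
        return link

    def purge_expired(self) -> int:
        """Housekeeping: drop tokens that were never redeemed and return how many were dropped."""
        now = self._clock()
        stale = [t for t, link in self._links.items() if now - link.created_at > PENDING_LINK_TTL_SECONDS]
        for t in stale:
            del self._links[t]
        return len(stale)
```

Because `consume` removes the token before checking its age, an expired token cannot be replayed later, and a token that was redeemed once fails on every subsequent attempt, which is the behaviour the page describes.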

Managing connected accounts #

View and manage connected OAuth accounts at Settings → Security → Connected Accounts. You can unlink any provider at any time.

Common problems #

Problem                              Likely cause                                    What to do
"OAuth state expired"                Took more than 10 minutes to authorize          Start the flow again
Callback returns 404                 Mismatched callback URL on the provider side    Contact support
"{provider} OAuth not configured"    Provider isn't enabled on this platform         Use a different provider

Two-factor authentication (2FA) #

Setup #

  1. Go to Settings → Security → Two-Factor Authentication.
  2. Click Enable 2FA.
  3. Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.).
  4. Enter the 6-digit code to verify.
  5. Save your recovery codes — they are your backup if you lose your authenticator.

Sign-in with 2FA #

After your handle and password, you will be prompted for the 6-digit TOTP code from your authenticator.

Trusted devices #

You can mark a device as "trusted" to skip the TOTP prompt on future sign-ins from the same device.

  • A trusted device is identified by a hash of your user ID, user-agent and IP address.
  • Trusted devices expire automatically after a configured period.
  • Revoke them all at Settings → Security → Trusted Devices → Revoke All.
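The following Python example, added here and not taken from Meldry, shows how a trusted-device record built from a hash of user ID, user-agent and IP address can be stored, checked and revoked. The 30-day lifetime, the `TrustedDevices` class and the use of an HMAC keyed with a server-side secret (rather than a plain hash) are assumptions for the example; the page only states that a hash of those three values is used and that devices expire after a configured period.

```python
from __future__ import annotations

import hashlib
import hmac
import time

# The page says devices expire "after a configured period"; 30 days is this example's value.
TRUSTED_DEVICE_TTL_SECONDS = 30 * 24 * 3600


class FakeClock:
    """Deterministic clock for demonstration; a real deployment uses time.time."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def device_fingerprint(server_key: bytes, user_id: str, user_agent: str, ip: str) -> str:
    """Fingerprint over user ID, user-agent and IP, as the page describes.

    Keying the hash with a server-side secret is an extra step assumed here: it means the
    stored fingerprints cannot be recomputed by anyone who merely knows the three inputs.
    """
    material = "\n".join([user_id, user_agent, ip]).encode()
    return hmac.new(server_key, material, hashlib.sha256).hexdigest()


class TrustedDevices:
    """Hypothetical per-user table of trusted-device fingerprints and their expiry times."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._by_user: dict[str, dict[str, float]] = {}   # user_id -> {fingerprint: expires_at}

    def trust(self, user_id: str, user_agent: str, ip: str) -> str:
        fp = device_fingerprint(self._key, user_id, user_agent, ip)
        self._by_user.setdefault(user_id, {})[fp] = self._clock() + TRUSTED_DEVICE_TTL_SECONDS
        return fp

    def is_trusted(self, user_id: str, user_agent: str, ip: str) -> bool:
        """True only if the exact same fingerprint was trusted and has not expired."""
        fp = device_fingerprint(self._key, user_id, user_agent, ip)
        devices = self._by_user.get(user_id, {})
        expires_at = devices.get(fp)
        if expires_at is None:
            return False
        if self._clock() >= expires_at:
            del devices[fp]          # expired entries are dropped when encountered
            return False
        return True

    def revoke_all(self, user_id: str) -> int:
        """The 'Revoke All' action: forget every trusted device and return how many there were."""
        return len(self._by_user.pop(user_id, {}))
```

Since the IP address is part of the fingerprint, the same browser on a different network (home Wi-Fi versus a mobile connection, say) produces a different fingerprint and the TOTP prompt returns; that is a property of the scheme the page describes, not a fault.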

Recovery codes #

Each recovery code can be used once as a substitute for a TOTP code.

  • Save them somewhere safe when first displayed.
  • Regenerate at Settings → Security → 2FA → Regenerate Recovery Codes (this invalidates all previous codes).
  • If you lose both your authenticator and your recovery codes, contact support for account recovery.
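To make the 2FA setup, the 6-digit TOTP prompt and the single-use recovery codes concrete, here is an added Python example (not Meldry's code) implementing RFC 4226 HOTP and RFC 6238 TOTP, the `otpauth://` URI that an enrolment QR code encodes, and a server-side set of hashed recovery codes that can each be redeemed once. The 30-second step, the one-step clock-drift window, the count and format of recovery codes and the `RecoveryCodes` class are assumptions; the page specifies only 6-digit codes and one-time use of recovery codes.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

TOTP_STEP_SECONDS = 30    # the conventional period; the page only says "6-digit code"
TOTP_DIGITS = 6
RECOVERY_CODE_COUNT = 10  # assumption; the page does not say how many codes are issued


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time // step))


def verify_totp(secret: bytes, code: str, unix_time: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift."""
    if len(code) != TOTP_DIGITS or not code.isdigit():
        return False
    counter = int(unix_time // TOTP_STEP_SECONDS)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI (Key URI format) that the enrolment QR code carries."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={TOTP_DIGITS}&period={TOTP_STEP_SECONDS}")


def generate_recovery_codes(count: int = RECOVERY_CODE_COUNT) -> list[str]:
    """Random codes shown to the user once; the xxxxx-xxxxx format is an assumption."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)          # 40 bits of entropy per code
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def hash_recovery_code(code: str) -> str:
    # Plain SHA-256 is acceptable here because the codes are random and high-entropy,
    # unlike user-chosen passwords; the server never stores the codes themselves.
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


class RecoveryCodes:
    """Server-side set of unused code hashes; each code can be redeemed exactly once."""

    def __init__(self, codes: list[str]):
        self._unused = {hash_recovery_code(c) for c in codes}

    def redeem(self, code: str) -> bool:
        digest = hash_recovery_code(code)
        if digest in self._unused:
            self._unused.remove(digest)     # consumed: the same code never works again
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)

    @classmethod
    def regenerate(cls, count: int = RECOVERY_CODE_COUNT) -> tuple["RecoveryCodes", list[str]]:
        """Issue a fresh batch; the new object knows nothing of the previous codes."""
        codes = generate_recovery_codes(count)
        return cls(codes), codes
```

The `totp` function reproduces the RFC 6238 reference vectors (for the 20-byte ASCII secret `12345678901234567890`, time 59 gives `287082`), which is a quick way to confirm that a server and an authenticator app agree before enrolling real users. `regenerate` mirrors the page's "Regenerate Recovery Codes" action: the returned object replaces the old one, so every previous code is invalidated.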

Password policy #

  • Length — 8 to 128 characters
  • Common password blocklist — the top 200 most-breached passwords are rejected
  • Password history — you cannot reuse your last 5 passwords

When you change your password, Meldry validates length and complexity, checks the blocklist, and ensures the new password isn't in your password history.
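Here is an added Python example (not Meldry's implementation) of the three listed rules: length 8 to 128, a common-password blocklist, and rejection of any of the last 5 passwords. The page does not spell out its complexity rules, so none are invented here. The salted PBKDF2-HMAC-SHA256 hashing, the iteration count and the six-entry stand-in blocklist are assumptions; a deployment would load the full top-200 breached-password list.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

MIN_LENGTH, MAX_LENGTH = 8, 128
HISTORY_SIZE = 5
PBKDF2_ITERATIONS = 100_000

# Constructed stand-in for the blocklist; a real deployment loads the top-200 breached list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty123", "letmein", "iloveyou"}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the choice of KDF is an assumption for this example."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def validate_new_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    errors = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        errors.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("password appears on the common-password blocklist")
    # Re-derive the hash under each stored salt; only the last HISTORY_SIZE hashes are kept,
    # so the history never holds the old passwords themselves.
    for salt, digest in history[-HISTORY_SIZE:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            errors.append(f"password matches one of your last {HISTORY_SIZE} passwords")
            break
    return errors


def record_password(history: list[tuple[bytes, bytes]], password: str) -> list[tuple[bytes, bytes]]:
    """Append the new password's hash and drop anything older than the last HISTORY_SIZE."""
    return (history + [hash_password(password)])[-HISTORY_SIZE:]
```

All three checks run and all violations are reported together rather than stopping at the first one, which is what lets a settings page show the user every reason a new password was rejected.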

Email verification #

Verify your email address so you can receive password reset, billing and security messages:

  1. Go to Settings → Security.
  2. Click Send Verification Email (rate limited to 5 per hour).
  3. Click the link in the email — your address is marked as verified.

API keys #

Create #

  1. Go to Settings → API Keys.
  2. Click Create API Key.
  3. Give it a descriptive name.
  4. Copy the key immediately — it is shown only once.

Rate limit: 5 API key creations per hour.

Use #

```bash
curl -H "Authorization: Bearer <your-api-key>" \
  https://your-server.meldry.com/api/me
```

Revoke #

Click the delete icon next to any API key in Settings → API Keys. Revocation is immediate.

Sessions #

View all active sessions at Settings → Security → Sessions. Each entry shows the device/browser, IP address and creation date.

  • Revoke a single session — click Revoke next to it.
  • Sign out everywhere — click Revoke All.

Session security #

  • Sessions expire after 14 days of inactivity.
  • Maximum lifetime: 30 days (absolute).
  • Sessions are bound to the browser and OS user-agent.
  • Sessions are rotated on password change.
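The four rules above, worked through in an added Python example that is not Meldry's own code: idle expiry after 14 days, an absolute 30-day lifetime, binding to the user-agent, and re-issuing sessions on password change. The `SessionStore` class, the `FakeClock` helper and the decision to reject (rather than delete) a session on user-agent mismatch are assumptions for the example.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

DAY = 24 * 3600
IDLE_TIMEOUT_SECONDS = 14 * DAY        # "expire after 14 days of inactivity"
ABSOLUTE_LIFETIME_SECONDS = 30 * DAY   # "maximum lifetime: 30 days (absolute)"


@dataclass
class Session:
    session_id: str
    user_id: str
    user_agent: str        # the browser/OS user-agent the session is bound to
    created_at: float
    last_seen_at: float


class FakeClock:
    """Deterministic clock for demonstration; a real deployment uses time.time."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionStore:
    """Hypothetical session store implementing the four rules listed above."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str, user_agent: str) -> Session:
        now = self._clock()
        s = Session(secrets.token_urlsafe(32), user_id, user_agent, now, now)
        self._sessions[s.session_id] = s
        return s

    def validate(self, session_id: str, user_agent: str) -> tuple[Session | None, str]:
        """Return (session, 'ok') or (None, reason). Expired sessions are deleted on sight."""
        s = self._sessions.get(session_id)
        if s is None:
            return None, "unknown or revoked"
        now = self._clock()
        if now - s.created_at > ABSOLUTE_LIFETIME_SECONDS:
            del self._sessions[session_id]
            return None, "absolute lifetime exceeded"
        if now - s.last_seen_at > IDLE_TIMEOUT_SECONDS:
            del self._sessions[session_id]
            return None, "idle timeout"
        if s.user_agent != user_agent:
            return None, "user-agent mismatch"   # rejected, but kept for the original browser
        s.last_seen_at = now                     # activity resets the idle clock, never the absolute one
        return s, "ok"

    def revoke(self, session_id: str) -> bool:
        """The per-session 'Revoke' button."""
        return self._sessions.pop(session_id, None) is not None

    def revoke_all(self, user_id: str) -> int:
        """The 'Revoke All' button: sign out everywhere and return the number of sessions dropped."""
        doomed = [sid for sid, s in self._sessions.items() if s.user_id == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def rotate_on_password_change(self, user_id: str, user_agent: str) -> Session:
        """Invalidate every existing session for the user and issue a fresh one to the caller."""
        self.revoke_all(user_id)
        return self.create(user_id, user_agent)
```

Checking the absolute lifetime before the idle timeout matters: a session that is used every day still ends on day 30, because `validate` refreshes `last_seen_at` but never `created_at`.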

Account lockout #

After 5 failed sign-in attempts, your account is locked for 15 minutes.
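The lockout rule as an added Python example (not Meldry's code): five failed attempts lock the handle for 15 minutes, the lock is checked before the password is ever evaluated, and a lapsed lock clears the counter. The `AccountLockout` class, the `attempt_sign_in` helper and the `FakeClock` are assumptions for the example.

```python
from __future__ import annotations

import math
import time

MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


class FakeClock:
    """Deterministic clock for demonstration; a real deployment uses time.time."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class AccountLockout:
    """Tracks failed sign-ins per handle and enforces the 5-attempt / 15-minute rule.

    Attempts are counted per handle whether or not the handle exists, so the lockout
    behaviour itself does not reveal which handles are real accounts.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def seconds_until_unlock(self, handle: str) -> int:
        """0 when sign-in may be attempted; otherwise the whole seconds left on the lock."""
        until = self._locked_until.get(handle)
        if until is None:
            return 0
        remaining = until - self._clock()
        if remaining <= 0:
            # The lock has lapsed: clear it and the counter so the user gets a fresh 5 attempts.
            del self._locked_until[handle]
            self._failures.pop(handle, None)
            return 0
        return math.ceil(remaining)

    def record_failure(self, handle: str) -> bool:
        """Count a failed attempt; True means the handle is now (or already was) locked."""
        if self.seconds_until_unlock(handle):
            return True
        count = self._failures.get(handle, 0) + 1
        self._failures[handle] = count
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[handle] = self._clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, handle: str) -> None:
        """A successful sign-in resets the failure counter."""
        self._failures.pop(handle, None)


def attempt_sign_in(lockout: AccountLockout, handle: str, credentials_valid: bool) -> str:
    """Sign-in decision in the order a login handler should make it."""
    wait = lockout.seconds_until_unlock(handle)
    if wait:
        return f"locked; try again in {wait} seconds"   # password not evaluated while locked
    if credentials_valid:
        lockout.record_success(handle)
        return "signed in"
    if lockout.record_failure(handle):
        return "locked"
    return "invalid credentials"
```

The order in `attempt_sign_in` is the point: the lock is consulted first, so a correct password submitted during the 15-minute window is still refused, and the message does not distinguish a wrong password from a non-existent handle.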

CAPTCHA #

Meldry may present a CAPTCHA challenge during registration to protect against automated abuse. Supported providers include hCaptcha, reCAPTCHA and Cloudflare Turnstile. If you get stuck on a CAPTCHA, refresh the page and try again.

Activity log #

Every significant action on your account is recorded in a tamper-proof activity log built on a SHA-256 hash chain.

What is recorded #

  • Timestamp — when the event happened
  • Event type — user.login, server.create, billing.upgrade, etc.
  • Remote IP — source IP of the request
  • Outcome — success or failure
  • Message — human-readable description
  • Severity — info, warning, error

Each entry contains the SHA-256 hash of the previous entry, so any modification or deletion would break the chain and be detectable.
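An added Python example (not Meldry's implementation) of such a SHA-256 hash chain over the fields listed above, with a verifier that reports the first entry whose hash or link no longer matches. The canonical-JSON encoding, the all-zero genesis value, the `ActivityLog` class and the sample entries (constructed, using documentation IP ranges) are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass

GENESIS_HASH = "0" * 64   # prev_hash of the first entry (assumption)


@dataclass
class ActivityEntry:
    timestamp: str
    event_type: str
    remote_ip: str
    outcome: str
    message: str
    severity: str
    prev_hash: str          # SHA-256 of the previous entry, linking the chain
    entry_hash: str = ""

    def payload(self) -> bytes:
        """Canonical JSON of every field except the entry's own hash."""
        fields = asdict(self)
        fields.pop("entry_hash")
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def compute_entry_hash(entry: ActivityEntry) -> str:
    # prev_hash is part of the payload, so each hash commits to the whole history before it.
    return hashlib.sha256(entry.payload()).hexdigest()


class ActivityLog:
    def __init__(self) -> None:
        self.entries: list[ActivityEntry] = []

    def append(self, timestamp: str, event_type: str, remote_ip: str, outcome: str,
               message: str, severity: str = "info") -> ActivityEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = ActivityEntry(timestamp, event_type, remote_ip, outcome, message, severity, prev)
        entry.entry_hash = compute_entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int | None]:
        """Walk the chain; return (True, None) or (False, index of the first bad entry)."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.prev_hash != expected_prev or compute_entry_hash(e) != e.entry_hash:
                return False, i
            expected_prev = e.entry_hash
        return True, None

    def head_hash(self) -> str:
        """Latest hash; recording it somewhere external lets you detect a truncated tail."""
        return self.entries[-1].entry_hash if self.entries else GENESIS_HASH


def build_sample_log() -> ActivityLog:
    """Constructed sample entries in the shape the documentation describes."""
    log = ActivityLog()
    log.append("2024-05-01T10:00:00Z", "user.login", "203.0.113.7", "success",
               "Signed in with password and TOTP")
    log.append("2024-05-01T10:05:12Z", "user.login", "198.51.100.4", "failure",
               "Invalid password", severity="warning")
    log.append("2024-05-01T10:06:30Z", "server.create", "203.0.113.7", "success",
               "Created server 'staging'")
    return log
```

Editing any field of a middle entry, or deleting one, breaks the link from the entry after it, which is what `verify` reports. Removing the newest entry leaves a chain that still verifies, so the scheme detects modification and deletion within the log but not truncation of the tail; that is why `head_hash` exists, so the latest hash can be compared against a copy kept outside the log.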

Where to view #

Open Settings → Security → Activity Log to see your own audit log entries.

Retention #

Logs are kept for a configurable retention period (typically 90 days). Older entries are pruned automatically.

Data export (GDPR) #

Request a complete export of your data at Settings → Danger Zone → Export Data.

Your export includes:

  • Profile information
  • Session history
  • OAuth connections
  • Subscriptions and payment transactions
  • Support tickets and messages
  • Notifications
  • Activity log
  • Server settings and resource usage

The export is delivered as a ZIP file.

Account deletion (with grace period) #

Account deletion uses a two-phase process with a 30-day grace period.

Schedule deletion #

  1. Go to Settings → Danger Zone.
  2. Click Schedule Deletion and confirm.
  3. Your account is marked with a deleted_at timestamp.

Grace period #

  • You have 30 days to change your mind.
  • During the grace period the account remains fully functional.
  • The dashboard shows the scheduled deletion timestamp.

Cancel deletion #

Open Settings → Danger Zone at any time during the grace period and click Cancel Deletion. The timestamp is cleared and your account continues normally.

Permanent deletion #

After the 30-day grace period, Meldry permanently removes:

  • Your user account and profile
  • All server data (containers, databases, media)
  • Session history and OAuth connections
  • Subscription and payment records

Consider exporting your data before scheduling deletion.