The My Account settings page is your personal control panel within OwnPay. Every administrator and staff member uses this page to maintain their own profile details — updating their display name, rotating their login email, and changing their password. More importantly, this is where you configure Two-Factor Authentication (2FA), the single most impactful security measure you can apply to your account. OwnPay implements RFC 6238-compliant TOTP, compatible with all major authenticator apps including Google Authenticator, Authy, Aegis, and Bitwarden.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/own-pay/OwnPay-Documentation/llms.txt
Use this file to discover all available pages before exploring further.
Passwords are hashed using Argon2id with high-iteration parameters. TOTP secrets are stored encrypted with AES-256-GCM. OwnPay’s authentication layer is designed to prevent credential recovery — there is no way to view a stored password. Always store credentials in a dedicated password manager.
Accessing My Account
Profile Information
The Profile Information section lets you update the display name and email address associated with your account.| Field | Type | Required | Example | Description |
|---|---|---|---|---|
| Name | Text | Yes | John Doe | Display name shown in audit logs and admin interface headers. |
| Text | Yes | admin@example.com | Login email address used for dashboard sign-in and password resets. |
Updating Your Name or Email
Changing Your Password
Enter Current Password
Type your existing password in the Current Password field to authenticate the change.
Set a New Password
Enter a strong password (minimum 8 characters, combining uppercase, lowercase, numbers, and symbols) in the New Password field.
Password Field Reference
| Field | Type | Required | Description |
|---|---|---|---|
| Current Password | Password | Yes | Authenticates that you authorize the change. |
| New Password | Password | Yes | Minimum 8 characters. Hashed with Argon2id. |
| Confirm Password | Password | Yes | Must match the New Password field exactly. |
Two-Factor Authentication (2FA)
Why Enable 2FA
Two-factor authentication adds a second layer of verification beyond your password. Even if your password is compromised, an attacker cannot log in without access to your physical authenticator device. For accounts with administrative access to financial data and payment configuration, enabling 2FA is essential.2FA Status Badge
The My Account page displays a prominent status badge:✓ Enabled (green) when 2FA is active, or Disabled (red) when it is not. Click Manage 2FA or Setup 2FA to enter the configuration screen.
Enabling Two-Factor Authentication
Scan the QR Code
The 2FA setup screen displays a QR code and a backup text secret. Open your authenticator app (Google Authenticator, Authy, Aegis, or Bitwarden) and scan the QR code. If you cannot scan the QR code, manually enter the backup text secret into your app.
Save the Backup Secret
Write down the backup text secret and store it securely (a password vault or secure physical location). This is the only recovery mechanism if you lose access to your authenticator device.
Enter the Verification Code
Once your authenticator app begins displaying 6-digit codes, type the current code into the Verification Code field on the setup screen.
Disabling Two-Factor Authentication
2FA Technical Details
TOTP drift window
TOTP drift window
OwnPay accepts TOTP codes with a drift allowance window of ±1 step (approximately ±30 seconds from the current server time). This compensates for minor clock drift between your server and your mobile device. If codes are consistently rejected, verify that both your server and device are synchronized to an NTP time source.
Rate limiting on 2FA attempts
Rate limiting on 2FA attempts
2FA verification attempts are rate-limited to prevent brute-force guessing attacks. After several consecutive failed attempts, the verification endpoint temporarily blocks further submissions from the same IP address.
Account lockout recovery
Account lockout recovery
If a staff member is locked out of their account because they lost their authenticator device and did not save the backup secret, the super-administrator must clear the user’s
two_factor_enabled and totp_secret_enc values in the op_merchant_users database table, or reset the account via the Staff management settings menu.Best Practices
Enable 2FA Immediately
Activate two-factor authentication on all administrative and staff accounts as part of your initial platform setup. Do not wait until after going live.
Store the 2FA Backup Secret
Before enabling 2FA, copy and securely store the backup text secret. This is the only way to recover access if your authenticator device is lost, stolen, or reset.
Use a Password Manager
Store your OwnPay password and 2FA backup secret in a dedicated password manager (e.g. Bitwarden, 1Password). Never share credentials with other staff members.
Rotate Passwords Periodically
Change your password on a regular schedule — especially after onboarding new staff members who may have had temporary access to shared credentials.
Related Pages
Staff Management
Create and manage administrator and team member profiles across the platform.
Roles & Permissions
Assign specific permission matrices to staff accounts to control feature access.