Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/own-pay/OwnPay-Documentation/llms.txt

Use this file to discover all available pages before exploring further.

Two-factor authentication (2FA) is one of the most effective defenses against unauthorized access to the OwnPay admin panel. Even if your password is compromised, an attacker cannot log in without physical access to your authenticator app. OwnPay uses the Time-based One-Time Password (TOTP) standard, compatible with apps such as Google Authenticator, Authy, and Bitwarden Authenticator.

Enabling 2FA on Your Account

2FA is configured per account from the My Account settings page. Navigate there to enable or disable 2FA on your user profile. The super-administrator should ensure 2FA is active on all privileged accounts.
Once 2FA is enabled, it cannot be bypassed at login. If you lose access to your authenticator device and have no backup recovery keys, a super-administrator must manually revoke and re-enable 2FA on your account from the Staff settings page.

Using 2FA at Login

Each time you log in with a 2FA-enabled account, you are automatically redirected to the /2fa verification screen after entering your password correctly.
1

Complete the standard login

Enter your Email or Username and Password on the login page and click Sign In.
2

Open your authenticator app

On your mobile device, open the authenticator app and find the OwnPay entry.
3

Read the current 6-digit code

Note the active 6-digit code. Each code is valid for a 30-second window. If the timer is nearly expired, wait for the next code to appear before typing — this avoids submitting an expiring code.
4

Enter the code and verify

Type the 6-digit code into the Verification Code field on the 2FA screen, then click Verify. Upon success, you are redirected to the Dashboard.
If the timer in your authenticator app shows only a few seconds remaining, wait for the next 30-second code to appear before submitting. The system also tolerates up to 60 seconds of clock drift (2 time slices) to account for minor time desynchronization between your device and the server.

2FA Verification Fields Reference

Field / OptionRequiredDescription
Verification CodeYesThe 6-digit numeric code generated by your authenticator app for the current 30-second window.
VerifySubmits the code to complete the login session.
Cancel & LogoutNoCancels the authentication flow entirely and returns you to the login page. Use this if you cannot complete 2FA (e.g. on a public computer).

How the TOTP System Works

The server accepts codes from the current 30-second time slice as well as the one immediately before and after it — effectively allowing up to 60 seconds of tolerance. This gracefully handles minor clock differences between your device and the server without compromising security. However, keeping your device time set to automatic/network time is strongly recommended.
Once a TOTP code is used successfully, it is invalidated immediately and cannot be reused within the same time window. The system tracks the last used time slice to prevent session hijacking via code interception.
Submitting too many invalid codes will trigger the rate limiter and lock you out from further attempts for 5 minutes. This prevents brute-force attacks against the 6-digit code space.

Recovery Considerations

If you lose access to your authenticator app, recovery requires administrator intervention — there is no self-service bypass.

Protect Your Backup Keys

Never share your 2FA secret key or backup recovery keys with anyone. Do not expose them to unauthorized users or transmit them over unencrypted channels.

Admin-Assisted Recovery

If you lose access to your authenticator device and cannot recover independently, a super-administrator can revoke the 2FA secret from the Staff settings page, allowing you to re-enable 2FA on your next login.

Troubleshooting

SymptomLikely CauseFix
Invalid or expired 2FA codeDevice clock is out of sync, or the code expired before submission.Set your phone’s time to automatic/network time. Then wait for the next fresh code and enter it quickly.
2FA secret could not be decryptedServer decryption key mismatch — typically after a key rotation.Contact your super-administrator to revoke and re-enable 2FA on your account.
Rate limit exceededToo many incorrect code submissions in a short period.Wait 5 minutes, then log in again from the start.
Lost authenticator app accessDevice lost, factory reset, or app data deleted.Use a saved backup recovery key if available, or have your super-administrator revoke and re-enable 2FA from the Staff settings page.

Login

The primary credential screen — 2FA is triggered immediately after a successful password submission.

Forgot Password

Recover account access if you cannot log in due to a forgotten or expired password.

Build docs developers (and LLMs) love