Password Authentication

Password authentication is used to access Aptible resources via the Dashboard and CLI.


Passwords must be at least 10 characters, must contain at least one uppercase letter, and must contain at least one digit or special character. Aptible uses Have I Been Pwned to implement a blacklist of known compromised passwords.

Account Lockout Policies

Accounts will be locked after 10 failed attempts in 1 minute, 20 failed attempts in 1 hour, or 40 failed attempts in 1 day.
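
The three thresholds above can be evaluated over a list of failed-login timestamps, for example when reviewing authentication logs. The Python below is an added example, not Aptible's implementation. It assumes sliding windows (this page does not say how the windows are measured), and first_lockout, spaced and all sample timestamps are constructed for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

# Thresholds from the policy above: (window, failed attempts that trigger a lock).
LOCKOUT_RULES = [
    (timedelta(minutes=1), 10),
    (timedelta(hours=1), 20),
    (timedelta(days=1), 40),
]


def first_lockout(failures):
    """Return (timestamp, window) of the first failure that trips a rule, else None.

    `failures` is an iterable of datetimes of failed logins for one account.
    Assumption: each window slides and ends at the failure being evaluated.
    """
    times = sorted(failures)
    for i, now in enumerate(times):
        for window, limit in LOCKOUT_RULES:
            # Count failures in the half-open window (now - window, now].
            start = bisect_right(times, now - window, 0, i + 1)
            if i + 1 - start >= limit:
                return now, window
    return None


def spaced(start, count, step):
    """Constructed sample data: `count` failures, one every `step`."""
    return [start + i * step for i in range(count)]


T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time

# Burst: one failure per second trips the 1-minute rule on the 10th attempt.
BURST = spaced(T0, 15, timedelta(seconds=1))
# Slow guessing: one failure every 2 minutes never exceeds 1 per minute,
# but the 20th attempt falls inside a single hour.
SLOW = spaced(T0, 25, timedelta(minutes=2))
# Very slow: one failure every 30 minutes stays under the minute and hour
# limits, yet the 40th attempt lands within 24 hours of the first.
VERY_SLOW = spaced(T0, 45, timedelta(minutes=30))
# Below every threshold: one failure per hour is at most 24 per day.
QUIET = spaced(T0, 48, timedelta(hours=1))

if __name__ == "__main__":
    for name, sample in [("burst", BURST), ("slow", SLOW),
                         ("very slow", VERY_SLOW), ("quiet", QUIET)]:
        print(name, first_lockout(sample))
```

The longer windows are what catch low-rate guessing that never comes near the per-minute limit.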

2-Factor Authentication (2FA)


2FA can be enabled on a per-user basis via the Dashboard.

Supported Protocols

2FA on Aptible supports software second factors via the TOTP protocol. We recommend using Google Authenticator as your TOTP client.

Hardware second factors are supported via the U2F protocol. However, U2F devices are only supported for Dashboard logins: you will still need to use a TOTP second factor for CLI authentication.


When enabled, 2FA protects access to your Aptible account via the Dashboard, CLI, and API. 2FA does not restrict Git pushes; these are still authenticated with SSH Public Keys. In some cases, you might not push code with your own user credentials, for example if you deploy with a CI service such as Travis or Circle and perform all deploys via a robot user. If so, we encourage you to remove SSH keys from your Aptible user account.

Aptible 2FA protects logins, not individual requests. Making authenticated requests to the Aptible API is a two-step process:

  1. Generate an access token using your credentials
  2. Use that access token to make requests

2FA protects the first step. Once you have an access token, you can make as many requests as you want to the API until that token expires or is revoked.

Recovering Account Access

When you enable 2FA, you will receive emergency backup codes for use if your device is lost, stolen, or temporarily unavailable. Keep these in a safe place.

Backup codes can be used once each by entering them where you would normally enter the 2FA code generated by your device.

If you don't have your device and are unable to access a backup code, please have one of your organization's owners contact Support.


Organization administrators can audit 2FA enrollment via the Dashboard as well.
