Advanced

Security

Protect your account and store from unauthorized access. Recommended setup for all store owners.

⚠️ Your ForgeStore account controls access to your store, your payout wallet, and your players' data. Take security seriously.

Two-Factor Authentication (2FA)

2FA adds a second layer of protection. Even if someone gets your password, they can't log in without your authenticator code.

Enable 2FA

  1. Go to Account → Security → Two-Factor Authentication
  2. Install an authenticator app if you don't have one:
    • Recommended: Aegis (Android, open source), Raivo (iOS)
    • Also works: Google Authenticator, Authy
  3. Scan the QR code with your authenticator app
  4. Enter the 6-digit code shown in the app to confirm
  5. Save your backup codes somewhere safe — these let you log in if you lose your phone

⚠️ Backup codes: Store them offline (printed or in a password manager). If you lose access to your authenticator and don't have backup codes, you will be locked out of your account permanently.

2FA for admin accounts

If your ForgeStore instance is self-hosted, 2FA is mandatory for the admin account. The admin panel will redirect to the account settings page until 2FA is enabled.


Active Sessions

See all devices currently logged into your account at Account → Security → Active Sessions.

Each session shows:

Click Revoke to immediately sign out a session. Use Revoke All Other Sessions if you suspect unauthorized access.


Password Security

Change your password at Account → Security → Change Password. We recommend:

Forgot password

Go to /login → Forgot password? → enter your email. You'll receive a reset link valid for 1 hour.


Audit Log

The audit log records every significant action taken in your account. Access it at Dashboard → Settings → Audit Log.

| Event type | What it records |
|---|---|
| login | Successful and failed login attempts |
| store.created | New store created |
| store.updated | Store settings changed (name, domain, payments) |
| package.created | New package added |
| package.deleted | Package removed |
| coupon.created | New coupon created |
| cashout.requested | Withdrawal requested |
| member.invited | Team member invited to organization |
| api.key.generated | New API key created |

Each entry includes the actor (email), timestamp, IP address, and a description of what changed.
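One way to review these entries for signs of account takeover, as an added example that is not ForgeStore code: it flags money-moving or access-widening events performed from an IP address the actor only started using within the last 24 hours, and counts that actor's failed logins in the same window. The dictionary keys, the timestamp format, and the convention that a failed login has "failed" in its description are assumptions, since the page does not document an export format.

```python
from datetime import datetime, timedelta

# Event types from the audit log table that move money or widen access.
SENSITIVE = {"cashout.requested", "api.key.generated", "member.invited", "store.updated"}

def flag_sensitive_from_new_ip(entries, window=timedelta(hours=24)):
    """Return sensitive actions taken from an IP the actor first used less
    than `window` earlier, with the actor's failed-login count in that window.
    IPs first seen near the start of the export have no baseline and are
    flagged as well, so review a range longer than `window`."""
    parsed = sorted(((datetime.fromisoformat(e["timestamp"]), e) for e in entries),
                    key=lambda pair: pair[0])
    first_seen, failed, findings = {}, {}, []
    for ts, e in parsed:
        key = (e["actor"], e["ip"])
        first_seen.setdefault(key, ts)
        # Assumption: failed attempts are marked in the description text.
        if e["event"] == "login" and "failed" in e["description"].lower():
            failed.setdefault(e["actor"], []).append(ts)
        elif e["event"] in SENSITIVE and ts - first_seen[key] < window:
            recent = [t for t in failed.get(e["actor"], []) if ts - t <= window]
            findings.append({"timestamp": e["timestamp"], "actor": e["actor"],
                             "event": e["event"], "ip": e["ip"],
                             "failed_logins": len(recent)})
    return findings

def entry(timestamp, event, ip, description, actor="owner@example.com"):
    return {"timestamp": timestamp, "event": event, "actor": actor,
            "ip": ip, "description": description}

# Constructed sample entries (documentation IP ranges, invented descriptions).
SAMPLE = [
    entry("2024-03-01T09:00:00+00:00", "login", "198.51.100.7", "Login succeeded"),
    entry("2024-03-03T10:15:00+00:00", "store.updated", "198.51.100.7", "Store name changed"),
    entry("2024-03-10T02:01:00+00:00", "login", "203.0.113.50", "Login failed"),
    entry("2024-03-10T02:02:00+00:00", "login", "203.0.113.50", "Login failed"),
    entry("2024-03-10T02:03:00+00:00", "login", "203.0.113.50", "Login failed"),
    entry("2024-03-10T02:05:00+00:00", "login", "203.0.113.50", "Login succeeded"),
    entry("2024-03-10T02:10:00+00:00", "api.key.generated", "203.0.113.50", "New API key created"),
    entry("2024-03-10T02:15:00+00:00", "cashout.requested", "203.0.113.50", "Withdrawal requested"),
]

if __name__ == "__main__":
    for finding in flag_sensitive_from_new_ip(SAMPLE):
        print(finding)
```

A finding with a non-zero failed-login count is the pattern to act on first: revoke other sessions, change the password, and review any API keys created in that window.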


IP Bans

Block specific IP addresses from accessing your store. Useful for players who abuse chargebacks or attempt to exploit your store.

Go to Dashboard → Settings → IP Bans → Add Ban. Enter the IP address and an optional reason. You can set a temporary ban (24h, 7 days) or a permanent one.

Banned IPs see a 403 page instead of your store. They cannot view packages, check out, or contact the store.


Team Access

Invite team members to help manage your stores at Dashboard → Organization → Members → Invite.

| Role | What they can do |
|---|---|
| Owner | Full access — billing, payouts, delete store |
| Manager | Everything except billing and payouts |
| Support | View orders, process refunds, manage players |
| Viewer | Read-only access to stats and orders |

💡 Never share your account credentials with team members. Invite them properly so you can revoke their access individually if needed.

API Keys

API keys grant access to your store's data via the REST API. Generate them at Store Settings → API → New Key.