Account & Security

Signup, login, password reset, sessions, 2FA roadmap, account deletion (7-day hold), and security practices.

Account & Security

Everything around login, signup, password reset, and how Allorc keeps your account safe.



Sign Up

The signup form is at /signup. If sign-ups are closed on your environment, you'll see a "Sign-ups are closed" message.


Email Verification

After signup, the system sends a verification email. You must click the link before you can subscribe.


Login

The login form is at /login.


Forgot Password

The forgot-password form is at /forgot-password.


Session Management

Sessions are maintained securely. The Remember me option extends your session so you stay logged in across visits.


Two-Factor Authentication (2FA)

Status: Coming soon.

The roadmap includes TOTP-based 2FA. When enabled, you'll be able to:

  • Enable 2FA in Settings → Account.
  • Scan a QR code with an authenticator app (Google Authenticator, 1Password, Authy).
  • Use a 6-digit code as a second factor on login.

OAuth / Social Login

Status: Not currently supported.

Allorc uses email + password for primary auth. Social login (Google, GitHub) is on the roadmap.


Account Deletion

The account-deletion flow is a 7-day soft delete to comply with GDPR and protect users from accidental loss.


Security Practices

Allorc follows industry-standard security practices:

  • Passwords are hashed and never stored in plain text
  • All traffic is encrypted with TLS
  • Payment data is handled entirely by Stripe — we never see card numbers
  • Databases are encrypted at rest
  • Sessions are protected with secure cookies
  • Rate limiting is applied at the account and IP level

Recognizing Phishing

Allorc will never:

  • Ask for your password over email.
  • Ask for your credit card over email (Stripe handles all card data).
  • Send you a link to a non-allorc.com domain.

If you receive an email claiming to be from Allorc but the link goes elsewhere, or it asks for sensitive info, don't click it. Forward to support and we'll investigate.


Reporting a Security Issue

Email security@allorc.com with:

  • Description of the issue.
  • Steps to reproduce.
  • Affected account (if known).

We aim to respond within 24 hours and to credit researchers for valid issues (responsible disclosure program).


Frequently Asked Questions

Q: I forgot my password. What do I do? A: Use the Forgot Password flow on the login screen.

Q: How do I change my password? A: For now, use the Forgot Password flow. A self-serve "Change password" in Settings is on the roadmap.

Q: How do I change my email? A: Email support. We need to verify the new email before flipping it.

Q: Can I have multiple accounts with the same email? A: No. Each email is tied to one account.

Q: Can I use a different email for the worker than my login email? A: The worker's email (<prefix>@ai.allorc.com) is separate from your login email. The login email is for auth; the worker email is for the agent's mailbox.

Q: Why was I signed out unexpectedly? A: Sessions can expire (especially without "Remember me"), or your account may have been modified. Sign back in; if it happens repeatedly, contact support.

Q: Can I see who's logged into my account? A: Active sessions list is on the roadmap in Settings → Account.

Q: Is 2FA available? A: Coming soon. Email + password is the only factor for now.