Account Settings
Personal information, password changes, notification preferences, logged in session management.
The account settings page gathers everything about you as a person — profile, password, notifications, signed-in devices. This page walks through each item.
Where To Start
Pull down the avatar in the upper right corner → "Account Settings", or visit directly/account.
Personal Information
- Nickname — The name seen by other team members does not need to be your real name.
- avatar — Upload a picture or generate it using initials (automatically hash the color according to the nickname).
- Default language — The UI language also affects LLM's default output language suggestions.
- Default Scheduling Time Zone — It is used by default when creating a new CRON schedule; already created schedules save their own time zone.
- Dark/light mode — It follows the system by default and can be locked manually.
Email And Password
Modify Email
- Enter a new email address → We will send a verification email to the new email address.
- Click the confirmation link in your new email address.
- The old mailbox will receive a notification that "your mailbox has just been modified" - if it was not you, click "Undo" immediately.
Change Password
Enter current password + new password + confirm again → effective immediately. The system requires more than 8 characters, including letters and numbers; it is recommended to use a password manager to generate it. After the change is completed, other logged-in devices will be logged out.
Two-Step Verification
Turn on/off/reset TOTP, view remaining recovery codes, and regenerate recovery codes. See the complete process Registration and Login.
Programmatic Access to API (API Key)
For automation/CI/external scripts, it is recommended to use a dedicated API Key instead of a password to log in:
- Account settings → "API Key" tab → click "New API Key"
- Enter the Key name, check the required scope, and optionally set the expiration time.
- After saving **only this time** the full Key is displayed (format dyk_<id>_<secret>) - copy immediately to your password manager or secret store
- When calling the API:
Authorization: Bearer dyk_xxxxx_yyyyy
Supported scopes:
WORKFLOW_READ/WORKFLOW_WRITE— Workflow read/writeEXECUTION_READ/EXECUTION_WRITE— Execute view/trigger/cancelSCHEDULE_READ/SCHEDULE_WRITE— Schedule read/writeWEBHOOK— Webhook triggering and management
Key can view last4/creation time/latest usage time on the same tab page and revoke it at any time. The revocation becomes invalid immediately and already issued requests are not affected.
- Never commit API Key to Git repository; it is recommended to put it in CI secret store / 1Password / Doppler.
- Follow the principle of least privilege: if a CI job only needs `EXECUTION_WRITE`, do not grant `WORKFLOW_WRITE`.
- If you are worried about being leaked, cancel immediately + create a new one.
Other Authentication Methods (in-browser/in-workflow)
- Browser login = HttpOnly Cookie + CSRF — Starting from 2026-05, the platform adopts HttpOnly Cookie authentication: dy_access / dy_refresh / dy_csrf are automatically managed by the browser, and POST/PUT/PATCH/DELETE requests automatically carry the X-CSRF-Token header. The front-end code cannot touch the token in localStorage.
- Callbacks inside workflows — zero configuration — When a running workflow needs to call the platform API (such as creating a public link through a built-in module), the engine will automatically inject the WF_API_TOKEN environment variable - a short-lived JWT, TTL 2 hours, bound to the user who triggered the workflow. The module code can directly read the environment variables, and users do not need to manually manage tokens.
- WebSocket authentication — Use POST /api/auth/ws-ticket to get a one-time ticket with a 30-second TTL, and include ?ticket=<value> in the handshake. The front-end composables/useExecutionWebSocket.ts has been packaged.
Notification Preferences
Divided into three categories:
- Account Safety — New device logins, password changes, suspicious activity. It is recommended to open it fully.
- Workflow status — Execution failure, approval request, budget overrun, schedule delay. Each category can choose "email/site/no notification".
- Product Updates — New features, new additions to the template library, and blog push. Subscription is recommended but can be turned off.
Logged In Session
List all devices + browsers holding valid tokens:
- Device Type/Browser/IP Region/Last Active Time
- Click "Logout" to kick out a session individually
- Click "Log Out All" to delete all except the current one (you usually do this once when you "get a new phone")
Trusted Device
After 2FA is turned on, devices that check "Remember Device" will be added to this list after logging in. The difference from session:
- Session = current login status (valid for 7–30 days)
- Trusted device = 2FA-free credentials for next login (valid for 30 days)
GDPR: Data Rights
Braidrun offers a complete GDPR Phase 0 compliance stack. Account Settings → Under the "Data & Privacy" tab:
1. Data Export (Right of Access / Right of Portability · Art. 15 / 20)
Click "Export my data" and the platform will package the ZIP asynchronously:
- Your account information (users.json)
- All workflows you create (workflows.jsonl)
- Your execution history + details (executions.jsonl)
- Your credential metadata (credentials.jsonl, only name + provider type, no secret)
- Your consent record (consents.jsonl)
- Audit log (audit_log.jsonl)
- Issued public links (artifact_public_links.jsonl)
You will be notified via email after generation, and the download link will be valid for 24 hours.
2. Account Deletion (Right to Be Forgotten · Art. 17)
Click "Delete My Account" to get started:
- Make sure you are not the sole owner of any Team (if so, transfer ownership first).
- Confirm to discard all personal workflows and credentials (it is recommended to export them first).
- Enter email + password + 2FA confirmation.
- The account is immediately marked as DELETED and has a 7-day grace period for cancellation. After expiration, the system executes an orderly erasure process: user profile / workflow / execution / scheduling / webhook / credentials / OAuth binding / public link / API key / session / personal artifact + object storage prefix will be cleared.
3. Consent Record and Cookie Banner
View/withdraw your consent records for the four types of policies (TOS/Privacy/Cookies/Data Protection) under the "Data & Privacy" tab. Each record contains the consent time, policy version hash, and source IP. Withdrawing a certain consent will trigger the disabling of the corresponding function (for example, withdrawing the consent for cookies will clear non-essential cookies).
4. Data Retention Period
Your execution history, AI assistant sessions, login attempt records, Webhook events, etc. all have a default retention period; the system will automatically clean them up after expiration. The specific retention period can be viewed in the "Data & Privacy" tab and is also written in the "Data Retention" section of the privacy policy.
Next
- BYOK · Bring Your Own LLM Key — Connect your LLM account
- Subscriptions and Pricing — Quota/Upgrade/Downgrade