Skip to main content
DocsAccountAccount Settings

Account Settings

Personal information, password changes, notification preferences, logged in session management.

The account settings page gathers everything about you as a person — profile, password, notifications, signed-in devices. This page walks through each item.

Where To Start

Pull down the avatar in the upper right corner → "Account Settings", or visit directly/account.

Personal Information

  • Nickname — The name seen by other team members does not need to be your real name.
  • avatar — Upload a picture or generate it using initials (automatically hash the color according to the nickname).
  • Default language — The UI language also affects LLM's default output language suggestions.
  • Default Scheduling Time Zone — It is used by default when creating a new CRON schedule; already created schedules save their own time zone.
  • Dark/light mode — It follows the system by default and can be locked manually.

Email And Password

Modify Email

  1. Enter a new email address → We will send a verification email to the new email address.
  2. Click the confirmation link in your new email address.
  3. The old mailbox will receive a notification that "your mailbox has just been modified" - if it was not you, click "Undo" immediately.

Change Password

Enter current password + new password + confirm again → effective immediately. The system requires more than 8 characters, including letters and numbers; it is recommended to use a password manager to generate it. After the change is completed, other logged-in devices will be logged out.

Two-Step Verification

Turn on/off/reset TOTP, view remaining recovery codes, and regenerate recovery codes. See the complete process Registration and Login.

Programmatic Access to API (API Key)

For automation/CI/external scripts, it is recommended to use a dedicated API Key instead of a password to log in:

  1. Account settings → "API Key" tab → click "New API Key"
  2. Enter the Key name, check the required scope, and optionally set the expiration time.
  3. After saving **only this time** the full Key is displayed (format dyk_<id>_<secret>) - copy immediately to your password manager or secret store
  4. When calling the API: Authorization: Bearer dyk_xxxxx_yyyyy

Supported scopes:

  • WORKFLOW_READ / WORKFLOW_WRITE — Workflow read/write
  • EXECUTION_READ / EXECUTION_WRITE — Execute view/trigger/cancel
  • SCHEDULE_READ / SCHEDULE_WRITE — Schedule read/write
  • WEBHOOK — Webhook triggering and management

Key can view last4/creation time/latest usage time on the same tab page and revoke it at any time. The revocation becomes invalid immediately and already issued requests are not affected.

Avoid Pitfalls
  • Never commit API Key to Git repository; it is recommended to put it in CI secret store / 1Password / Doppler.
  • Follow the principle of least privilege: if a CI job only needs `EXECUTION_WRITE`, do not grant `WORKFLOW_WRITE`.
  • If you are worried about being leaked, cancel immediately + create a new one.

Other Authentication Methods (in-browser/in-workflow)

  • Browser login = HttpOnly Cookie + CSRF — Starting from 2026-05, the platform adopts HttpOnly Cookie authentication: dy_access / dy_refresh / dy_csrf are automatically managed by the browser, and POST/PUT/PATCH/DELETE requests automatically carry the X-CSRF-Token header. The front-end code cannot touch the token in localStorage.
  • Callbacks inside workflows — zero configuration — When a running workflow needs to call the platform API (such as creating a public link through a built-in module), the engine will automatically inject the WF_API_TOKEN environment variable - a short-lived JWT, TTL 2 hours, bound to the user who triggered the workflow. The module code can directly read the environment variables, and users do not need to manually manage tokens.
  • WebSocket authentication — Use POST /api/auth/ws-ticket to get a one-time ticket with a 30-second TTL, and include ?ticket=<value> in the handshake. The front-end composables/useExecutionWebSocket.ts has been packaged.

Notification Preferences

Divided into three categories:

  • Account Safety — New device logins, password changes, suspicious activity. It is recommended to open it fully.
  • Workflow status — Execution failure, approval request, budget overrun, schedule delay. Each category can choose "email/site/no notification".
  • Product Updates — New features, new additions to the template library, and blog push. Subscription is recommended but can be turned off.

Logged In Session

List all devices + browsers holding valid tokens:

  • Device Type/Browser/IP Region/Last Active Time
  • Click "Logout" to kick out a session individually
  • Click "Log Out All" to delete all except the current one (you usually do this once when you "get a new phone")

Trusted Device

After 2FA is turned on, devices that check "Remember Device" will be added to this list after logging in. The difference from session:

  • Session = current login status (valid for 7–30 days)
  • Trusted device = 2FA-free credentials for next login (valid for 30 days)

GDPR: Data Rights

Braidrun offers a complete GDPR Phase 0 compliance stack. Account Settings → Under the "Data & Privacy" tab:

1. Data Export (Right of Access / Right of Portability · Art. 15 / 20)

Click "Export my data" and the platform will package the ZIP asynchronously:

  • Your account information (users.json)
  • All workflows you create (workflows.jsonl)
  • Your execution history + details (executions.jsonl)
  • Your credential metadata (credentials.jsonl, only name + provider type, no secret)
  • Your consent record (consents.jsonl)
  • Audit log (audit_log.jsonl)
  • Issued public links (artifact_public_links.jsonl)

You will be notified via email after generation, and the download link will be valid for 24 hours.

2. Account Deletion (Right to Be Forgotten · Art. 17)

Click "Delete My Account" to get started:

  1. Make sure you are not the sole owner of any Team (if so, transfer ownership first).
  2. Confirm to discard all personal workflows and credentials (it is recommended to export them first).
  3. Enter email + password + 2FA confirmation.
  4. The account is immediately marked as DELETED and has a 7-day grace period for cancellation. After expiration, the system executes an orderly erasure process: user profile / workflow / execution / scheduling / webhook / credentials / OAuth binding / public link / API key / session / personal artifact + object storage prefix will be cleared.

View/withdraw your consent records for the four types of policies (TOS/Privacy/Cookies/Data Protection) under the "Data & Privacy" tab. Each record contains the consent time, policy version hash, and source IP. Withdrawing a certain consent will trigger the disabling of the corresponding function (for example, withdrawing the consent for cookies will clear non-essential cookies).

4. Data Retention Period

Your execution history, AI assistant sessions, login attempt records, Webhook events, etc. all have a default retention period; the system will automatically clean them up after expiration. The specific retention period can be viewed in the "Data & Privacy" tab and is also written in the "Data Retention" section of the privacy policy.

Next