Account & security
ZeroDrop gives you several independent ways to secure your account and to automate it. They're all on the account pages of the console.
Password
Your password is stored only as a strong one-way hash, so ZeroDrop can never read it back. You can change it at any time from the Settings page; you'll be asked for your current password first.
If you ever lose access, use Forgot password on the sign-in screen. ZeroDrop emails a single-use, time-limited reset link. Sign-in and reset are rate-limited and timing-equalised, so the system never reveals whether an email address has an account.
Signing in with Google or GitHub
You can sign up and sign in with Google or GitHub instead of a password. The buttons appear on both the sign-up and sign-in screens.
The first time you use one, ZeroDrop creates your account from the verified email your provider reports, so there's no separate confirmation step. After that, the same button signs you into that account. If you already have a password account and later use a provider that reports the same email, the two link to the one account, and you can then sign in either way.
An account created purely through a provider has no password, so Forgot password doesn't apply to it; sign in with the provider instead. You can still add two-factor authentication or a passkey to it for extra protection.
Two-factor authentication (TOTP)
Turn on two-factor authentication to require a six-digit code from an authenticator app (Google Authenticator, 1Password, Authy, and similar) in addition to your password.
- Go to the Two-factor page and scan the QR code into your app.
- Enter a code to confirm the pairing.
- Store your recovery information somewhere safe.
From then on, sign-in asks for a fresh code. Repeated wrong codes are throttled.
Passkeys
A passkey lets you sign in with your device's biometrics or security key, with no password and nothing to phish. ZeroDrop supports passkeys via WebAuthn.
- Add one or more passkeys from the Passkeys page (a laptop fingerprint reader, a phone, a hardware key). Add several so you're never locked out.
- Sign in later by choosing passkey and approving the prompt.
API tokens
API tokens let scripts and tools manage your checks over the HTTP API without your password. A token has the same access as your account.
- Create a token from the API tokens page. The raw token is shown once, so copy it immediately; ZeroDrop stores only a hash and can't show it again.
- Send it as a bearer token:
Authorization: Bearer <token>. - Revoke a token at any time to cut off its access instantly.
Because tokens are bearer credentials, treat them like passwords: keep them out of source control and rotate them if one might be exposed. The API itself is documented in the API reference, and is the way to manage your checks as code, declaring the set of checks you want and applying it idempotently.
How sessions are protected
A few things happen behind the scenes to keep your session safe:
- Session and token secrets are stored only as hashes, never in plaintext.
- Mutating requests from the browser are protected against cross-site request forgery (CSRF); bearer-token API requests are exempt because they don't ride on your cookies.
- Sensitive secrets such as your two-factor key are encrypted at rest.
You don't have to configure any of this. It's on by default.