Protecting your Zexa account protects your contacts, message history, and billing details. Enable two-factor authentication and rotate your API keys regularly to keep your account secure and reduce the risk of unauthorised access.

Two-Factor Authentication (2FA)

Two-factor authentication adds a second verification step at login, making it significantly harder for an attacker to access your account even if your password is compromised.
  1. Open Security settings. Go to Settings → Security → Two-Factor Authentication.
  2. Enable 2FA. Click Enable 2FA to begin setup.
  3. Scan the QR code. Open your authenticator app (e.g. Google Authenticator or Authy) and scan the QR code displayed on screen.
  4. Confirm with a code. Enter the 6-digit code generated by your authenticator app to verify the setup was successful.
  5. Save your backup codes. Download or copy your backup codes and store them somewhere safe, such as a password manager or printed copy kept offline.
If you lose access to your authenticator app and your backup codes, you may be permanently locked out of your account. Store backup codes securely before closing the setup screen.
Use a dedicated authenticator app rather than SMS-based 2FA. Authenticator apps are not vulnerable to SIM-swap attacks and work without mobile network coverage.
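
Why an authenticator app keeps working without network coverage, shown as an added example (not Zexa's code): assuming Zexa's 2FA is standard TOTP (RFC 6238), as implemented by the apps named above, the 6-digit code is derived only from the secret in the QR code and the current time. The secret below is the constructed RFC 6238 test value, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30  # seconds per code, the usual authenticator-app default (assumed here)


def totp(secret_b32: str, at: Optional[float] = None, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code (HMAC-SHA1) for a base32 secret."""
    # The QR code carries the shared secret as base32; pad to a multiple of 8.
    cleaned = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    # Moving factor: number of STEP-second intervals since the Unix epoch.
    counter = int((time.time() if at is None else at) // STEP)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks an offset.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, at: Optional[float] = None,
           window: int = 1) -> bool:
    """Accept the current code or one from `window` steps either side (clock drift)."""
    now = time.time() if at is None else at
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * STEP)
        # Constant-time comparison with no early exit, so timing leaks nothing.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, at=59)
    print("code at t=59:", code)
    print("accepted one step late:", verify(SAMPLE_SECRET, code, at=89))
    print("accepted three steps late:", verify(SAMPLE_SECRET, code, at=149))
```

Because the secret alone is enough to generate valid codes, the QR code shown during setup deserves the same protection as the backup codes.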

API key management

API keys allow your applications to authenticate with the Zexa API. Treat them with the same care as passwords.

Generate an API key

  1. Open API Keys settings. Go to Settings → API Keys and click New Key.
  2. Name your key. Give the key a descriptive name that identifies its purpose, for example Production App or Staging Environment.
  3. Generate and copy. Click Generate. Copy the key immediately — it is shown only once.
The API key is displayed only once at the time of creation. Copy it and store it securely — it cannot be retrieved again from the dashboard.

Revoke an API key

Go to Settings → API Keys and click Revoke next to the key you want to disable. The key becomes invalid immediately.

Best practices

  • Use one key per application or environment. Separate keys for production, staging, and development make it easy to rotate or revoke access without affecting other environments.
  • Revoke unused keys. Delete any key that is no longer actively used.
  • Never commit keys to source code. Avoid checking API keys into version control, even in private repositories.
Store API keys in environment variables or a dedicated secrets manager (e.g. HashiCorp Vault, AWS Secrets Manager) rather than hardcoding them in your application.

Active sessions

Review all devices currently logged in to your account. Go to Settings → Security → Active Sessions. Each session entry shows:
  • Device — browser or app used
  • Location — approximate geographic location based on IP address
  • Last active — time of most recent activity
Click Revoke next to any session you do not recognise to end it immediately.

Password change

Update your password regularly to maintain account security.
  1. Go to Settings → Security → Change Password.
  2. Enter your current password, then your new password.
  3. Click Save.
Password requirements:
  • Minimum 8 characters
  • At least one uppercase letter
  • At least one number
  • At least one special character (e.g. !, @, #, $)
If you suspect unauthorised access to your account, revoke all API keys immediately and contact the Zexa support team at suporte@zexa.ao. We will help you secure your account as quickly as possible.