> ## Documentation Index
> Fetch the complete documentation index at: https://docs.zexa.ao/llms.txt
> Use this file to discover all available pages before exploring further.

# Secure Your Zexa Account Using 2FA and API Key Controls

> Protect your Zexa account by enabling two-factor authentication, managing API keys securely, and reviewing or revoking active login sessions.

Protecting your Zexa account protects your contacts, message history, and billing details. Enable two-factor authentication and rotate your API keys regularly to keep your account secure and reduce the risk of unauthorised access.

## Two-Factor Authentication (2FA)

Two-factor authentication adds a second verification step at login, making it significantly harder for an attacker to access your account even if your password is compromised.

<Steps>
  <Step title="Open Security settings">
    Go to **Settings → Security → Two-Factor Authentication**.
  </Step>

  <Step title="Enable 2FA">
    Click **Enable 2FA** to begin setup.
  </Step>

  <Step title="Scan the QR code">
    Open your authenticator app (e.g. Google Authenticator or Authy) and scan the QR code displayed on screen.
  </Step>

  <Step title="Confirm with a code">
    Enter the 6-digit code generated by your authenticator app to verify the setup was successful.
  </Step>

  <Step title="Save your backup codes">
    Download or copy your backup codes and store them somewhere safe, such as a password manager or printed copy kept offline.
  </Step>
</Steps>

<Warning>
  If you lose access to your authenticator app **and** your backup codes, you may be permanently locked out of your account. Store backup codes securely before closing the setup screen.
</Warning>

<Tip>
  Use a dedicated authenticator app rather than SMS-based 2FA. Authenticator apps are not vulnerable to SIM-swap attacks and work without mobile network coverage. A time-based code still does not protect you from a phishing page that relays it in real time, so check that you are entering it on the genuine Zexa login page.
</Tip>

## API key management

API keys allow your applications to authenticate with the Zexa API. Treat them with the same care as passwords.

### Generate an API key

<Steps>
  <Step title="Open API Keys settings">
    Go to **Settings → API Keys** and click **New Key**.
  </Step>

  <Step title="Name your key">
    Give the key a descriptive name that identifies its purpose, for example `Production App` or `Staging Environment`.
  </Step>

  <Step title="Generate and copy">
    Click **Generate**. Copy the key immediately — it is shown only once.
  </Step>
</Steps>

<Warning>
  The API key is displayed only once at the time of creation. Copy it and store it securely — it **cannot be retrieved again** from the dashboard.
</Warning>

### Revoke an API key

Go to **Settings → API Keys** and click **Revoke** next to the key you want to disable. The key becomes invalid immediately and any request still made with it will fail, so when rotating a key generate and deploy the replacement first, then revoke the old one.

### Best practices

* **Use one key per application or environment.** Separate keys for production, staging, and development make it easy to rotate or revoke access without affecting other environments.
* **Rotate keys on a schedule and after any suspected exposure.** Generate the new key, deploy it, then revoke the old one.
* **Revoke unused keys.** Delete any key that is no longer actively used.
* **Never commit keys to source code.** Avoid checking API keys into version control, even in private repositories; a key that has been committed should be treated as exposed and rotated, even if the commit is later removed.

<Tip>
  Store API keys in environment variables or a dedicated secrets manager (e.g. HashiCorp Vault, AWS Secrets Manager) rather than hardcoding them in your application.
</Tip>
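As an added example (not Zexa's own tooling), the Python below shows both halves of that advice: reading the key from an environment variable at run time and failing fast if it is absent, and a small scanner that can run as a pre-commit hook to catch key-looking string literals before they reach version control. The variable name `ZEXA_API_KEY`, the `zx_` key prefix and the sample source file are assumptions constructed for the example; the real format of Zexa keys is not documented on this page.

```python
import math
import os
import re
from collections import Counter
from typing import Mapping, Optional

# Assumed environment variable name; the Zexa docs do not prescribe one.
ENV_VAR = "ZEXA_API_KEY"


def load_api_key(env: Optional[Mapping[str, str]] = None) -> str:
    """Read the key from the environment at run time and fail fast if it is absent,
    so a misconfigured deployment stops instead of sending unauthenticated calls."""
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; export it or inject it from your secrets manager")
    return key


# A long string literal assigned to a name that smells like a credential, e.g.
#   api_key = "..."   ZEXA_SECRET: '...'   config.token="..."
ASSIGNMENT = re.compile(
    r"(?i)[\w.]*(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*"
    r"[\"'](?P<value>[A-Za-z0-9_\-]{16,})[\"']"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, placeholders like 'xxxx' score 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_keys(source: str, min_entropy: float = 3.5) -> list:
    """Return (line_number, literal) for string literals that look like real secrets."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            value = m.group("value")
            if shannon_entropy(value) >= min_entropy:
                hits.append((lineno, value))
    return hits


# Constructed source file for the demonstration; the key value is made up and the
# "zx_" prefix is an assumption, not Zexa's real key format.
SAMPLE_SOURCE = """\
import os
# Bad: a live-looking key pasted straight into the code
ZEXA_API_KEY = "zx_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
# Harmless: a placeholder the developer meant to replace
api_key = "xxxxxxxxxxxxxxxxxxxx"
# Good: the key is supplied by the environment at run time
API_KEY = os.environ["ZEXA_API_KEY"]
"""


if __name__ == "__main__":
    import sys
    # Pre-commit usage: python scan_keys.py $(git diff --cached --name-only)
    sources = {p: open(p, encoding="utf-8", errors="ignore").read() for p in sys.argv[1:]}
    sources = sources or {"<sample>": SAMPLE_SOURCE}
    findings = 0
    for path, text in sources.items():
        for lineno, value in find_hardcoded_keys(text):
            print(f"{path}:{lineno}: possible hardcoded key starting {value[:6]}...")
            findings += 1
    sys.exit(1 if findings else 0)
```

With no arguments the script scans the constructed sample and reports only line 3; the placeholder on line 5 matches the pattern but its entropy is zero, and line 7 assigns an expression rather than a literal. The 3.5 bits-per-character threshold separates random keys from placeholders well enough for a first pass, but tighten the regex to the real key format once you know it, since a hook that only runs on commit is a safety net and not a substitute for keeping keys out of the working tree in the first place.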

## Active sessions

Review all devices currently logged in to your account.

Go to **Settings → Security → Active Sessions**. Each session entry shows:

* **Device** — browser or app used
* **Location** — approximate geographic location based on IP address
* **Last active** — time of most recent activity

Click **Revoke** next to any session you do not recognise to end it immediately. An unrecognised session usually means your password or a session token has been exposed, so change your password as well.

## Password change

Change your password if you suspect it has been exposed, for example after a breach at another service where you reused it, and use a long, unique password that you do not reuse elsewhere.

1. Go to **Settings → Security → Change Password**.
2. Enter your current password, then your new password.
3. Click **Save**.

**Password requirements:**

* Minimum 8 characters
* At least one uppercase letter
* At least one number
* At least one special character (e.g. `!`, `@`, `#`, `$`)

<Note>
  If you suspect unauthorised access to your account, revoke all API keys, end every active session you do not recognise, change your password, and contact the Zexa support team at [suporte@zexa.ao](mailto:suporte@zexa.ao). We will help you secure your account as quickly as possible.
</Note>
