Sign-in and sessions

How signing in works, how long sessions last, what to do if you're logged out unexpectedly, and the basics of keeping your account safe.

This article covers the practical side of using a Haubot account: how to get in, how to stay in, and what to do when something feels wrong. For the security model behind it (token storage, expiry, refresh) the short answer is: sign-in issues a pair of JWTs per device, a 30-minute access token and a 30-day refresh token, both kept in the browser's localStorage. The long answer is below.

Signing in

You can sign in with email + password or with one-time codes (OTP) sent to your email. The OTP flow is recommended on shared computers: there's no password to type on a keyboard you don't control, and each code works once and expires after 10 minutes. Either way, sign out when you're done, because the session tokens stay in that browser until you do.

To sign in:

  1. Go to /auth/login.
  2. Enter the email tied to your account.
  3. Either type your password OR click Send me a code to receive an OTP.
  4. On password sign-in, the form posts to our auth service, which returns access + refresh tokens stored in localStorage.
  5. On OTP sign-in, the email arrives within seconds; the code is valid for 10 minutes.

Successful sign-in lands you on the dashboard if you're a returning user, or on a profile-completion step if it's your first time.

Sessions

A session is the combination of two tokens stored in your browser's localStorage:

  • Access token. Valid for 30 minutes. Sent on every API request as Authorization: Bearer <token>. If it's expired, the request fails with 401 and the frontend automatically refreshes.
  • Refresh token. Valid for 30 days, counted from its last use, so the window slides for as long as you keep using the platform. Used solely to mint a new access token when the current one expires. The frontend handles this transparently.

So in practice: you sign in once and stay signed in for 30 days of activity. If you stop using the platform for more than 30 days, the refresh token expires and you have to sign in again.

Sessions are per-device. Signing in on your phone doesn't sign you out on your laptop. We list active devices in your account settings — you can revoke any of them individually.

Sign-out

The Sign out button in the menu clears both tokens from your browser and revokes the refresh token on the server side. After this:

  • The browser you signed out from is fully signed out.
  • Other devices you're signed in on continue to work.
  • If you want to sign out everywhere, use Sign out all devices in account settings.

Revocation acts on refresh tokens. An access token copied out of the browser before you signed out isn't revoked and keeps working until its own expiry, at most 30 minutes later. If that is the scenario you're worried about, change your password as well: that invalidates all existing sessions (see below).
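Here is the sign-in, refresh and sign-out behaviour described above, written out as browser-side code. This is an added illustration, not Haubot's actual frontend: only /auth/login appears on this page, so the other endpoint paths (/auth/otp/send, /auth/otp/verify, /auth/refresh, /auth/logout), the JSON field names and the localStorage key names are assumptions. fetch and localStorage are passed in rather than read from window so the client can be run offline against fakes.

```javascript
// Added example, not Haubot's own frontend code. It follows the flow on this page:
// tokens in localStorage, Bearer header on every request, refresh on 401, revoke on
// sign-out. Only /auth/login is named on the page; /auth/otp/send, /auth/otp/verify,
// /auth/refresh, /auth/logout, the JSON field names and the key names are assumptions.
const ACCESS_KEY = "haubot.access_token";
const REFRESH_KEY = "haubot.refresh_token";

// fetchImpl and storage are injected (window.fetch / window.localStorage in a browser).
function createAuthClient({ fetchImpl, storage, baseUrl = "" }) {
  let refreshInFlight = null; // one shared refresh for any number of concurrent 401s

  const postJson = (path, body) =>
    fetchImpl(baseUrl + path, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(body),
    });

  const storeTokens = ({ access_token, refresh_token }) => {
    storage.setItem(ACCESS_KEY, access_token);
    storage.setItem(REFRESH_KEY, refresh_token);
  };
  const clearTokens = () => {
    storage.removeItem(ACCESS_KEY);
    storage.removeItem(REFRESH_KEY);
  };

  // Step 4: password sign-in returns both tokens in one response.
  async function loginWithPassword(email, password) {
    const res = await postJson("/auth/login", { email, password });
    if (!res.ok) throw new Error(`sign-in failed: HTTP ${res.status}`);
    storeTokens(await res.json());
  }

  // Steps 3 and 5: "Send me a code", then exchange the single-use OTP for tokens.
  async function requestOtp(email) {
    const res = await postJson("/auth/otp/send", { email });
    if (!res.ok) throw new Error(`could not send code: HTTP ${res.status}`);
  }
  async function loginWithOtp(email, code) {
    const res = await postJson("/auth/otp/verify", { email, code });
    if (!res.ok) throw new Error(`code rejected: HTTP ${res.status}`);
    storeTokens(await res.json());
  }

  // Mint a new access token. Resolves false when the refresh token is missing,
  // expired (30 days idle) or revoked; the local session is dropped in that case.
  function refresh() {
    if (!refreshInFlight) {
      refreshInFlight = (async () => {
        const refreshToken = storage.getItem(REFRESH_KEY);
        if (!refreshToken) return false;
        const res = await postJson("/auth/refresh", { refresh_token: refreshToken });
        if (!res.ok) {
          clearTokens();
          return false;
        }
        storeTokens(await res.json());
        return true;
      })().finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight;
  }

  // Authenticated call: attach the access token; on 401 refresh once and retry once.
  async function apiFetch(path, init = {}) {
    const send = () =>
      fetchImpl(baseUrl + path, {
        ...init,
        headers: { ...(init.headers || {}), Authorization: `Bearer ${storage.getItem(ACCESS_KEY)}` },
      });
    let res = await send();
    if (res.status === 401) {
      if (!(await refresh())) throw new Error("session expired, sign in again");
      res = await send();
    }
    return res;
  }

  // Sign out: revoke the refresh token server-side, and drop both tokens locally
  // even if the revoke request fails (the error still propagates to the caller).
  async function logout() {
    const refreshToken = storage.getItem(REFRESH_KEY);
    try {
      if (refreshToken) await postJson("/auth/logout", { refresh_token: refreshToken });
    } finally {
      clearTokens();
    }
  }

  return { loginWithPassword, requestOtp, loginWithOtp, refresh, apiFetch, logout };
}
```

In a browser you would call createAuthClient({ fetchImpl: window.fetch.bind(window), storage: window.localStorage }). The single shared refresh promise is the detail worth copying: when several requests fail with 401 at the same moment, only one refresh runs, so a freshly rotated refresh token is never submitted twice.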

"Why was I signed out?"

A handful of legitimate reasons:

  1. You signed out everywhere. Used Sign out all devices from another device? A normal sign-out on another device doesn't affect this one, but clearing this browser's site data (not just its cookies) removes the stored tokens and has the same effect as signing out here.
  2. 30 days of inactivity. Refresh token expired.
  3. Your password changed. Changing password invalidates all existing sessions on purpose.
  4. You changed email. Same as password — old sessions die.
  5. An admin forced sign-out. Rare. Happens after security incidents or T&C violations. You'd see a notice on the next sign-in.

If you're being signed out repeatedly within hours and none of the above applies, treat it as suspicious and email security@haubot. We'll look at the audit log.

Two-factor (2FA)

We support two flavours:

  • Authenticator app. Time-based one-time passcodes (Google Authenticator, 1Password, Authy, etc.). Set up in account settings: we show a QR code, you scan it, then you enter the 6-digit code the app generates to confirm the secret was captured correctly.
  • SMS code. A 6-digit code via SMS to a verified phone. Slower than an authenticator app, less secure (SIM swap attacks), but better than nothing if you don't use authenticator apps.

We recommend enabling 2FA, especially if your account has a seller profile or any approval-required document grants. The cost is 5 seconds per sign-in; the value is "your account doesn't get taken over by a leaked password".

When 2FA is on:

  • The first sign-in step (email + password / OTP) is the same.
  • A second prompt appears for the 2FA code.
  • Recovery codes (10 single-use codes) are generated when you enable 2FA — write them down or store in a password manager. Lose access to your authenticator AND your recovery codes and you've locked yourself out.

Recovery flow

If you lose access to your account:

  1. Click Forgot password on the sign-in page.
  2. Enter your email. We send a reset link if the email matches an account.
  3. The link is valid for 1 hour.
  4. Set a new password. All sessions are invalidated; you sign in fresh.

If you also lost access to your email, contact support@haubot with proof of identity (the same details you used at sign-up). This is slow on purpose: account recovery without email control is one of the most common social-engineering vectors, and we'd rather frustrate the rare legitimate case than approve impersonators easily.

Account settings: what's there

In the dashboard's account settings:

  • Profile. Display name, photo, bio.
  • Security. Password change, 2FA setup, recovery codes, Sign out all devices.
  • Active sessions. Each device that's currently signed in, with last-used timestamp and IP. Revoke individually.
  • Email and phone. Verify, change. Change requires the new address/number to be verified before the old one is dropped.
  • Notifications. Which events email you (new bid, message, request approved/denied, etc.).

Quick safety checklist

  • Use a unique password (a password manager makes this trivial).
  • Turn on 2FA.
  • Don't reuse the password from your email — your email is the master key.
  • If you sign in on a borrowed computer, sign out before you leave; clearing the site's data afterwards (which removes the stored tokens, not only cookies) is reasonable paranoia.
  • Treat any email asking you to "verify your Haubot account" with suspicion. We only send links for actions you just started yourself (a password reset you requested, or confirming an email or phone change you made in settings), never unprompted.

If something feels wrong with your account, the Sign out all devices button is the panic button. Use it, then change your password, then turn on 2FA if you hadn't already.