Webhook Relay
Sign up free
DocumentationFundamentals

Multi-factor authentication (MFA)

Add multi-factor authentication (MFA) to your Webhook Relay account for an extra layer of login security. Available on every plan, including the free tier.

Multi-factor authentication (MFA), sometimes called two-factor authentication (2FA), adds a second step to your login. After your password you also enter a one-time code from an authenticator app, so a leaked or guessed password is no longer enough to access your account.

MFA is available on every plan, including the free tier — there is no need to upgrade to secure your account.

How it works

Webhook Relay uses app-based, time-based one-time passwords (TOTP) — the same standard supported by Google Authenticator, 1Password, Authy, Microsoft Authenticator and most password managers. Your authenticator app and Webhook Relay share a secret once, during setup, and from then on the app generates a fresh 6-digit code every 30 seconds. Nothing is sent over SMS, so there is no SIM-swap risk.

Enable MFA

  1. Open your account details page and go to the Security section.
  2. Choose Enable two-factor authentication. A QR code and a setup key are shown.
  3. In your authenticator app, scan the QR code (or type the setup key manually).
  4. Enter the 6-digit code from the app to confirm the two are in sync.
  5. Save your recovery codes somewhere safe (see below), then finish.

From the next sign-in onwards, you'll be asked for a code from your app after entering your password.

Set up your authenticator app on a device you keep — not the same single device you might lose access to. A password manager that syncs across your devices is a good place to store TOTP secrets.

Recovery codes

When you enable MFA you are given a set of one-time recovery codes. Each code lets you sign in once if you don't have your authenticator app — for example if your phone is lost, stolen or reset.

  • Store them in a password manager or another safe place, not only on the device that runs your authenticator app.
  • Each recovery code works once. After you use one, cross it off.
  • You can regenerate a fresh set from the Security section at any time — doing so invalidates the old codes.

If you run out of recovery codes and lose access to your authenticator app, contact [email protected] from the email address on the account so we can verify ownership and help you regain access.

Disable MFA

To turn MFA off, open the Security section of your account details page and disable two-factor authentication. You'll be asked to confirm with your password or a current code. We recommend keeping MFA enabled.

MFA and teams

If you invite team members or sub-accounts, each user enables MFA on their own login independently — protecting your account is up to every member who can access it. For organisation-wide enforcement and SSO (SAML with Okta, Active Directory and similar), see our Enterprise plan.

Did this page help you?