---
title: "Secure your account: password, roles & API key scopes | FirstSales"
description: "The real security controls: change your password with email-OTP verification, apply least-privilege roles, scope API keys narrowly, and suspend or remove members."
canonical: "https://firstsales.io/tutorial/secure-your-account/"
---

[Home](/)/[Tutorials](/tutorial/)/Secure your account: password, roles & API key scopes

Team & Workspace

# Secure your account: password, roles & API key scopes

The real security controls: change your password with email-OTP verification, apply least-privilege roles, scope API keys narrowly, and suspend or remove members.

5 min read·Intermediate·7 steps

1. 1  
## What you can actually control  
Four real controls exist: your password (email-OTP verified), who has what access (roles), how far API keys reach (scopes), and cutting off a member (suspend/remove). Setting expectations honestly up front avoids relying on controls the app doesn't have.
2. 2  
## Change your password (Settings → Security)  
Open **Change Password**, click **Send Verification Code**, enter the 6-digit code emailed to your account address, then set a new password (minimum 8 characters, confirmed). No code, no change.  
![Change your password (Settings → Security)](/tutorials/secure-account-01-password.webp)
3. 3  
## Apply least-privilege roles  
Assign members the narrowest role that lets them do their job. Owners are protected — they can't be suspended or removed from the member menu. See the permission-groups-and-roles tutorial for the full role setup.
4. 4  
## Scope API keys narrowly  
When creating a Developer API key, grant only the scopes it needs — for example `contacts:read` for a read-only export — instead of the full-access `*` scope. See the create-developer-api-keys tutorial for the walkthrough.
5. 5  
## Rotate or revoke keys  
API key management (admin/owner only) lets you revoke a key the moment it's exposed. Prefer several narrow keys you can revoke individually over one all-powerful key.
6. 6  
## Suspend or remove a member  
In **Team**, open a member's menu and choose **Suspend** (temporarily cut access, reversible via Unsuspend) or **Remove** (immediately revokes access; they can be re-invited later).
7. 7  
## A quick hardening checklist  
Strong password set via OTP, every member on least-privilege, API keys scoped instead of `*`, and suspend/remove anyone who leaves.

## Pro tips

Hard-won shortcuts that keep warm-up on track.

1

### One API key per integration

Create one key per integration with only the scopes it needs — when one leaks you revoke that key without breaking the others.

2

### Avoid full-access keys for read-only jobs

Never hand out a \* (full-access) API key for a read-only job; contacts:read or campaigns:read is usually all a script needs.

3

### Suspend before you remove

If you're unsure, suspend first — it's instantly reversible. Removal means re-inviting the person later.

4

### Guard your account email

Password changes require a code emailed to your account address — keep access to that inbox, or you can't rotate your password.

## Frequently asked questions

Does FirstSales support 2FA / MFA?

Not currently. Your account controls are an email-OTP-verified password change, least-privilege roles, scoped API keys, and member suspend/remove. Use a strong, unique password and tight roles.

How do I change my password?

**Settings → Security → Change Password** → get a 6-digit code by email → verify → set a new password (minimum 8 characters).

Can I log out other devices or see active sessions?

There's no session-management screen today. To cut off a person's access, **suspend** or **remove** them from the team.

How do I limit what an API key can do?

Pick specific scopes when you create it (read/write per resource). Avoid the `*` full-access scope unless you truly need it. Managing keys is admin/owner-only.

What's the difference between suspending and removing a member?

Suspend temporarily blocks access and is reversible (Unsuspend). Remove immediately revokes access; the person can be re-invited later.

Can a regular admin delete the owner?

No — the owner is protected; the suspend/remove menu doesn't appear for owners (or for yourself).

## Ready to put this into practice?

Start your FirstSales trial and launch a warmed, authenticated mailbox in minutes.

[Start for $1](https://app.firstsales.io)

[All tutorials](/tutorial/)