NewSee how
FirstSales
Home/Tutorials/Secure your account: password, roles & API key scopes
Team & Workspace

Secure your account: password, roles & API key scopes

The real security controls: change your password with email-OTP verification, apply least-privilege roles, scope API keys narrowly, and suspend or remove members.

5 min read·Intermediate·7 steps
  1. 1

    What you can actually control

    Four real controls exist: your password (email-OTP verified), who has what access (roles), how far API keys reach (scopes), and cutting off a member (suspend/remove). Setting expectations honestly up front avoids relying on controls the app doesn't have.

  2. 2

    Change your password (Settings → Security)

    Open Change Password, click Send Verification Code, enter the 6-digit code emailed to your account address, then set a new password (minimum 8 characters, confirmed). No code, no change.

    Change your password (Settings → Security)
  3. 3

    Apply least-privilege roles

    Assign members the narrowest role that lets them do their job. Owners are protected — they can't be suspended or removed from the member menu. See the permission-groups-and-roles tutorial for the full role setup.

  4. 4

    Scope API keys narrowly

    When creating a Developer API key, grant only the scopes it needs — for example contacts:read for a read-only export — instead of the full-access * scope. See the create-developer-api-keys tutorial for the walkthrough.

  5. 5

    Rotate or revoke keys

    API key management (admin/owner only) lets you revoke a key the moment it's exposed. Prefer several narrow keys you can revoke individually over one all-powerful key.

  6. 6

    Suspend or remove a member

    In Team, open a member's menu and choose Suspend (temporarily cut access, reversible via Unsuspend) or Remove (immediately revokes access; they can be re-invited later).

  7. 7

    A quick hardening checklist

    Strong password set via OTP, every member on least-privilege, API keys scoped instead of *, and suspend/remove anyone who leaves.

Pro tips

Hard-won shortcuts that keep warm-up on track.

1

One API key per integration

Create one key per integration with only the scopes it needs — when one leaks you revoke that key without breaking the others.

2

Avoid full-access keys for read-only jobs

Never hand out a * (full-access) API key for a read-only job; contacts:read or campaigns:read is usually all a script needs.

3

Suspend before you remove

If you're unsure, suspend first — it's instantly reversible. Removal means re-inviting the person later.

4

Guard your account email

Password changes require a code emailed to your account address — keep access to that inbox, or you can't rotate your password.

Frequently asked questions

Does FirstSales support 2FA / MFA?

Not currently. Your account controls are an email-OTP-verified password change, least-privilege roles, scoped API keys, and member suspend/remove. Use a strong, unique password and tight roles.

How do I change my password?

Settings → Security → Change Password → get a 6-digit code by email → verify → set a new password (minimum 8 characters).

Can I log out other devices or see active sessions?

There's no session-management screen today. To cut off a person's access, suspend or remove them from the team.

How do I limit what an API key can do?

Pick specific scopes when you create it (read/write per resource). Avoid the * full-access scope unless you truly need it. Managing keys is admin/owner-only.

What's the difference between suspending and removing a member?

Suspend temporarily blocks access and is reversible (Unsuspend). Remove immediately revokes access; the person can be re-invited later.

Can a regular admin delete the owner?

No — the owner is protected; the suspend/remove menu doesn't appear for owners (or for yourself).

Ready to put this into practice?

Start your FirstSales trial and launch a warmed, authenticated mailbox in minutes.

Start for $1