Secure your account: password, roles & API key scopes
The real security controls: change your password with email-OTP verification, apply least-privilege roles, scope API keys narrowly, and suspend or remove members.
- 1
What you can actually control
Four real controls exist: your password (email-OTP verified), who has what access (roles), how far API keys reach (scopes), and cutting off a member (suspend/remove). Setting expectations honestly up front avoids relying on controls the app doesn't have.
- 2
Change your password (Settings → Security)
Open Change Password, click Send Verification Code, enter the 6-digit code emailed to your account address, then set a new password (minimum 8 characters, confirmed). No code, no change.

- 3
Apply least-privilege roles
Assign members the narrowest role that lets them do their job. Owners are protected — they can't be suspended or removed from the member menu. See the permission-groups-and-roles tutorial for the full role setup.
- 4
Scope API keys narrowly
When creating a Developer API key, grant only the scopes it needs — for example
contacts:readfor a read-only export — instead of the full-access*scope. See the create-developer-api-keys tutorial for the walkthrough. - 5
Rotate or revoke keys
API key management (admin/owner only) lets you revoke a key the moment it's exposed. Prefer several narrow keys you can revoke individually over one all-powerful key.
- 6
Suspend or remove a member
In Team, open a member's menu and choose Suspend (temporarily cut access, reversible via Unsuspend) or Remove (immediately revokes access; they can be re-invited later).
- 7
A quick hardening checklist
Strong password set via OTP, every member on least-privilege, API keys scoped instead of
*, and suspend/remove anyone who leaves.
Pro tips
Hard-won shortcuts that keep warm-up on track.
One API key per integration
Create one key per integration with only the scopes it needs — when one leaks you revoke that key without breaking the others.
Avoid full-access keys for read-only jobs
Never hand out a * (full-access) API key for a read-only job; contacts:read or campaigns:read is usually all a script needs.
Suspend before you remove
If you're unsure, suspend first — it's instantly reversible. Removal means re-inviting the person later.
Guard your account email
Password changes require a code emailed to your account address — keep access to that inbox, or you can't rotate your password.
Frequently asked questions
Does FirstSales support 2FA / MFA?
Not currently. Your account controls are an email-OTP-verified password change, least-privilege roles, scoped API keys, and member suspend/remove. Use a strong, unique password and tight roles.
How do I change my password?
Settings → Security → Change Password → get a 6-digit code by email → verify → set a new password (minimum 8 characters).
Can I log out other devices or see active sessions?
There's no session-management screen today. To cut off a person's access, suspend or remove them from the team.
How do I limit what an API key can do?
Pick specific scopes when you create it (read/write per resource). Avoid the * full-access scope unless you truly need it. Managing keys is admin/owner-only.
What's the difference between suspending and removing a member?
Suspend temporarily blocks access and is reversible (Unsuspend). Remove immediately revokes access; the person can be re-invited later.
Can a regular admin delete the owner?
No — the owner is protected; the suspend/remove menu doesn't appear for owners (or for yourself).
Ready to put this into practice?
Start your FirstSales trial and launch a warmed, authenticated mailbox in minutes.
Start for $1