Everything on the Settings → Account tab: studio defaults, your identity, the sign-in surface (connected accounts, password, two-factor, active devices), and the step-up modal that gates every sensitive change. The end of the page covers the danger zone and how account close actually works.
The Account tab is the only place to change who you are to Playloop and how you prove it. Display name, email, password, connected OAuth providers, two-factor authentication, and every active session on your account live in one scroll, with anchored sub-sections so deep-links land you exactly where you need to be.
Every change that touches sign-in is gated by step-up reverification. Playloop's own password prompt opens in front of the page when the call lands on the server with a session that's too old to authorize a sensitive write. Cancel the modal and the page resumes silently; verify and the original click re-fires automatically.
The Account tab renders these sections in order. Skip ahead with the anchors:
Sign-in & security (#sign-in-security): connected accounts, password, 2FA, active devices, sign out of every device. The #sign-in-security anchor is the canonical deep-link target for any in-product email or banner that wants to push the user to the authentication area; every verification-required email and in-app prompt lands here.
Cross-tenant isolation is enforced at the database, not just in application code. Every user-scoped table is protected by Row-Level Security policies that scope reads and writes to the authenticated caller. If a bug ever removed an in-code filter, the database would still return zero rows rather than another studio's data, defense in depth, not application discipline alone.
Tables without a direct owner column (insights, session assets, playtest keys, invites, handles) use join-based policies that walk through the parent row, so a query for another studio's rows still resolves to nothing. The full architectural detail is on /security.
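To make the two policy shapes above concrete, here is an added example (not Playloop's code and not its SQL): an in-memory model of how an owner-column policy and a join-based policy resolve a query. The table shapes, IDs and the `query` helper are constructed for the demo; the point is that the policy is applied below the application's own predicate, so a forgotten tenant filter still yields zero rows.

```javascript
// Added example, not Playloop's code: a model of Row-Level Security resolution.
// All rows and IDs below are constructed for the demo.

// Table with a direct owner column.
const games = [
  { id: "g1", owner_id: "studio-a", title: "Alpha" },
  { id: "g2", owner_id: "studio-b", title: "Bravo" },
];
// Table without an owner column: an insight belongs to a game, not a studio.
const insights = [
  { id: "i1", game_id: "g1", text: "Level 3 drop-off" },
  { id: "i2", game_id: "g2", text: "Tutorial skip rate" },
];

// Owner-column policy: a row is visible only if owner_id is the caller.
const ownerPolicy = (caller) => (row) => row.owner_id === caller;

// Join-based policy: walk through the parent game row. The insight is visible
// only if the parent game is itself visible to the caller under the games policy.
const viaGamePolicy = (caller) => (row) =>
  games.some((g) => g.id === row.game_id && ownerPolicy(caller)(g));

const policies = { games: ownerPolicy, insights: viaGamePolicy };
const tables = { games, insights };

// Models "SELECT * FROM <table> [WHERE predicate]" executed as `caller`.
// The policy is ANDed with whatever the application asks for, so a missing
// or wrong in-code filter can never widen the result set.
function query(caller, table, predicate = () => true) {
  const policy = policies[table](caller);
  return tables[table].filter((row) => policy(row) && predicate(row));
}

// Buggy application code that forgot its tenant filter entirely.
function listAllInsightsBuggy(caller) {
  return query(caller, "insights"); // no WHERE clause at all
}
```

Run as `studio-a`, the buggy listing returns only `i1`; run as `studio-b` with an explicit request for game `g1`'s insights, it returns nothing rather than another studio's data.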
Two fields, both used as defaults when you create a new game from /games:
Save runs through a server action; no step-up needed (these are workspace defaults, not identity changes).
Surfaced in this card:
Up to 80 characters. Shown across dashboards, reports, and exports. Editable inline, no step-up.
Renders as read-only or editable depending on whether you have a password set. See Email below for the two modes.
Renders only when an active gift window is set on your account. Shows the expiry date. Granted by Playloop, no card on file required during the window.
Read-only today. Renders even when zero so the surface doesn't feel like a phantom feature when the credit economy ships. Admin-adjusted from the admin app.
The email field flips between read-only and editable based on whether you have a self-managed sign-in method:
OAuth-only sign-in. The email is owned by your provider (Google today), editing it here wouldn't update anything the provider uses, so we don't pretend it does. Hint copy: "Comes from your sign-in account. Set a password below to manage it here."
You own the email independently of any OAuth provider. Click Change email → enter new address → we email a 6-digit code → verify → new email is promoted to primary.
Five sub-sections, all rendered by a single client component that hangs its own step-up provider so the custom modal is available to every sensitive write inside. Deep-link target: /settings/account#sign-in-security.
Lists every OAuth provider linked to your Playloop account. Google is the only provider wired up today; the layout accommodates more without code changes when they ship.
Click Connect Google and an OAuth round-trip kicks off. Step-up gated. Recorded in your audit log as “OAuth connected” with the provider name.
Click Disconnect on the provider row. Step-up gated. Recorded in your audit log as “OAuth disconnected.”
The Disconnect button refuses to leave you without any sign-in method. The rule:
You can disconnect a provider only if you also have a password set OR at least one other OAuth provider linked. If neither is true, the button is disabled and shows the rule on hover. The same rule is enforced server-side; the client check exists so the UX surfaces the reason before the click instead of after.
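The rule above is small enough to share between the client (button state and hover reason) and the server (the check that actually matters). Here is an added example, not Playloop's code, that expresses it as one pure function plus a server-side handler that re-checks it; the account shape (`hasPassword`, `oauthProviders`) is an assumption for the demo.

```javascript
// Added example, not Playloop's code. Account shape is assumed:
//   { hasPassword: boolean, oauthProviders: string[] }

// Pure rule: disconnecting `provider` is allowed only if a password is set
// OR at least one other OAuth provider stays linked afterwards.
function canDisconnectProvider(account, provider) {
  const linked = account.oauthProviders;
  if (!linked.includes(provider)) {
    return { allowed: false, reason: `${provider} is not linked to this account.` };
  }
  const others = linked.filter((p) => p !== provider);
  if (account.hasPassword || others.length > 0) {
    return { allowed: true, reason: null };
  }
  return {
    allowed: false,
    reason: `Set a password or connect another provider before disconnecting ${provider}.`,
  };
}

// Client side: drive the button from the same rule so the reason is visible
// before the click rather than after.
function disconnectButtonState(account, provider) {
  const check = canDisconnectProvider(account, provider);
  return { disabled: !check.allowed, hoverText: check.reason };
}

// Server side: never trust the client's conclusion; re-run the rule and refuse
// with the same reason if a forged request tries to bypass the disabled button.
function disconnectProvider(account, provider) {
  const check = canDisconnectProvider(account, provider);
  if (!check.allowed) throw new Error(check.reason);
  return { ...account, oauthProviders: account.oauthProviders.filter((p) => p !== provider) };
}
```

The server handler is the enforcement point; the client-side state is a courtesy that can be bypassed by anyone talking to the endpoint directly, which is exactly why the rule runs in both places.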
Renders as either Set password (OAuth-only users who never set one) or Change password (everyone else). Same form, same step-up gate, different audit kind.
Authenticator-app (TOTP), text-message (SMS) codes, plus single-use backup codes. The enrollment flow lives inline on the Security card, no hosted page or external redirect.
Enrollment shows an otpauth:// URI as a QR code (rendered client-side, never leaves your browser) plus the bare secret string as a fallback for users who can't scan. The secret has a Copy button.

Backup codes: save the file (playloop-backup-codes.txt) or click I've saved them. The backup code generation is recorded in your audit log (same row covers initial creation and regeneration).

Disable on the enrolled row → confirmation prompt → step-up modal → TOTP is removed. Recorded in your audit log as “TOTP disabled.”
Once TOTP is on, the codes row exposes a Regenerate codes button. Confirmation dialog warns that the previous set stops working immediately. Step-up gated; recorded in your audit log as “backup codes regenerated.”
Backup codes are not retrievable after you close the panel. Lose them and your only recovery is Regenerate (which invalidates the set you lost). Each code works exactly once.
Prefer a texted code? On the Text message (SMS) two-factor row, click Enable SMS, enter your phone number, and confirm the 6-digit code we text you (step-up gated). At sign-in you can then choose Text message code as your second factor. Remove takes it off your account after a confirmation. Recorded in your audit log as “SMS two-factor enabled / disabled.”
SMS codes are available in the US & Canada only. Outside those regions, use the authenticator app, which works anywhere.
Sign in without a password using Touch ID, Face ID, a security key, or your phone. Passkeys are phishing-resistant, and the private key never leaves your device.
On the Passkeys card, click Add a passkey (step-up gated). Your browser shows its native prompt to create one with your device's biometrics or a security key. The new passkey appears in the list and the action is recorded in your audit log.
Each passkey lists its name plus when it was added and last used. Use the pencil to rename one so you can tell your devices apart. Remove deletes it after a confirmation (step-up gated). Removing a passkey is safe: your password and other sign-in methods keep working.
On the sign-in screen choose Sign in with a passkey, then pick the passkey for this site. No email or password required.
Every browser or device currently signed into Playloop. Current device pinned to the top, everything else sorted by last-active.
Each row shows the browser and OS hints (Chrome · macOS, etc.) and a relative last-active time (Just now / 3m ago / 2h ago / Yesterday / 4d ago). Every non-current row exposes a Sign out button (red, ghost-style). Click runs through step-up and signs that one session out. The list reloads after success. Recorded in your audit log with the device + browser hints, so you can confirm later which device you kicked out.
The nuclear option. Revokes every active session including the one you're using right now. Use it if you suspect someone else has access or after recovering from a lost device.
Afterwards you land on /sign-in.

Sensitive operations (rotating an API key, saving a BYOK key, changing your password, enrolling TOTP, disconnecting Google, saving a BYOK budget, revoking a session) require your session to have proven itself recently. When the server says the proof is stale, Playloop opens a styled reverification modal right in front of the page.
The BYOK key save and BYOK budget save flows have their own full write-ups (storage, decryption, monthly cap behaviour, cancellation UX) in /docs/ai-provider.
Step-up wraps every sensitive write, both identity-provider mutations (password change, TOTP enroll, OAuth connect/disconnect, primary-email change, session revocation) and Playloop server writes (API key rotation, BYOK key save/clear, BYOK budget change). One prompt covers both: if a write lands and the server says your session needs a fresh proof, the modal opens and the original action automatically retries after you verify.
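The "check on the server, prompt on the client, retry the same action once" shape described above is worth seeing end to end. The following is an added example, not Playloop's code: the server-side freshness check runs before any mutation, and the client wrapper only re-fires the original action after the modal reports a successful verification. The freshness window, the response codes, the session object and the synchronous modal callback are all assumptions for the demo.

```javascript
// Added example, not Playloop's code. Assumed: a session records when it last
// proved itself; a stale proof is signalled with the constructed code
// "STEP_UP_REQUIRED"; the modal is modelled as a callback returning true/false.

const STEP_UP_MAX_AGE_MS = 5 * 60 * 1000; // assumed freshness window

// Server side: the freshness check runs BEFORE the write, so a stale session
// never gets a partial mutation followed by a prompt.
function sensitiveWrite(session, now, mutate) {
  if (now - session.lastVerifiedAt > STEP_UP_MAX_AGE_MS) {
    return { ok: false, code: "STEP_UP_REQUIRED" };
  }
  return { ok: true, result: mutate() };
}

// Client side: run the original click; if the server wants a fresh proof,
// open the modal. Cancel resumes the page silently; verify stamps the session
// and re-fires the same action exactly once.
function withStepUp(session, now, action, openModal) {
  const first = action();
  if (first.ok || first.code !== "STEP_UP_REQUIRED") return first;
  const verified = openModal();
  if (!verified) return { ok: false, code: "CANCELLED" };
  session.lastVerifiedAt = now; // the server would set this after verification
  return action();
}

// Scenario driver: an API-key rotation attempted `minutesSinceProof` after the
// last proof, with the user either verifying or cancelling the modal.
function rotateKeyScenario(minutesSinceProof, userVerifies) {
  const now = Date.now();
  const session = { lastVerifiedAt: now - minutesSinceProof * 60 * 1000 };
  let rotations = 0;
  let modalOpened = 0;
  const action = () => sensitiveWrite(session, now, () => ++rotations);
  const openModal = () => {
    modalOpened += 1;
    return userVerifies;
  };
  const outcome = withStepUp(session, now, action, openModal);
  return { outcome, rotations, modalOpened };
}
```

A fresh session rotates without a prompt; a stale session that verifies rotates exactly once after one prompt; a stale session that cancels rotates nothing, which is the invariant worth asserting when you test your own gate.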
The modal prompts you for whichever second factor you've enrolled in Settings → Sign-in & security: a TOTP code from your authenticator app, a one-time backup code, or a passkey. If you haven't enrolled a second factor yet, head to that page first: Enable 2FA, scan the QR code with your authenticator, save the backup codes, then retry the action you were trying to perform.
Every sensitive change on the Account tab writes one row to your audit log, validated against a fixed allowlist of events. Clients can't forge entries for other users, and a logging hiccup never blocks the operation you just completed. Surfaced in-app via the audit log panel in Settings.
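The three properties in that paragraph (fixed allowlist, actor taken from the session rather than the request, logging failure never blocking the operation) are easy to get subtly wrong, so here is an added example, not Playloop's code, that models the write path. Event names come from the table on this page; the row shape, the in-memory store and the `actorId` parameter are assumptions for the demo.

```javascript
// Added example, not Playloop's code. Event names are the identity entries
// listed on this page; everything else (row shape, store) is constructed.

const AUDIT_EVENTS = new Set([
  "Email changed", "OAuth connected", "OAuth disconnected",
  "Password set", "Password changed", "TOTP enrolled", "TOTP disabled",
  "Backup codes regenerated", "Session revoked", "All sessions revoked",
]);

const auditStore = []; // constructed in-memory sink standing in for the table

// Writes one row. `actorId` must come from the authenticated session, never
// from the request body, so a client cannot attribute an entry to someone else.
// Unknown event names are rejected. A store failure is reported but never
// thrown, so the operation the user just completed is not rolled back by it.
function recordAudit(actorId, event, detail = {}, store = auditStore) {
  if (!AUDIT_EVENTS.has(event)) return { written: false, reason: "unknown event" };
  const row = { userId: actorId, event, detail, at: new Date().toISOString() };
  try {
    store.push(row);
    return { written: true, row };
  } catch (err) {
    console.error("audit write failed:", err.message);
    return { written: false, reason: "store error" };
  }
}

// A sensitive operation that picks the audit kind from account state
// (first password => "Password set", otherwise "Password changed") and
// returns the updated user regardless of whether the audit write succeeded.
function changePassword(session, newPasswordHash, store = auditStore) {
  const kind = session.hasPassword ? "Password changed" : "Password set";
  const updated = { ...session, hasPassword: true, passwordHash: newPasswordHash };
  recordAudit(session.userId, kind, {}, store);
  return updated;
}
```

Pass a store whose `push` throws and `changePassword` still returns the updated user, which is the "logging hiccup never blocks the operation" guarantee; pass an event name outside the allowlist and nothing is written.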
The table below covers the identity entries this page's sections fire. The full audit-log surface (BYOK key saves, BYOK budget changes, notification toggles, studio profile edits, session events, system events) lives in /docs/notifications · Audit log.
| Entry | Fires when | Supporting detail |
|---|---|---|
| Email changed | You verified a new email address and promoted it to primary. | new email |
| OAuth connected | You linked a new OAuth provider. | provider |
| OAuth disconnected | You removed a linked OAuth provider. | provider |
| Password set | You set a password for the first time. | – |
| Password changed | You changed an existing password. | – |
| TOTP enrolled | You verified a TOTP code and enrolled an authenticator app. | – |
| TOTP disabled | You disabled TOTP. | – |
| Backup codes regenerated | Initial backup-code generation or regenerate flow. | – |
| Session revoked | A specific non-current device session was signed out. | device, browser |
| All sessions revoked | Sign-out-everywhere succeeded. | count |
Below Sign-in & Security the Account tab surfaces three entry points that don't require step-up to view, only to act:
Public Tester Key (SDK ingest) + Management Key (server-side admin). Show, copy, rotate. Rotation is step-up gated. Free for every account: every tier can mint keys and call /api/v1/*; paid tiers get higher rate limits.
Free for every account. Read-only management-API access for Claude Desktop, Cursor, or any MCP-aware AI agent. Rate-limited per key.
One-click open into the security audit log: sign-ins, key rotations, BYO key writes, identity changes. Check here first if something feels off.
Download a JSON copy of every row attributed to your account. One export per 24 hours. Step-up gated on request. Audit-log entries are included for the last 90 days; credential material (password hashes, API key hashes, encrypted BYO AI keys) is stripped from the user row before serialization.
Storage usage, Managed AI quota, and Daily AI cost meters live on /settings/usage and the Billing tab, not here. The Account tab is identity + access; the meters are spend.
Pinned to the bottom of the Account tab, explicitly not at the page footer, so destructive identity actions sit next to the rest of your identity surface.
Where the BYOK save / clear and the budget save sit end-to-end. Storage, encryption, the cap behaviour, step-up cancellation UX, audit fields.
The four notification toggles, the bundle + weekly digest, and every audit kind that lands on a healthy account, identity, BYOK, studio, sessions, system.
Per-game tuning knobs, KPI weighting, drop patterns, segment splits, the rollup tables, the auto-analyze switch. The consumer of your AI provider config.
Account-close, billing, and key rotation aren't reachable from any API key, only your signed-in dashboard session unlocks them. The API ref documents the full power separation.
These docs are evolving. Playloop is in active development ahead of launch, so APIs and details may change as we polish.