Security

This page covers the security controls available to your account: password change, multi-factor authentication, OAuth app management, account deletion, and data export rights.

Password change

Open Settings → Security → Change password.

  1. Enter your current password
  2. Enter the new password twice (8–64 characters, must contain at least one letter and one digit)
  3. Click Update

After a successful change:

  • All existing sessions are signed out (you’ll need to log in again on every device)
  • All issued OAuth refresh tokens are revoked (re-authorize Claude Desktop / Cursor / Moraya)
  • API Keys are not affected — they continue to work; rotate them manually if compromised

Password reset (forgot password)

If you can’t sign in:

  1. Go to Sign in and click Forgot password
  2. Enter your email
  3. A 6-digit reset code arrives within 30 seconds (single-use, 5-minute expiry)
  4. Enter the code, then set the new password

Login security alerts

Picora automatically emails you when:

  • A new device / browser logs in successfully
  • 5 failed login attempts occur within 5 minutes from the same IP (the account is auto-locked for 15 minutes)
  • Your password is changed
  • A new OAuth app is authorized

These alerts cannot be disabled.
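
The lockout rule above (5 failures within 5 minutes from one IP, then a 15-minute lock) behaves like a sliding-window counter. The sketch below is an added example, not Picora's code. It assumes that failures are counted per (account, IP) pair, that a successful login clears the account's failure history, and that attempts made during a lock are rejected without being counted; the class and function names are hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                        # page: 5 failed login attempts
WINDOW = timedelta(minutes=5)           # page: within 5 minutes, same IP
LOCK_DURATION = timedelta(minutes=15)   # page: auto-locked for 15 minutes


class LoginGuard:
    """Sliding-window lockout; keying on (account, IP) is an assumption."""

    def __init__(self):
        self._failures = defaultdict(deque)   # (account, ip) -> failure times
        self._locked_until = {}               # account -> lock expiry

    def record(self, account, ip, success, now):
        """Classify one attempt: 'locked', 'ok', 'failed' or 'lock_triggered'."""
        until = self._locked_until.get(account)
        if until is not None and now < until:
            return "locked"     # rejected even if the password was correct
        if success:
            # Assumption: success clears this account's failure history
            for key in [k for k in self._failures if k[0] == account]:
                del self._failures[key]
            return "ok"
        window = self._failures[(account, ip)]
        window.append(now)
        while window and now - window[0] > WINDOW:
            window.popleft()    # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCK_DURATION
            window.clear()
            return "lock_triggered"   # where the alert email would be sent
        return "failed"


def replay(events):
    """Replay (offset_seconds, account, ip, success) tuples in order."""
    guard, t0 = LoginGuard(), datetime(2024, 1, 1, 12, 0, 0)
    return [guard.record(acct, ip, ok, t0 + timedelta(seconds=s))
            for s, acct, ip, ok in events]


# Constructed sample events; both IPs are reserved documentation addresses
A, B = "203.0.113.7", "198.51.100.9"
SAMPLE = [(0, "alice", A, False), (60, "alice", A, False),
          (120, "alice", B, False), (180, "alice", A, False),
          (200, "alice", A, False), (240, "alice", A, False),
          (300, "alice", A, True), (1200, "alice", A, True)]
```

In the sample, the failure from the second IP does not count toward the first IP's total, the correct password at 300 seconds is still rejected because the lock is active, and the login at 1200 seconds succeeds once the 15 minutes have passed.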

Authorized OAuth apps (v0.14.0)

If you’ve connected Picora to AI tools via HTTP OAuth MCP, each authorization shows up under Settings → Authorized apps.

For each connection you can see:

  • App name (e.g., “Claude Desktop on MacBook Pro”)
  • Granted scopes (e.g., media:write, docs:read)
  • Last activity timestamp
  • IP address of last use

Click Revoke to invalidate that app’s tokens. The AI tool will be prompted to re-authorize next time it tries to access Picora.

Account deletion

To delete your account:

  1. Go to Settings → Security → Delete account
  2. Confirm the warning by typing DELETE (English) or 删除 (Chinese)
  3. Receive a 6-digit confirmation code by email
  4. Enter the code

Within 24 hours:

  • All your resources are deleted from object storage
  • Database rows are removed (user, identities, refresh tokens, API keys)
  • OAuth refresh tokens are revoked
  • Billing data is retained for 5 years (legal compliance), but de-identified

If you have an active subscription, cancel it first — deletion does not auto-refund. See Subscription management.

Data export

Picora supports your right to receive a copy of your data:

  1. Go to Settings → Security → Export my data
  2. A background job assembles a ZIP containing:
    • User profile JSON
    • Metadata for all API Keys (key hashes only — original tokens are not recoverable)
    • All resources (images, videos, audio, Markdown) with metadata
    • Billing history (last 5 years)
  3. You receive a download link by email when ready (typically within 24 hours)
  4. The download link expires in 7 days

The exported ZIP is suitable for migrating to another service or for keeping as a personal archive.

Multi-factor authentication