Accounts — registration, sign-in, and account security
Your account is your personal identity in Loopback. It is separate from organizations (tenants) and workspaces (environments). This page covers everything a user typically does at account scope.
Registration
When self-service registration is enabled for the deployment, a new user can create an account by providing:
- First and last name
- Password (length limits apply)
If registration is disabled, you receive credentials or an invite flow from your operator.
After registration, you verify your email address (deployment-specific) before getting full access.
Sign-in
Standard email + password login establishes a session. Additional mechanisms may include:
- Two-factor authentication (2FA) — TOTP or similar, if you enable it on your account.
- WebAuthn / security keys — passwordless or second factor, depending on configuration.
Failed login and recovery flows should respect rate limits your operator configures.
Account profile and settings
Typical self-service account capabilities (exact UI labels vary):
- Update name or contact details tied to the account.
- Manage password changes.
- Enable or disable 2FA and register WebAuthn devices.
- Create or revoke account API keys — long-lived tokens for automation (scripts, CI) that impersonates your user, subject to the same organization permissions you already have.
Important: An API key is not a workspace agent token. Workspace agent tokens authorize machines inside infrastructure; account API keys authorize API calls as you.
Recovery
Password recovery or email reset flows exist for locked-out users. Treat recovery links as single-use and time-limited.
Multi-organization reality
One account can hold many memberships:
- You might be owner in your startup org and read-only in a partner org.
- Switching “context” in the UI is switching which organization’s projects you act on.
Permissions are always evaluated as (account, organization[, project[, workspace]]) — see Access control.
What accounts cannot do alone
Without a membership, an account cannot see any organization data.
Without organization-level permissions, an account cannot create projects or see billing.
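The scope tuple from "Multi-organization reality" and the limits listed above can be sketched as a default-deny check. This is an added illustration, not Loopback's own code: the `Grant` model, the action names, and the role-to-action mapping are assumptions, and only the role names "owner" and "read-only" come from this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed role -> action mapping; the page names only "owner" and "read-only".
ROLE_ACTIONS = {
    "owner": {"read", "write", "project:create", "billing:read"},
    "read-only": {"read"},
}
ORG_LEVEL_ACTIONS = {"project:create", "billing:read"}

@dataclass(frozen=True)
class Grant:  # hypothetical membership record
    organization: str
    role: str
    project: Optional[str] = None    # None = whole organization
    workspace: Optional[str] = None  # None = whole project

@dataclass
class Account:
    email: str
    grants: list = field(default_factory=list)

@dataclass
class ApiKey:
    owner: Account        # the key acts as this account, nothing more
    revoked: bool = False

def covers(g, organization, project, workspace):
    """True when the grant's scope equals or is broader than the request."""
    return (g.organization == organization
            and g.project in (None, project)
            and g.workspace in (None, workspace))

def is_allowed(principal, action, organization, project=None, workspace=None):
    """Default-deny check over (account, organization[, project[, workspace]])."""
    if isinstance(principal, ApiKey):
        if principal.revoked:
            return False
        principal = principal.owner  # same permissions the account already has
    for g in principal.grants:
        if action in ORG_LEVEL_ACTIONS and g.project is not None:
            continue  # org-level actions need an org-level grant
        if covers(g, organization, project, workspace) and action in ROLE_ACTIONS.get(g.role, ()):
            return True
    return False  # no membership or no matching grant

# Constructed sample: one account, owner in one org and read-only in another.
alice = Account("alice@example.com", [Grant("startup", "owner"), Grant("partner", "read-only")])
```

An account with no grant for an organization falls through to the final `return False`, which is the "cannot see any organization data" case above.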