Recovery codes are your backup plan if you lose your phone or can't access your authenticator app. We generate 8 single-use codes when you turn on two-factor authentication, and each one can sign you in once.
Where to find them
We show your recovery codes once, on the screen right after you finish enrolling in two-factor authentication. After that, we can't show them to you again — they're hashed in our database, the same way passwords are.
If you didn't save them at enrollment time, that's fine — just regenerate a fresh set.
How to save them
Pick whichever fits your habits:
- Password manager — paste them into 1Password, Bitwarden, the iCloud Keychain, etc. Most password managers have a dedicated "secure note" field.
- Print them — old-school but reliable. Stick the printout in a drawer or your wallet.
- Write them down — same idea. Just put them somewhere you'll remember.
What you don't want to do: leave them in plain text in your email, in a Slack message, or in cloud storage that doesn't require a separate sign-in. Recovery codes bypass two-factor — treat them like a backup of your password.
Using a recovery code to sign in
When the portal asks for your two-factor code, you can paste a recovery code in the same field instead. We accept it with or without dashes — abcd-efgh-ij and abcdefghij both work.
Each code works exactly once. After you use it, it's burned — you can't use the same code twice. That's by design: if a code is leaked, it can only ever be used once before it's worthless.
Regenerating codes
If you lose your saved codes, have used too many of them, or just want a clean set, you can regenerate from Account → Security.
- We'll ask you to confirm with a current code (TOTP from your authenticator, or one of your remaining recovery codes).
- The old set is invalidated — even unused codes from the previous batch stop working.
- A fresh set of 8 is shown to you. Save them.
Lost both authenticator and recovery codes
If you lose your phone and you didn't save your recovery codes, you can't sign in on your own. Open a ticket with our support team — we'll verify your identity through other means (invoice history, payment method last-4, account details) and reset two-factor for you.
This is the worst-case scenario, and it's why saving recovery codes is worth the 30 seconds when you enroll.
How they're stored
Recovery codes go through bcrypt hashing before they're written to our database, the same hash function used for passwords. Even with full database access, an attacker can't read your codes back — they can only verify when you submit one. We chose this on purpose: the codes are sensitive, and their plaintext shouldn't exist anywhere on our infrastructure once you've saved them.
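The storage, single-use and regeneration rules described above, sketched as an added example that is not our production code. It assumes a lowercase letters-and-digits alphabet, uses PBKDF2 from the Python standard library as a stand-in for bcrypt so it runs without extra packages, and every name in it (RecoveryStore, redeem, and so on) is hypothetical.

```python
import hashlib
import hmac
import os
import secrets

# Assumptions for this sketch: alphabet, iteration count and all names are hypothetical.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
CODE_LEN, BATCH_SIZE, ITERATIONS = 10, 8, 100_000

def normalize(code: str) -> str:
    """Accept 'abcd-efgh-ij' and 'abcdefghij' alike (lowercasing is an assumption)."""
    return code.strip().replace("-", "").lower()

def slow_hash(code: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for bcrypt so the example needs only the standard library.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, ITERATIONS)

class RecoveryStore:
    def __init__(self):
        self.rows = {}  # user -> list of {"salt", "hash", "used"}; no plaintext kept

    def regenerate(self, user: str) -> list:
        """Replace the user's whole batch and return the new codes for one-time display."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
                 for _ in range(BATCH_SIZE)]
        rows = []
        for code in codes:
            salt = os.urandom(16)
            rows.append({"salt": salt, "hash": slow_hash(code, salt), "used": False})
        self.rows[user] = rows  # old batch is dropped, unused codes included
        return [f"{c[:4]}-{c[4:8]}-{c[8:]}" for c in codes]

    def redeem(self, user: str, submitted: str) -> bool:
        """Return True once per code; a real database would mark 'used' atomically."""
        for row in self.rows.get(user, []):
            if row["used"]:
                continue
            candidate = slow_hash(submitted, row["salt"])
            if hmac.compare_digest(candidate, row["hash"]):
                row["used"] = True  # burn the code
                return True
        return False
```

Because each row has its own salt, a submitted code has to be hashed against every unused row, which is why the batch is kept small.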