Profile & Security
Manage your account profile, authentication settings, and active sessions.
Overview
The Profile & Security page lets you manage your personal information, change your password, enable two-factor authentication, connect social login providers, and review active sessions. Access it by clicking your user avatar in the top-right corner and selecting My Account.
Updating Your Profile
Your profile information is displayed in the Account Information card. Click Edit to update the following fields:
| Field | Description |
|---|---|
| First Name / Last Name | Your display name shown across the platform. |
| Email | Your login email address. |
| Job Title | Your role or position (optional). |
| Mobile Phone | Your mobile phone number. |
| Business Phone | Your business phone number. |
| Timezone | Your local timezone for display purposes. |
Your avatar can be updated separately from the avatar section at the top of the page. After making changes, click Save to update your profile.
Changing Your Password
Open password settings
On the Profile & Security page, locate the Password section.
Enter current and new password
Provide your current password for verification, then enter your new password. Passwords must meet the minimum complexity requirements (length, mixed case, numbers).
Save the change
Click Change Password to update. You will remain logged in on the current session.
Two-Factor Authentication
Two-factor authentication (2FA) adds a second layer of security to your account. 2FA is configured at the organization level by your administrator. Xelon HQ supports two 2FA methods: SMS OTP and TOTP (authenticator apps). The Two-factor authentication & Security section appears on your profile page when your organization has 2FA enabled.
Enable 2FA on all accounts, especially those with administrative privileges, to protect against unauthorized access.
SMS OTP
Receive one-time passwords via SMS to your registered phone number.
Enable SMS 2FA
In the Two-Factor Authentication section, select SMS and enter your phone number.
Verify your phone
A verification code will be sent to your phone. Enter the code to confirm your number.
Use SMS OTP at login
After entering your password, you will be prompted to enter the SMS code sent to your phone.
TOTP (Authenticator App)
Use a time-based one-time password app such as Google Authenticator, Authy, or 1Password for offline 2FA codes.
Enable TOTP
In the Two-Factor Authentication section, select Authenticator App. A QR code will be displayed.
Scan the QR code
Open your authenticator app and scan the QR code. Alternatively, you can manually enter the setup key shown below the QR code.
Validate the setup
Enter the 6-digit code from your authenticator app to confirm that TOTP is correctly configured.
Save backup codes
After validation, backup recovery codes are displayed. Store these in a secure location. Each code can be used once if you lose access to your authenticator app.
Backup codes are the only way to recover access if you lose your authenticator device. Store them in a password manager or secure offline location.
Resetting 2FA
If you need to change your 2FA method or device, disable the current 2FA from the security settings and set it up again. You will need your current 2FA code or a backup code to disable 2FA. If you have lost access to all recovery methods, contact your organization administrator or Xelon support.
Quick Login
The Quick Login section lets you connect third-party authentication providers for single sign-on to your account.
| Provider | Description |
|---|---|
| Google | Sign in using your Google account. Click Connect and authorize the integration. |
| GitHub | Sign in using your GitHub account. Click Connect and authorize the integration. |
To disconnect a social provider, click the Disconnect button next to the provider name.
Active Sessions
Active Sessions is managed at the organization level. To view and manage sessions, navigate to Manage My Organization in the sidebar and click the Active sessions tab.
The Active Sessions page shows:
- Session Duration settings: Control how long user sessions remain active before requiring re-authentication (1, 7, 14, or 30 days).
- Active Sessions: All currently active user sessions, showing the user name, IP address, user agent, last activity time, and expiration time.
- Expired Sessions: Recently expired or manually terminated sessions.
To terminate an active session, click Expire now next to the session entry. The user on that device will be logged out.
Regularly review active sessions. If you see an unfamiliar session, expire it immediately and change the affected user's password.
Service Tokens
Service tokens allow external applications and scripts to authenticate with the Xelon HQ API without using your personal credentials. The Service Tokens section appears on the My Account page when you have the allowManageServiceTokens permission.
Creating a Service Token
Open the form
On the My Account page, find the Service Tokens card in the right sidebar and click Add Service.
Configure the token
In the New Service Token dialog, fill in:
- Service Name: A descriptive name for the token (e.g., "CI/CD Pipeline" or "Monitoring Script").
- Related Organization: Select the organization this token will operate in.
- IP: Optionally restrict the token to a specific IP address. Click Add current IP to auto-fill your current address.
The service token inherits all permissions from your user account. It can perform the same actions you can within the selected organization.
Save the token
Click Create. A dialog displays the generated token and Client ID. Click Copy Token and Copy Client Id to save them.
The token value is shown only once. If you lose it, you must delete the token and create a new one.
Using a Service Token
Include the token in the Authorization header of your API requests:
Authorization: Bearer YOUR_SERVICE_TOKEN
For IP range-based access, also include the Client ID header:
X-User-Id: YOUR_CLIENT_ID
See the API Reference for endpoint documentation.
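A minimal client for the two headers above, as an added example that is not taken from the Xelon HQ documentation. The base URL, the endpoint path and the environment variable names `XELON_SERVICE_TOKEN` and `XELON_CLIENT_ID` are placeholders chosen for illustration; the token is read from the environment because it carries your full permissions and is shown only once.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Placeholder: this page does not give the API base URL.
API_BASE = "https://api.example.invalid"

def load_credentials(env=os.environ):
    """Read the token and optional Client ID from the environment, never from source."""
    token = env.get("XELON_SERVICE_TOKEN", "").strip()      # hypothetical variable name
    if not token:
        raise RuntimeError("XELON_SERVICE_TOKEN is not set")
    return token, (env.get("XELON_CLIENT_ID", "").strip() or None)

def build_request(url, token, client_id=None):
    """Attach the Bearer token, and X-User-Id when a Client ID is supplied."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    if any(c in token + (client_id or "") for c in "\r\n"):
        raise ValueError("credential contains a line break")
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    if client_id:
        headers["X-User-Id"] = client_id
    return urllib.request.Request(url, headers=headers, method="GET")

def redacted_headers(req):
    """Headers that are safe to write to a log: the token is masked."""
    return {k.lower(): ("Bearer ***" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib would otherwise resend Authorization to the new location

def send(req, timeout=10):
    return urllib.request.build_opener(NoRedirect).open(req, timeout=timeout)

if __name__ == "__main__":
    # Constructed values; nothing is sent over the network here.
    demo = build_request(API_BASE + "/placeholder", "constructed-token", "constructed-id")
    print(redacted_headers(demo))
```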
Managing Tokens
Existing tokens are shown in the Service Tokens table with their name, related organization, and IP. To delete a token, click Delete Service and confirm the action. This is irreversible — any application using the token will immediately lose access.