# Account security

> Learn how to protect your Voucherify account using authentication options, access controls, and monitoring tools

Voucherify provides tools that help you protect your account and monitor important activity. Some settings apply only to your user account, while others can be enforced for the whole team.

You can manage security settings in two places:

* **My profile** > **Security** for personal settings
* **Team settings** > **Security** for account-level rules (account owner only)

## Security checklist

To improve the security of your Voucherify account, consider enabling the following features:

* Enable **two-factor authentication (2FA)** for all users
* Configure **SAML single sign-on (SSO)** with your identity provider
* Review **user roles and permissions**
* Monitor **account activity logs**
* Set **API usage threshold alerts**
* Enable **webhook failure notifications**

These features help prevent unauthorized access and allow your team to react quickly to security issues.

## Two-factor authentication

Two-factor authentication (2FA) adds an extra layer of security to the login process. In addition to your password, you must confirm your identity using another verification method.

### Enforce two-factor authentication for the team

Only the **account owner** can enforce two-factor authentication for all users.

To enable enforcement:

1. Go to **Team settings** and open the **Security** tab.
2. Turn on **Enforce two-factor authentication**.
3. Select a start date or choose **Now**.
4. Save the changes.

After enforcement, each user must set up two-factor authentication during their next login.

### Set up two-factor authentication for your account

Each user configures two-factor authentication in **My profile > Security**.

Voucherify supports the following methods:

* Google Authenticator: Use the Google Authenticator app on your mobile device. Scan the QR code or enter the code manually. The app generates a verification code for each login.
* SMS codes: Provide your phone number to receive a one-time verification code by text message each time you log in.
* Backup codes: Voucherify generates ten one-time backup codes. Store them in a safe place and use them only if you cannot access your phone.

<Info>
  Backup codes or SMS codes alone are less secure. Voucherify recommends using Google Authenticator as your main method.
</Info>

## Password management

You can change your password at any time.

To update your password:

1. Go to **My profile** > **Security**.
2. Click **Change password**.
3. Enter your current password and a new password.
4. Save the change.

You receive an email notification whenever your password is changed.

## Single sign-on with SAML

SAML single sign-on (SSO) allows users to log in using a company identity provider instead of a Voucherify password.

Voucherify supports providers such as Azure, Auth0, OneLogin, Okta, and PingIdentity.

### How SAML login works

Before users can log in with SAML:

* The user must be added to the SAML application in the identity provider.
* The same user must be invited to the Voucherify dashboard using the **same email address**.

After configuration:

* Users can log in from the identity provider dashboard or a SAML login page.
* The email address must match the email used in Voucherify.
* Users are not automatically synced from the identity provider to Voucherify. Each user must be created in Voucherify separately.

If SAML is enforced, users cannot log in using email and password.

### Enable SAML authentication

To enable SAML:

1. Create a SAML application in your identity provider.
2. Copy the **Identity provider entry point URL** and the certificate.
3. Go to **Team settings** > **Security**.
4. Enable SAML and paste the required values.
5. Save the configuration.

Voucherify generates a **Callback URL**. Add this URL to your identity provider configuration.

<Warning>
  Always test SAML login before enforcing it. Enforcing SAML without testing may block user access.
</Warning>
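
A pre-enforcement check for the lockout risk described above, as an added example that is not Voucherify's own code: it compares the users assigned to the SAML application in the identity provider with the Voucherify team members and reports who could not log in once SAML is enforced. Both lists are constructed sample data, the function names are hypothetical, and how you export each list is an assumption left to you.

```python
def normalize(email):
    # Fold case and trim whitespace, only to spot near-identical addresses.
    return email.strip().lower()

def local_part(email):
    return normalize(email).split("@")[0]

def saml_readiness(idp_emails, member_emails):
    """Classify users before SAML is enforced (added example, hypothetical helper)."""
    idp, members = set(idp_emails), set(member_emails)
    ready = idp & members                      # identical address on both sides
    idp_left, members_left = idp - ready, members - ready
    review = []                                # (Voucherify email, IdP email, reason)
    for m in sorted(members_left):
        for i in sorted(idp_left):
            if normalize(m) == normalize(i):
                review.append((m, i, "case/whitespace"))
            elif local_part(m) == local_part(i):
                review.append((m, i, "domain"))
    paired_members = {m for m, _, _ in review}
    paired_idp = {i for _, i, _ in review}
    return {
        "ready": sorted(ready),
        "review": review,
        # In Voucherify but not assigned in the IdP: no way in once SAML is enforced.
        "locked_out": sorted(members_left - paired_members),
        # Assigned in the IdP but never invited: users are not synced automatically.
        "not_invited": sorted(idp_left - paired_idp),
    }

# Constructed sample data, not real accounts.
IDP_ASSIGNED = ["alice@example.com", "Bob@example.com",
                "carol@corp.example.com", "dave@example.com"]
VOUCHERIFY_MEMBERS = ["alice@example.com", "bob@example.com",
                      "carol@example.com", "erin@example.com"]

if __name__ == "__main__":
    for bucket, entries in saml_readiness(IDP_ASSIGNED, VOUCHERIFY_MEMBERS).items():
        print(f"{bucket}: {entries}")
```

Entries under `review` are not assumed to work: confirm each with a real test login, since the page only states that the email addresses must be the same.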

### Advanced SAML options

For advanced security setups, you can:

* Sign SAML requests.
* Encrypt or decrypt SAML responses.

These options are available for specific integration needs.

## Provider-specific configuration

Follow the procedure for your identity provider.

<AccordionGroup>
  <Accordion title="Microsoft Azure (Entra ID)">
    To enable Microsoft Azure (Entra ID):

    1. Open **Microsoft Entra admin center**.
    2. Go to **Applications** > **Enterprise applications**.
    3. Select **New application**.
    4. Click **Microsoft Entra SAML Toolkit**.
    5. Name the application and create it.
    6. Go to **Single sign-on**.
    7. Select **SAML**.
    8. Edit **Basic SAML Configuration**.
    9. Set **Identifier (Entity ID)** to your chosen value.
    10. Add a placeholder **Reply URL**.
    11. Add a placeholder **Sign-on URL**.
    12. Save the configuration.
    13. Copy the **Login URL**.
    14. In Voucherify, go to **Team settings** > **Security**.
    15. Enable SAML authentication.
    16. Paste the Login URL into **Identity provider entry point URL**.
    17. Download the **Base64 certificate** from Azure.
    18. In Voucherify, choose **Add certificate**.
    19. Paste the certificate.
    20. Set **Issuer** to the same Entity ID.
    21. Save the configuration.
    22. Copy the **Callback URL** from Voucherify.
    23. Return to Azure and edit **Basic SAML Configuration**.
    24. Replace the placeholder Reply and Sign-on URLs with the Callback URL.
    25. Save changes.
    26. Assign users or groups in **Users and Groups**.
    27. Create matching users in Voucherify with the same email addresses.
    28. Users log in via the Azure application.
  </Accordion>

  <Accordion title="Auth0">
    To enable Auth0:

    1. Log in to Auth0.
    2. Go to **Applications**.
    3. Select **Create application**.
    4. Enter a name.
    5. Click **Regular Web Application**.
    6. Create the application.
    7. Open **Settings**.
    8. Scroll down and open **Advanced settings**.
    9. Go to the **Endpoints** tab.
    10. Copy the **SAML protocol URL**.
    11. In Voucherify, go to **Team settings** > **Security**.
    12. Enable SAML authentication.
    13. Paste the SAML protocol URL into **Identity provider entry point URL**.
    14. In Auth0, open the **Certificates** tab.
    15. Copy the **Signing certificate**.
    16. In Voucherify, choose **Add certificate**.
    17. Paste the certificate and save.
    18. Save the SAML configuration in Voucherify.
    19. Copy the **Callback URL**.
    20. In Auth0, go to **Settings**.
    21. Add the Callback URL to **Allowed callback URLs**.
    22. Save changes.
    23. Open the **Addons** tab.
    24. Enable **SAML2 Web App**.
    25. Save changes.
    26. Users log in using the Callback URL.
  </Accordion>

  <Accordion title="OneLogin">
    To enable OneLogin:

    1. Log in to OneLogin.
    2. Go to **Applications**.
    3. Select **Add app**.
    4. Search for **SAML Custom Connector (Advanced)**.
    5. Add the application.
    6. (Optional) Set name, icon, and description.
    7. Save and go to **Configuration**.
    8. Set SAML encryption to **AES-128-CBC**.
    9. Save changes.
    10. Go to **SSO**.
    11. Copy **SAML 2.0 Endpoint (HTTP)**.
    12. In Voucherify, go to **Team settings** > **Security**.
    13. Enable SAML authentication.
    14. Paste the endpoint URL as **Identity provider entry point URL**.
    15. Save.
    16. In OneLogin, open **Certificate**.
    17. Copy the **X.509 certificate**.
    18. In Voucherify, add the certificate and save.
    19. Save SAML configuration.
    20. Copy the **Callback URL**.
    21. In OneLogin, paste the URL into **ACS URL**.
    22. Save changes.
    23. Users log in using the Callback URL.
  </Accordion>

  <Accordion title="Okta">
    To enable Okta:

    1. Log in to Okta.
    2. Go to **Applications**.
    3. Select **Create App Integration**.
    4. Click **SAML 2.0**.
    5. Click **Next**.
    6. Enter application name and optional logo.
    7. Click **Next**.
    8. In **Configure SAML**, enter a placeholder Single Sign-On URL.
    9. Set **Audience URI (SP Entity ID)**.
    10. Set **Name ID format** to EmailAddress.
    11. Set **Application username** to Email.
    12. Finish setup.
    13. Open **SAML Signing Certificates**.
    14. View SAML setup instructions.
    15. Copy **Identity provider SSO URL**.
    16. In Voucherify, enable SAML authentication.
    17. Paste the SSO URL as **Entry point URL**.
    18. Copy the **X.509 certificate**.
    19. Add the certificate in Voucherify.
    20. Set **Audience** to match Okta value.
    21. Save configuration.
    22. Copy the **Callback URL**.
    23. Edit SAML settings in Okta.
    24. Replace the placeholder URL with the Callback URL.
    25. Assign users to the application.
    26. Users log in using the Callback URL.
  </Accordion>

  <Accordion title="PingIdentity (PingID)">
    To enable PingID:

    1. Log in to PingID.
    2. Go to **Applications**.
    3. Select **Add new application**.
    4. Set application name.
    5. Click **SAML application**.
    6. Select **Manual configuration**.
    7. Set placeholder **ACS URL**.
    8. Set **Entity ID**.
    9. Download the **X.509 certificate**.
    10. Copy **Initiate SSO URL**.
    11. In Voucherify, enable SAML authentication.
    12. Paste the Initiate SSO URL as **Entry point URL**.
    13. Set **Audience**.
    14. Add the certificate.
    15. Save configuration.
    16. Copy the **Callback URL**.
    17. Return to PingID configuration.
    18. Replace placeholder ACS URL with Callback URL.
    19. Edit **Attribute mappings**.
    20. Map subject to user ID or username.
    21. Add email attribute mapping.
    22. Mark email as required.
    23. Enable the application.
    24. Create matching users in PingID and Voucherify.
    25. Test login using the Callback URL.
  </Accordion>
</AccordionGroup>

## Activity logs

Logs help you review account and project activity.

### Account activity logs

Account activity logs are available in **My profile** > **Security**.

They include:

* Login events.
* Password changes.
* Updates to security settings.

### Project audit logs

Project-level activity is available in the [Audit log](/analyze/audit-logs) section of the dashboard.

Audit logs show:

* API requests and responses.
* Request source.
* Related objects such as campaigns or orders.

These logs help track technical activity and data changes.

## Monitoring and alerts

Voucherify provides alerts that help you monitor account usage and important events. Alerts do not block access, but they help you react quickly when attention is needed.

You can manage alerts in the **Notification center**.

### User notifications

<Info>
  These settings apply only to the logged-in user.
</Info>

User notifications relate to project activity and background processes.

You can manage them in **Notifications (sidebar)** > **Go to Notification center** > **User settings**.

For example, you can set up notifications for:

* Campaign updates.
* Voucher generation results.
* Imports and exports.
* Background tasks.

Each notification has predefined delivery channels:

* **In-app notifications**
* **Email notifications**
* **In-app and email notifications**

You can turn delivery channels on or off with **Show details**.

### Account-level notifications

<Info>
  These settings apply to the whole account and are managed by the account owner.
</Info>

Account-level notifications relate to system limits and technical delivery.

You can manage them in **Notifications (sidebar)** > **Go to Notification center** > **Account settings**.

Available notifications include:

* **Webhook delivery failures**: Alerts when Voucherify cannot successfully deliver a webhook. This helps you detect integration problems and fix failing endpoints.
* **API usage thresholds**: Alerts when your API usage approaches a defined limit. Setting thresholds helps you react early and avoid reaching account limits that could temporarily block API requests.
* **Message limits**: Alerts when your account approaches configured messaging limits.

Most account-level notifications support **in-app and email delivery**. Some notifications require at least one email address to be set.

<Note>
  Account-level notifications are informational. They do not block API calls or user access.
</Note>

## Related features

Account security can be combined with the following features.

<AccordionGroup>
  <Accordion title="Manage members and roles">
    Control who can access your account, assign roles, and manage permissions for team members.

    Read [members and roles](/manage/members-and-roles) to learn more.
  </Accordion>

  <Accordion title="Project settings">
    Go to [Project settings](/manage/project-settings) to manage API keys, webhooks, brand details and to check usage limits.
  </Accordion>
</AccordionGroup>
