ACCOUNT
Account & sessions.
Inspect every active sign-in for your account and revoke any
you don't recognise. Sessions are stored as a SHA-256 hash of
a 256-bit random id; the cleartext lives only in your
HttpOnly cookie. Revoking a row sets revoked_at
in the database — the row stays for the audit log.
Loading sessions…
You're not signed in. Sign in to manage your account.
Could not load sessions. Reload to retry.
Two-factor authentication
—
Add a TOTP authenticator (Google Authenticator, 1Password,
Aegis, etc.) so a leaked email session alone can't sign in
as you. The link in your magic-link email gets you a
half-authenticated session; clearing the second factor at
/login/2fa finishes the sign-in.
Scan this URI with an authenticator app, or paste the secret manually. After your app shows a 6-digit code, enter it below to confirm enrollment.
Provisioning URI
— Secret (manual entry)
— Two-factor is enabled (since ). Disabling requires a current code so a stolen session cookie can't unilaterally remove the second factor.
Recovery codes
— Save these now. Each code works
exactly once at the
/login/2fa challenge. They're shown
here a single time — close this tab without
saving them and you're stuck on the operator-
rescue path. Stash them in a password manager
(separate from your TOTP seed), or print and
store somewhere offline.
— of
10 recovery
codes remaining. Single-use — each one works once at
the /login/2fa challenge then expires.
Running low or unsure where you saved them? Regenerate
to invalidate all current codes and get a fresh set.
You don't have any recovery codes yet — this can happen if you enrolled TOTP before recovery codes shipped (v0.100.0). Generate a set now so a lost authenticator doesn't lock you out.
Subscription
—Checking subscription status…
You're on the — supporter plan. Stripe's billing portal handles cancellation, payment-method updates, and past invoices.
Stripe owns the entire portal UI; you'll be redirected
there and bounced back to /account when
you're done.
No active subscription. The supporter perks (bundle builder, 5 private lists, 200 daily pulls, donor-wall opt-in) need a recurring plan — chip in once or subscribe at /supporter.
Email notifications
Transactional emails about your community-scripts: when a moderator approves, rejects, verifies, or unverifies your script; when an edit-request you filed is decided; when an operator transfers ownership of a script to you.
Sign-in (magic-link) emails are auth-essential and stay on regardless of this setting.
Community scripts
SUPPORTER
Submit RouterOS scripts to the
community catalogue. Moderator-
reviewed; once approved, your script is pullable via
/tool fetch at a stable URL. Read-only
post-approval — only mods can take it down (you can
request deletion via mod review).
API keys
—Loading keys…
API keys are a supporter perk. Bundle URLs, private lists, and the 200/day pull cap will need a key once those features ship. Subscribe at /supporter to mint one.
Keys identify your RouterOS pulls as supporter-tier —
200 pulls per day per user, shared across every key on
your account (minting more keys can't game the cap).
Send the cleartext as
Authorization: Bearer mtkf_…; the v6/v7
/tool fetch snippet is below.
The cleartext is shown once at
creation — copy it immediately; we only store the hash.
New key — copy now:
Once you dismiss this banner the cleartext is gone forever. We didn't store it. The snippet below is pre-filled with this key — copy it now or rebuild from the template under "Using a key on RouterOS" with your saved cleartext.
Ready-to-paste RouterOS snippet
—
Using a key on RouterOS
RouterOS v6 + v7 both support the
http-header-field parameter on
/tool fetch. Swap
mtkf_<paste-your-key> for your
saved cleartext and
<your-list-slug> for the slug from
/lists.
v6 routers swap the URL suffix from
.rsc to .v6.rsc.
Each request to /api/lists/<slug>.<fmt>
with a valid bearer counts against the 200/day pool
(resets at 00:00 UTC). The same key on your laptop
also works for one-shot
curl -H "Authorization: Bearer mtkf_…"
tests — see
GET /api/keys/whoami for a quick
"is this key live?" check.
See /account/usage for
today's count and a 7-day per-key trend.
| Label | Prefix | Scope | Created | Last used | Action |
|---|
Donor wall
—Checking donor-wall status…
Optional. Set a display name to appear on the public /transparency donor wall once a moderator approves it. The name only renders publicly while you have an active subscription — cancel/lapse and the name drops on the next aggregation pass; re-subscribe and it comes back. Names go through moderation on every change to keep slurs / impersonation / vandalism off the page.
Status: —.
Active sessions
| Session | Last activity | Started | Expires | Action |
|---|
We never store cleartext IPs. The hashed columns
(ip_hash, ua_hash) are kept solely for
after-the-fact correlation by an admin during incident
response. Friendly-label decoding (e.g. "Chrome on macOS") may
land in a future schema bump.