Where to find it
/admin/settings/security — accessible from the sidebar under Settings → Security.
Changing your password
- Enter your current password (to confirm it’s really you).
- Enter your new password (at least 8 characters, mix of letters and numbers).
- Re-enter the new password to confirm.
- Click Update Password.
Choosing a strong password
- At least 12 characters. Longer is better — a 12-character password is roughly 100x more resistant to brute-force attacks than an 8-character one.
- Mix character types. Include uppercase, lowercase, numbers, and at least one symbol.
- Don’t reuse passwords from other sites. If another site is breached, attackers will try the same password on AppointFlow.
- Use a password manager (1Password, Bitwarden, etc.). Random passwords stored in a manager are much safer than memorable passwords.
What to do if you forget your password
Visit appointflow.online/forgot-password, enter your email, and click Send Reset Link. We email you a link that lets you set a new password — no need to remember the old one.
The reset link is valid for 1 hour and can only be used once.
Two-factor authentication (2FA)
Not currently supported. We’re planning to add 2FA in a future update — likely TOTP-based (Google Authenticator, Authy, etc.).
Session management
We don’t currently expose a “log out all sessions” button beyond the password-change flow. If you suspect your account is compromised, change your password immediately — this invalidates all existing JWT sessions.
What we do on our end
- Passwords are hashed with bcrypt. Even our staff can’t see your password.
- Sessions use NextAuth JWT with HTTP-only secure cookies.
- Rate limiting on login prevents brute-force attempts.
- All admin pages run over HTTPS in production.
- Audit log captures every change — including failed login attempts in some cases.
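How a password change can invalidate stateless JWT sessions, as described under Session management, shown as an added example (not AppointFlow's code). It assumes a hypothetical in-memory user store and a per-user `tokenVersion` counter, and that the session library has already verified the token before `validateClaims` runs.

```javascript
// Added example: password change as a "log out everywhere" switch for JWT sessions.
// Assumptions (not AppointFlow's code): in-memory store, hypothetical `tokenVersion`
// counter per user, claims already signature-checked by the session library.

const users = new Map(); // email -> { passwordHash, tokenVersion }

function createUser(email, passwordHash) {
  users.set(email, { passwordHash, tokenVersion: 1 });
}

// Claims placed in the JWT at login. `ver` pins the session to the credential generation.
function issueClaims(email, nowSec, ttlSec = 3600) {
  const user = users.get(email);
  if (!user) throw new Error("unknown user");
  return { sub: email, ver: user.tokenVersion, iat: nowSec, exp: nowSec + ttlSec };
}

// Run on every authenticated request, after the signature has been verified.
function validateClaims(claims, nowSec) {
  const user = users.get(claims.sub);
  if (!user) return { ok: false, reason: "unknown-user" };
  if (!Number.isInteger(claims.ver)) return { ok: false, reason: "missing-version" };
  if (claims.exp <= nowSec) return { ok: false, reason: "expired" };
  if (claims.ver !== user.tokenVersion) return { ok: false, reason: "revoked" };
  return { ok: true, reason: "valid" };
}

// Bumping the counter revokes every outstanding token at once. A counter, unlike
// comparing `iat` (whole seconds) to a change time, has no same-second ambiguity.
function changePassword(email, newPasswordHash, nowSec) {
  const user = users.get(email);
  if (!user) throw new Error("unknown user");
  user.passwordHash = newPasswordHash;
  user.tokenVersion += 1;
  return issueClaims(email, nowSec); // fresh claims for the browser that made the change
}

// Constructed scenario: two devices signed in, then a password change from the laptop.
function demo() {
  createUser("owner@example.test", "bcrypt-hash-placeholder-1");
  const laptop = issueClaims("owner@example.test", 1000);
  const phone = issueClaims("owner@example.test", 1000);
  const before = validateClaims(phone, 1001).reason;
  const fresh = changePassword("owner@example.test", "bcrypt-hash-placeholder-2", 1001);
  return [before, validateClaims(laptop, 1001).reason,
          validateClaims(phone, 1001).reason, validateClaims(fresh, 1001).reason];
}
console.log(demo());
```

The cost of this design is one user-record lookup per request, which is what lets a stateless token be revoked before its `exp`.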
Reporting a security issue
If you discover a vulnerability in AppointFlow, please email security@appointflow.online rather than posting publicly. We aim to respond within 48 hours.