Authentication
Authentication establishes who you are before the platform decides what you can do. Mirox combines a secure login, optional two-factor protection, full session visibility, and machine-to-machine API tokens so that only you — and the integrations you explicitly authorize — can reach your data.
How You Sign In
You log in with your username or email plus your password. A successful login starts a session that keeps you signed in across the web app without re-entering credentials on every request.
- Invite-only registration — In production, new accounts are created through an invitation. If you do not have an invitation, you can submit an access request and the organization's operators are notified to invite you.
- Email verification — New accounts confirm their address through a verification link before they become active. Accounts created from an invitation are pre-approved.
- Password reset — You can request a reset link at any time. Completing a reset signs out every active session and notifies you by email.
- Sign-in alerts — You receive an email when a login arrives from a new device or a new location, and when a sign-in attempt fails.
Info
Mirox never tells an outsider whether an email address has an account. Password-reset and access-request responses are identical whether or not the address exists, so the login surface cannot be used to enumerate accounts.
Two-Factor Authentication
Two-factor authentication (2FA) adds a second proof of identity on top of your password using a time-based one-time password (TOTP) from an authenticator app.
- Setup — Starting setup shows a QR code and the equivalent text secret to enter into your authenticator app. 2FA only becomes active after you confirm a first code, so a misconfigured app cannot lock you out.
- Login enforcement — When 2FA is active, signing in asks for a current 6-digit code before the session is granted. The server also accepts the code from the interval immediately before and after the current one, so a code that ticks over while you are entering it still works.
- Disable / check — You can disable 2FA with a valid code, or run a no-change "check my code" verification from your profile to confirm your app is in sync.
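The behaviour described in this section (setup that activates only after a confirmed code, verification of a 6-digit TOTP that also accepts the adjacent intervals, and a no-change check) is shown below as an added example. This is not Mirox's code: it is a stand-alone RFC 6238 implementation in Python standard library only. The 30-second step, the 160-bit secret and the `otpauth://` URI layout are assumptions that match the RFC defaults; the replay guard (never accepting a counter at or below the last one used) is a check a practitioner would want but the page does not describe.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30       # seconds per interval (RFC 6238 default; assumed to match Mirox)
DIGITS = 6
WINDOW = 1      # accept one interval before and one after the current one


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step)


def verify_totp(key: bytes, submitted: str, at: int, last_counter=None):
    """Return the interval counter that matched, or None.

    Tolerates the adjacent intervals (clock skew, a code that ticks over while
    being typed) and never accepts a counter at or below the last one used,
    so a captured code cannot be replayed inside the window.
    """
    current = at // STEP
    for delta in range(-WINDOW, WINDOW + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        # constant-time comparison: do not leak how many digits matched
        if hmac.compare_digest(hotp(key, counter), submitted):
            return counter
    return None


def new_secret() -> bytes:
    return secrets.token_bytes(20)     # 160-bit secret, the RFC 4226 recommendation for SHA-1


def provisioning_uri(secret: bytes, account: str, issuer: str = "Mirox") -> str:
    """otpauth:// URI of the kind a setup QR code encodes (assumed layout, not Mirox's)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


class Enrollment:
    """2FA setup that only becomes active once the user proves the app is in sync."""

    def __init__(self, account: str, secret=None):
        self.secret = secret or new_secret()       # secret parameter exists for testing
        self.uri = provisioning_uri(self.secret, account)
        self.active = False
        self.last_counter = None

    def confirm(self, code: str, at: int) -> bool:
        matched = verify_totp(self.secret, code, at)
        if matched is None:
            return False          # misconfigured app: nothing changes, no lockout
        self.active = True
        self.last_counter = matched
        return True

    def check(self, code: str, at: int) -> bool:
        """No-change 'check my code': verifies without consuming the counter."""
        return verify_totp(self.secret, code, at) is not None

    def login(self, code: str, at: int) -> bool:
        if not self.active:
            return True           # 2FA not enabled; the password alone suffices
        matched = verify_totp(self.secret, code, at, self.last_counter)
        if matched is None:
            return False
        self.last_counter = matched
        return True
```

The RFC 6238 test vectors (secret `12345678901234567890`, SHA-1) are a convenient way to confirm a TOTP implementation before trusting it: at Unix time 59 the 6-digit code is 287082, and the same code is still accepted 30 seconds later because the previous interval lies inside the window, but not 60 seconds later.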
Backup Code
When you enable 2FA you receive a single 8-character backup code. Use it if you lose access to your authenticator app.
- The backup code is single-use. As soon as you use it, a fresh backup code is issued automatically — record the new one.
- You can regenerate the backup code at any time (with a valid 2FA code), which invalidates the previous one.
- If you sign in with the backup code through the dedicated recovery flow, 2FA is also turned off so you can re-establish it cleanly.
Warning
You only ever hold one backup code at a time — this is not a printable list of ten. Store the current code somewhere safe and update your record whenever a new one is issued.
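The lifecycle of a single-use backup code (issue, redeem, automatic reissue, regenerate, and the recovery flow that also turns 2FA off) as an added Python example; this is not Mirox's implementation. The 32-symbol alphabet without look-alike characters, the PBKDF2 storage of the code, and the hypothetical `account` dictionary are assumptions. Storing only a salted, slow hash matters here: an 8-character code carries about 40 bits, so a leaked table of plain hashes would be cheap to brute-force.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I confusion when read back
LENGTH = 8
ITERATIONS = 100_000                            # assumed cost; tune to your hardware


def generate_code() -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def normalize(submitted: str) -> str:
    """Accept what a user is likely to type: lower case, spaces, a dash in the middle."""
    return submitted.strip().upper().replace("-", "").replace(" ", "")


def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS)


@dataclass
class BackupCodeRecord:
    salt: bytes
    digest: bytes        # only the hash is kept; the code itself is shown once and discarded
    used: bool = False


class BackupCodeStore:
    """Exactly one backup code per user at any time."""

    def __init__(self):
        self.records = {}

    def issue(self, user: str) -> str:
        """Create (or regenerate) the user's code. Any previous code is invalidated."""
        code = generate_code()
        salt = secrets.token_bytes(16)
        self.records[user] = BackupCodeRecord(salt, hash_code(code, salt))
        return code              # return value is displayed to the user once

    def redeem(self, user: str, submitted: str):
        """Consume the code. Returns the automatically issued replacement, or None."""
        rec = self.records.get(user)
        if rec is None or rec.used:
            return None
        candidate = hash_code(normalize(submitted), rec.salt)
        if not hmac.compare_digest(candidate, rec.digest):
            return None
        rec.used = True          # single use: never valid again, even if the reissue fails
        return self.issue(user)


def recovery_login(store: BackupCodeStore, user: str, submitted: str, account: dict):
    """Dedicated recovery flow: a valid backup code signs the user in and turns 2FA off
    so it can be re-established cleanly. Returns the new backup code, or None."""
    new_code = store.redeem(user, submitted)
    if new_code is None:
        return None              # failed recovery attempts change nothing
    account["two_factor_enabled"] = False
    return new_code
```

Regeneration (with a valid 2FA code, which the caller is expected to have checked first) is just another `issue()` call: the old record is overwritten, so the old code stops working at that moment.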
Session Management
Every device you sign in from creates a session, and you stay in control of all of them.
- See your sessions — View every active session with its location (city / country), browser, operating system, and which one is your current session.
- Sign out remotely — Revoke any other session individually, or revoke all other sessions at once while keeping your current one. Revoked sessions stop working immediately.
- Self-service identity — Change your password, username, or email from your profile. Changing your password signs out your other sessions; changing your email keeps the old address active until the new one is verified.
API Tokens
For integrations and scripts that talk to Mirox without a browser, you create API tokens — long-lived credentials scoped to a permission group rather than to your full account.
- Scoped access — Each token is bound to a permission group so it can do only what that group allows, never more than your own access.
- Rotation — Rotate a token to issue a fresh secret and retire the old one instantly, with no need to delete and recreate the integration.
- Visibility — List your tokens to see their permission group, creation and expiry dates, and where they were last used.
Creating or rotating a token requires an interactive (logged-in) session — a token can never be used to mint or rotate another token. See API Tokens for the available permission groups, limits, and usage details.
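An added example (not Mirox's code) of the token properties described above: a secret that is hashed at rest, lookup by a public identifier, binding to a permission group whose rights are intersected with the owner's own, rotation that retires the old secret instantly, expiry, last-use tracking, and a guard that refuses to mint or rotate when the caller authenticated with a token rather than an interactive session. The `mirox_<id>.<secret>` wire format, the 90-day default lifetime and the example permission sets are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PREFIX = "mirox_"      # assumed token prefix; makes leaked tokens easy to recognise in logs


@dataclass
class ApiToken:
    token_id: str                  # public, non-secret identifier used for lookup
    owner: str
    permission_group: str
    secret_hash: bytes             # SHA-256 of the secret; the secret itself is never stored
    expires_at: datetime
    last_used_at: Optional[datetime] = None
    last_used_from: Optional[str] = None


@dataclass
class Principal:
    user: str
    via_token: Optional[str] = None    # token_id when this identity came from a token


def _hash(secret: str) -> bytes:
    # A 256-bit random secret does not need a slow hash; plain SHA-256 is enough here.
    return hashlib.sha256(secret.encode()).digest()


def _require_interactive(caller: Principal) -> None:
    if caller.via_token is not None:
        raise PermissionError("tokens cannot mint or rotate tokens; use a logged-in session")


class TokenService:
    def __init__(self):
        self.tokens = {}

    def _mint(self, owner: str, group: str, ttl_days: int) -> str:
        token_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self.tokens[token_id] = ApiToken(
            token_id, owner, group, _hash(secret),
            datetime.now(timezone.utc) + timedelta(days=ttl_days))
        return f"{PREFIX}{token_id}.{secret}"     # shown once; only the hash survives

    def create(self, caller: Principal, group: str, ttl_days: int = 90) -> str:
        _require_interactive(caller)
        return self._mint(caller.user, group, ttl_days)

    def rotate(self, caller: Principal, token_id: str, ttl_days: int = 90) -> str:
        _require_interactive(caller)
        old = self.tokens.get(token_id)
        if old is None or old.owner != caller.user:
            raise PermissionError("no such token for this user")
        del self.tokens[token_id]                # old secret is dead from this moment
        return self._mint(old.owner, old.permission_group, ttl_days)

    def authenticate(self, presented: str, source_ip: str, now=None) -> Optional[Principal]:
        head, sep, secret = presented.partition(".")
        if not sep or not head.startswith(PREFIX):
            return None
        rec = self.tokens.get(head[len(PREFIX):])
        if rec is None or not hmac.compare_digest(_hash(secret), rec.secret_hash):
            return None
        now = now or datetime.now(timezone.utc)
        if now >= rec.expires_at:
            return None
        rec.last_used_at, rec.last_used_from = now, source_ip
        return Principal(rec.owner, via_token=rec.token_id)

    def list_tokens(self, owner: str):
        return [t for t in self.tokens.values() if t.owner == owner]


def effective_permissions(principal: Principal, user_perms: set, group_perms: set) -> set:
    """A token may do only what its group allows, and never more than its owner can."""
    if principal.via_token is None:
        return set(user_perms)
    return set(user_perms) & set(group_perms)
```

Two points worth noting in the design: lookup is by the public `token_id` so the comparison of the secret is a single constant-time check against one stored hash, and `rotate` deletes the old record before minting the replacement, so there is no moment at which both secrets are valid.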
Rate Limiting
To keep the platform stable and protect accounts from brute-force attempts, sign-in and other sensitive endpoints (login, registration, access requests, password reset, and session verification) are rate-limited per user and per public IP address.
Warning
When you exceed the limit, the request returns an HTTP 429 (Too Many Requests) response and further requests from that source are rejected for a cool-down period. Build exponential backoff into any automated integration so that a burst of requests does not trigger a lockout.
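Both sides of the rate-limiting contract, as an added example that is not Mirox's code: a sliding-window limiter keyed per user and per public IP that answers 429 with a `Retry-After` header, and a client retry loop using exponential backoff with full jitter that honours the server's hint. The limits (5 per user and 20 per IP per minute) and the `login()` endpoint shape are assumptions for the example; Mirox's real limits are not given on this page.

```python
import math
import random
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key inside any `window` seconds."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit, self.window = limit, window_seconds
        self.hits = {}                       # key -> deque of hit timestamps

    def check(self, key: str, now: float):
        """Return (allowed, retry_after_seconds). A refused hit is not recorded."""
        q = self.hits.setdefault(key, deque())
        while q and q[0] <= now - self.window:
            q.popleft()                      # drop hits that have left the window
        if len(q) >= self.limit:
            return False, math.ceil(q[0] + self.window - now)
        q.append(now)
        return True, 0


PER_USER = SlidingWindowLimiter(limit=5, window_seconds=60)   # assumed values
PER_IP = SlidingWindowLimiter(limit=20, window_seconds=60)    # assumed values


def login(username: str, source_ip: str, now: float):
    """Minimal sign-in endpoint: both limiters are consulted and either may refuse."""
    ok_ip, wait_ip = PER_IP.check(source_ip, now)
    # normalise the username so 'Bob' and 'bob' share a bucket
    ok_user, wait_user = PER_USER.check(username.strip().lower(), now)
    if not (ok_ip and ok_user):
        return 429, {"Retry-After": str(max(wait_ip, wait_user))}
    return 200, {}       # credential checking would follow here


def call_with_backoff(request, max_attempts: int = 5, base: float = 1.0,
                      cap: float = 30.0, sleep=time.sleep, rng=random.random) -> int:
    """Client side: retry on 429 with exponential backoff and full jitter.

    `request` returns (status, headers). The server's Retry-After, when present,
    is a floor: we never retry sooner than the server asked. `sleep` and `rng`
    are injectable so the loop can be tested without waiting.
    """
    for attempt in range(max_attempts):
        status, headers = request()
        if status != 429:
            return status
        server_hint = float(headers.get("Retry-After", 0))
        delay = min(cap, base * 2 ** attempt) * rng()     # full jitter in [0, cap]
        sleep(max(server_hint, delay))
    return 429      # give up; let the caller surface the lockout rather than hammer on
```

Refused attempts are deliberately not recorded in the window, so a client that keeps retrying does not push its own unlock time further out; what does extend it is the server's cool-down, which the `Retry-After` value communicates and the client must respect.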
Administrative Access
In rare support situations, a Mirox platform administrator may temporarily access your account to investigate an issue on your behalf.
- This requires a logged reason and is recorded in a dedicated audit trail.
- Only standard user accounts can be accessed this way; administrator accounts cannot be accessed like this, not even by other administrators.
- The access is short-lived and ends automatically; while it is active, a banner makes the access visible.
Working with the Permission System
Authentication answers who you are; the permission system answers what you can reach. The two work together on every request:
- Authentication establishes your identity from your session or API token.
- The permission system evaluates what that identity is allowed to do.
- Every operation is checked against your permissions before it runs.
This separation keeps access control flexible without weakening the guarantee that you only ever see your own resources.
Related Features
- Permission System — how roles and resource access are evaluated once you are signed in
- API Tokens — scoped, rotatable credentials for machine-to-machine access
- Audit Log — the immutable record of access to your plants and devices
- Invitations — how new users and organizations are onboarded