Signing in & security

How passwordless sign-in works, signing out of every device, and how the CLI and agents authenticate as you.

Two ways in, no passwords

Every sign-in is one of:

  • Continue with GitHub — standard OAuth; we never see your GitHub credentials.
  • Email code — a 6-digit code sent to your email, valid for 10 minutes. Codes are single-use; if one expires, request another.

There is no password on your account — so there’s nothing to be phished, reused from another breach, or reset. If someone controls your email or GitHub, they control your Crawlie account, so keep two-factor on those.

Didn’t get a code?

Check spam for mail from notifications@crawlie.app, and give it a minute — codes occasionally take a moment. Requesting a new code invalidates the old one.

Signing out everywhere

Settings → Profile → Sign out of all devices revokes every active session — every browser, every machine. Use it if you signed in on a shared computer or anything feels off.

Other things acting as you

  • API keys authenticate scripts and agents as your account. Review and revoke them in Settings → API keys — see API keys.
  • The CLI and desktop app sign in through a device code you approve in the browser (crawlie login), using the same passwordless identity.
  • MCP clients (Claude, Cursor, …) connect via OAuth — you approve them in a normal Crawlie sign-in screen. See The hosted MCP server.

Still stuck? Email us — a human replies, usually within a day.