Signing in & security
How passwordless sign-in works, signing out of every device, and how the CLI and agents authenticate as you.
Two ways in, no passwords
Every sign-in is one of:
- Continue with GitHub — standard OAuth; we never see your GitHub credentials.
- Email code — a 6-digit code sent to your email, valid for 10 minutes. Codes are single-use; if one expires, request another.
There is no password on your account — so there’s nothing to be phished, reused from another breach, or reset. If someone controls your email or GitHub, they control your Crawlie account, so keep two-factor on those.
Didn’t get a code?
Check spam for mail from notifications@crawlie.app, and give it a minute — codes occasionally take a moment. Requesting a new code invalidates the old one.
Signing out everywhere
Settings → Profile → Sign out of all devices revokes every active session — every browser, every machine. Use it if you signed in on a shared computer or anything feels off.
Other things acting as you
- API keys authenticate scripts and agents as your account. Review and revoke them in Settings → API keys — see API keys.
- The CLI and desktop app sign in through a device code you approve in the browser
(
crawlie login), using the same passwordless identity. - MCP clients (Claude, Cursor, …) connect via OAuth — you approve them in a normal Crawlie sign-in screen. See The hosted MCP server.
Still stuck? Email us — a human replies, usually within a day.