Access control
Access control in Gamemanage works at two layers. Your account establishes who you are; it is protected by your sign-in methods and optional 2FA. Per-server roles determine what a signed-in account is allowed to do on each individual server. This page covers both.
Signing in
You can create an account and sign in with any of these methods:
- Email and password
- Discord OAuth
- Google OAuth
- Passkeys (WebAuthn, using your device biometrics or a security key)
All of these end up at the same account. If you first signed up with email and password, you can later link Discord, Google, or a passkey and use whichever is convenient. A passkey is the fastest option once it is set up, since there is no password to type or 2FA prompt to clear; because a WebAuthn credential is bound to the site's origin, it also cannot be phished the way a password or TOTP code can. Keep in mind that every linked method is a full way into the account, so a Discord or Google account you link should be protected at least as well as the Gamemanage account itself.
Two-factor authentication
TOTP-based 2FA is optional but recommended for any account that can change a running server. Enable it under your account settings. You scan a QR code into an authenticator app (Authy, Google Authenticator, 1Password, or similar) and confirm one code to turn it on.
When you enable 2FA you are shown a set of one-time backup codes. Save them somewhere you can reach without your phone, for example a password manager.
Note: Backup codes are shown once and never again. If you lose your authenticator device and have no backup codes, you cannot get past the 2FA prompt yourself and will need account recovery. Store the codes before you close that screen.
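The following is an added illustration of how a TOTP second factor with one-time backup codes is verified on the server side; it is not Gamemanage's code. It implements RFC 4226 HOTP and RFC 6238 TOTP over HMAC-SHA1 (the scheme authenticator apps use) and uses the RFC 6238 test key as a constructed demo secret. The class name, the one-step clock-skew window, the replay check and the `xxxxx-xxxxx` backup-code format are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret: the RFC 6238 test key "12345678901234567890", base32-encoded
# as it would appear in the otpauth:// URI behind a QR code. Not a real account secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30       # TOTP time step in seconds
DIGITS = 6


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret_b32, unix_time // STEP)


def generate_backup_codes(count: int = 8) -> list[str]:
    """Random one-time codes in the (assumed) form shown to the user once, e.g. 'a1b2c-3d4e5'."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(5)           # 40 bits of entropy per code
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def _hash_backup(code: str, salt: bytes) -> bytes:
    # Slow hash on purpose: backup codes are short, so a leaked table must not be cheap to brute-force.
    normalized = code.replace("-", "").strip().lower().encode()
    return hashlib.scrypt(normalized, salt=salt, n=2 ** 14, r=8, p=1)


class SecondFactor:
    """Server-side 2FA state for one account: TOTP secret plus hashed one-time backup codes."""

    def __init__(self, secret_b32: str, backup_codes: list[str], window: int = 1):
        self.secret_b32 = secret_b32
        self.window = window                 # accept codes from +/- this many steps (clock skew)
        self.last_counter_used = -1          # highest counter already accepted, to block replay
        self._salt = secrets.token_bytes(16)
        # Only hashes are stored; the plaintext codes exist only on the screen shown once.
        self._backup_hashes = {_hash_backup(c, self._salt) for c in backup_codes}

    def verify_totp(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter_used:
                continue                     # a code for this step was already consumed
            if hmac.compare_digest(hotp(self.secret_b32, counter), code):
                self.last_counter_used = counter
                return True
        return False

    def verify_backup(self, code: str) -> bool:
        digest = _hash_backup(code, self._salt)
        match = next((h for h in self._backup_hashes if hmac.compare_digest(h, digest)), None)
        if match is None:
            return False
        self._backup_hashes.remove(match)    # one-time: the same code is never accepted again
        return True

    def backup_codes_remaining(self) -> int:
        return len(self._backup_hashes)


if __name__ == "__main__":
    sf = SecondFactor(DEMO_SECRET_B32, generate_backup_codes())
    print("code at T=59:", totp(DEMO_SECRET_B32, 59))        # 287082 per RFC 6238
    print("accepted:", sf.verify_totp("287082", 59))
    print("replay accepted:", sf.verify_totp("287082", 59))  # False
```

Two details matter for the "shown once, never again" note above: the server keeps only salted slow hashes of the backup codes, so nobody can re-display them later, and each hash is deleted the moment its code is used, so a code written down in two places still works exactly once.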
Sessions
Once you sign in, your session lives in an httpOnly cookie. Your browser sends it automatically on requests to Gamemanage, and client-side JavaScript cannot read it, so a script injected into a page cannot copy the token out. Note that httpOnly only blocks reading the cookie; the browser still attaches it to requests, which is what SameSite attributes and CSRF protections exist to control. Signing out clears the cookie. If you suspect a session is compromised, sign out, change your password if you use one, and revoke Gamemanage's authorization in the connected-apps settings of any linked Discord or Google account so a stolen OAuth grant cannot be reused.
Per-server roles
Being in your team is not the same as being able to change every server. Each server has its own member list with a role per member, and the role gates what that person can touch: viewing live monitoring, running console commands, editing config and files, triggering backups, and performing rollbacks. A member with a read-only role on one server can still have full control on another.
Every action that changes a server is written to that server's audit log, so you can see who restarted, who edited a file, and who rolled back. Per-server roles and the audit log are part of the Pro plan.
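To make the per-server model concrete, here is an added example (not Gamemanage's code) of a default-deny, per-server role check that writes an audit entry for every state-changing action. The role names, the permission strings and the sample team are hypothetical; the page only says that roles are per server and that viewing, console, config and file edits, backups and rollbacks are gated.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role names and permission sets for this example. The permission strings
# correspond to the action kinds the page lists; a real product will differ.
ROLE_PERMISSIONS = {
    "viewer":   {"monitor.view"},
    "operator": {"monitor.view", "console.run", "backup.trigger"},
    "admin":    {"monitor.view", "console.run", "backup.trigger",
                 "config.edit", "file.edit", "rollback"},
}
# Actions that change server state and therefore must land in that server's audit log.
MUTATING = {"console.run", "backup.trigger", "config.edit", "file.edit", "rollback"}


@dataclass
class AuditEntry:
    server_id: str
    user: str
    action: str
    detail: str
    at: datetime


@dataclass
class Server:
    server_id: str
    members: dict[str, str]                     # user -> role; absent user means no access at all
    audit_log: list = field(default_factory=list)

    def role_of(self, user: str):
        return self.members.get(user)

    def can(self, user: str, action: str) -> bool:
        # Default deny: no membership on this server means no permission, team or not.
        role = self.role_of(user)
        return role is not None and action in ROLE_PERMISSIONS.get(role, set())

    def perform(self, user: str, action: str, detail: str = "") -> bool:
        if not self.can(user, action):
            raise PermissionError(f"{user} may not {action} on {self.server_id}")
        if action in MUTATING:
            self.audit_log.append(
                AuditEntry(self.server_id, user, action, detail, datetime.now(timezone.utc)))
        return True


def build_demo_team() -> dict[str, Server]:
    """Constructed sample: one team, two servers, roles assigned independently per server."""
    return {
        # alice runs "survival" but may only watch "creative"; bob is not on "creative" at all.
        "survival": Server("survival", {"alice": "admin", "bob": "operator"}),
        "creative": Server("creative", {"alice": "viewer", "carol": "admin"}),
    }


if __name__ == "__main__":
    team = build_demo_team()
    team["survival"].perform("alice", "rollback", "restore snapshot 12")
    for server in team.values():
        for user in ("alice", "bob", "carol"):
            print(server.server_id, user, server.role_of(user),
                  "rollback" if server.can(user, "rollback") else "no rollback")
    for entry in team["survival"].audit_log:
        print(entry.at.isoformat(), entry.server_id, entry.user, entry.action, entry.detail)
```

The check is keyed on the server first and the user second, which is what makes a read-only role on one server and full control on another natural rather than a special case. Read-only actions are permitted silently; only mutating ones produce an audit record.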
Rate limiting
The authentication endpoints (sign-in, password checks, and 2FA code verification) are rate limited. Repeated failed attempts are throttled, which blunts credential stuffing and brute force against your account, including attempts to guess a six-digit TOTP code by trying codes in bulk. If you trip the limit during a legitimate login, wait a short while and try again rather than retrying in a tight loop, which only adds more attempts to the count.