Security

Protect your Rheopay account with two-factor authentication, session management, and the activity audit log.

Rheopay includes several security features to protect your account and the payment data it handles.


Two-factor authentication (2FA)

Two-factor authentication adds a second verification step at login, so a stolen or guessed password alone is not enough to get into your account.

Enabling 2FA

  1. Go to Settings → Security.
  2. Click Enable Two-Factor Authentication.
  3. From this point, after entering your password at login you will receive a one-time code by email.
  4. Enter the code to complete the login.

Use a reliable email address

OTP codes are delivered by email, so your Rheopay account is only as well protected as that mailbox: use an address you will always be able to access and secure it with its own 2FA. If you lose access to your email while 2FA is enabled, contact support to regain access.

Disabling 2FA

Go to Settings → Security and click Disable Two-Factor Authentication. You will be asked to confirm with your current password.


Password management

Changing your password

Go to Settings → Security → Change Password. You must enter your current password and confirm the new one.

Passwords must be at least 8 characters. Treat that as a floor rather than a target: a longer passphrase is far harder to guess than a short password padded with numbers and symbols, and a mix of letters, numbers, and symbols helps further.

Resetting a forgotten password

On the login screen click Forgot password and enter your email. A reset link is sent to that address. The link is valid for 1 hour.

Use a password manager

A password manager generates and stores strong, unique passwords. We recommend using one for your Rheopay account.


Active sessions

Go to Settings → Security → Sessions to see all currently active login sessions for your account, including:

  • Device and browser information
  • IP address
  • Last activity time
  • Location (approximate, based on IP)

Ending a session

Click Revoke next to any session to log that session out immediately; its next request to Rheopay is rejected. Do this if you suspect unauthorized access, see a session from a device or location you do not recognize, or left a session open on a shared device.

Ending all other sessions

Click Revoke all other sessions to log out every session except the one you are currently using.


Activity log

The activity log records actions taken within your account, each with a timestamp, the user who performed it, and the originating IP address.

Go to Settings → Activity Log to browse the log.

Logged events include

  • Login and logout events
  • Failed login attempts
  • Payment link creation, activation, deactivation, and deletion
  • Transaction refunds
  • Team member invitations and role changes
  • Settings changes (payment providers, webhooks, email templates)
  • API key creation and revocation

Plan requirement

The activity log is available on plans that include the activity_log feature. Check Settings → Billing for your current plan.
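The timestamp, user, and IP on every entry are enough to spot the classic sign-in abuse patterns by hand, but it is easier to script the review. The following is an added example, not Rheopay's own tooling; it assumes the entries have been copied out as one JSON object per line with `ts`, `user`, `event`, and `ip` fields, and the event names (`login`, `login_failed`, `api_key.created`, and the rest of `SENSITIVE_EVENTS`) are assumed names for the event kinds listed above. The log lines are constructed for the demo.

```python
"""Added example: reviewing activity-log entries for sign-in abuse.
Not Rheopay code. The JSON Lines layout, field names and event names are
assumptions, and SAMPLE_LOG is constructed for the demo."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_LIMIT = 5                         # failed logins from one IP ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)    # ... within this window
# Assumed names for the logged actions that matter most if a session is hijacked.
SENSITIVE_EVENTS = {
    "api_key.created", "api_key.revoked", "webhook.updated",
    "payment_provider.updated", "team_member.invited", "team_member.role_changed",
}

# Constructed entries: a normal morning login, then five failed logins from an
# unknown IP, a successful login from it, and an API key created minutes later.
SAMPLE_LOG = """\
{"ts": "2026-03-01T08:00:00Z", "user": "alice@example.com", "event": "login", "ip": "203.0.113.10"}
{"ts": "2026-03-01T08:05:00Z", "user": "alice@example.com", "event": "payment_link.created", "ip": "203.0.113.10"}
{"ts": "2026-03-01T22:10:00Z", "user": "alice@example.com", "event": "login_failed", "ip": "198.51.100.7"}
{"ts": "2026-03-01T22:10:40Z", "user": "alice@example.com", "event": "login_failed", "ip": "198.51.100.7"}
{"ts": "2026-03-01T22:11:20Z", "user": "alice@example.com", "event": "login_failed", "ip": "198.51.100.7"}
{"ts": "2026-03-01T22:12:00Z", "user": "alice@example.com", "event": "login_failed", "ip": "198.51.100.7"}
{"ts": "2026-03-01T22:12:40Z", "user": "alice@example.com", "event": "login_failed", "ip": "198.51.100.7"}
{"ts": "2026-03-01T22:14:30Z", "user": "alice@example.com", "event": "login", "ip": "198.51.100.7"}
{"ts": "2026-03-01T22:15:00Z", "user": "alice@example.com", "event": "api_key.created", "ip": "198.51.100.7"}
{"ts": "2026-03-01T23:00:00Z", "user": "bob@example.com", "event": "login", "ip": "192.0.2.5"}
"""


def parse(log_text):
    """Return entries in timestamp order; blank lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            entries.append(rec)
    return sorted(entries, key=lambda r: r["ts"])


def review(log_text):
    """Return findings as (kind, user, ip, iso_timestamp) tuples, in log order."""
    findings = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    known_ips = defaultdict(set)    # user -> IPs that user has logged in from before
    suspect_ips = set()             # IPs already involved in a finding
    for rec in parse(log_text):
        ts, user, ip, event = rec["ts"], rec["user"], rec["ip"], rec["event"]
        if event == "login_failed":
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > FAILED_LOGIN_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) == FAILED_LOGIN_LIMIT:           # fires once as the burst reaches the limit
                findings.append(("failed_login_burst", user, ip, ts.isoformat()))
                suspect_ips.add(ip)
        elif event == "login":
            # A user's first-ever login has no history to compare against, so it is not flagged.
            if known_ips[user] and ip not in known_ips[user]:
                findings.append(("login_from_new_ip", user, ip, ts.isoformat()))
                suspect_ips.add(ip)
            known_ips[user].add(ip)
        elif event in SENSITIVE_EVENTS and ip in suspect_ips:
            findings.append(("sensitive_action_from_suspect_ip", user, ip, ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

On the sample data this reports the fifth failed login from 198.51.100.7, the successful login from that IP (Alice had only ever logged in from 203.0.113.10), and the API key created from it minutes later; Bob's first login is not flagged because there is no history for him yet. The third finding is the one to act on first: revoke the key, revoke the session, and change the password.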


Fraud detection

Rheopay automatically monitors for unusual activity patterns and raises a fraud flag when a pattern is detected. Flags are visible to Owners and Admins and to platform Admins.

Fraud flag types

Flag type: what it means

  • Creation rate: an unusually high number of links created in a short window.
  • Burst creation: a sudden spike in link creation after a period of low activity.
  • Amount spike: a link or transaction amount significantly higher than your recent average.
  • High failure ratio: a high proportion of payment attempts ending in failure.
  • New merchant spike: a newly registered merchant with an unusually high activity level.
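
To make the five flag types concrete, here is an added example that re-implements each heuristic over a merchant's recent events. It is not Rheopay's detection code and does not reproduce its real thresholds: the one-hour window, the ratios, the minimum counts, the `Event` layout and the event names `link_created`, `payment_succeeded` and `payment_failed` are all assumptions chosen for the demo, and the two merchants' event histories are constructed.

```python
"""Added example: a reference re-implementation of the five fraud-flag
heuristics. Not Rheopay's detection code; every threshold, window, field
and event name below is an assumption made for the demo."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str             # "link_created", "payment_succeeded" or "payment_failed" (assumed names)
    amount: float = 0.0   # link or payment amount; 0.0 when not applicable


# Assumed thresholds; tune against real traffic before relying on them.
WINDOW = timedelta(hours=1)
CREATION_RATE_MAX = 20          # links per WINDOW before "creation rate" fires
BURST_MIN_LINKS = 5             # links in the current WINDOW before "burst" can fire
BURST_RATIO = 5.0               # current WINDOW count vs the previous WINDOW count
AMOUNT_BASELINE = 5             # how many earlier amounts form the "recent average"
AMOUNT_SPIKE_RATIO = 5.0        # latest amount vs that average
FAILURE_MIN_ATTEMPTS = 10       # payment attempts in WINDOW before the ratio is judged
FAILURE_RATIO_MAX = 0.5
NEW_MERCHANT_AGE = timedelta(days=7)
NEW_MERCHANT_MAX_LINKS = 5      # total links a merchant younger than NEW_MERCHANT_AGE may create


def evaluate(registered_at: datetime, events: list, now: datetime) -> set:
    """Return the names of the fraud flags raised for one merchant."""
    flags = set()
    events = sorted(events, key=lambda e: e.ts)
    links = [e for e in events if e.kind == "link_created"]
    current = [e for e in links if now - WINDOW <= e.ts <= now]
    previous = [e for e in links if now - 2 * WINDOW <= e.ts < now - WINDOW]

    # Creation rate: too many links in the current window, regardless of history.
    if len(current) > CREATION_RATE_MAX:
        flags.add("creation_rate")

    # Burst creation: a quiet previous window followed by a much busier one.
    if len(current) >= BURST_MIN_LINKS and len(current) > BURST_RATIO * max(len(previous), 1):
        flags.add("burst_creation")

    # Amount spike: the newest amount against the mean of the amounts just before it.
    amounts = [e.amount for e in events if e.amount > 0]
    if len(amounts) > AMOUNT_BASELINE:
        baseline = amounts[-AMOUNT_BASELINE - 1:-1]
        if amounts[-1] > AMOUNT_SPIKE_RATIO * (sum(baseline) / len(baseline)):
            flags.add("amount_spike")

    # High failure ratio: share of failed payment attempts in the current window.
    attempts = [e for e in events
                if e.kind in ("payment_succeeded", "payment_failed")
                and now - WINDOW <= e.ts <= now]
    failed = sum(1 for e in attempts if e.kind == "payment_failed")
    if len(attempts) >= FAILURE_MIN_ATTEMPTS and failed / len(attempts) > FAILURE_RATIO_MAX:
        flags.add("high_failure_ratio")

    # New merchant spike: a recently registered merchant already creating many links.
    if now - registered_at <= NEW_MERCHANT_AGE and len(links) > NEW_MERCHANT_MAX_LINKS:
        flags.add("new_merchant_spike")

    return flags


NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)


def suspicious_merchant() -> set:
    """Constructed data: registered two days ago, quiet for an hour, then six links
    in 40 minutes (the last one more than ten times the usual size) while most
    payment attempts failed."""
    events = []
    for i in range(12):  # 12 attempts 55..44 minutes ago, the first 8 failed
        kind = "payment_failed" if i < 8 else "payment_succeeded"
        events.append(Event(NOW - timedelta(minutes=55 - i), kind, 20.0))
    for i, amount in enumerate([20.0, 25.0, 22.0, 18.0, 24.0, 300.0]):
        events.append(Event(NOW - timedelta(minutes=40 - 7 * i), "link_created", amount))
    return evaluate(NOW - timedelta(days=2), events, NOW)


def quiet_merchant() -> set:
    """Constructed data: an established merchant with steady, modest activity."""
    events = [Event(NOW - timedelta(minutes=m), "link_created", a)
              for m, a in ((100, 20.0), (80, 21.0), (40, 19.0), (20, 22.0))]
    events += [Event(NOW - timedelta(minutes=m), "payment_succeeded", 20.0) for m in (30, 10)]
    return evaluate(NOW - timedelta(days=400), events, NOW)


if __name__ == "__main__":
    print("suspicious:", sorted(suspicious_merchant()))
    print("quiet:", sorted(quiet_merchant()))
```

The suspicious merchant trips four of the five flags (burst creation, amount spike, high failure ratio, new merchant spike) but not creation rate, because six links in an hour is only alarming relative to its own quiet history; the quiet merchant trips none. Note that burst and creation-rate deliberately overlap: the former is sensitive to change, the latter to absolute volume, so a merchant can trigger either without the other.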

Resolving a fraud flag

When a flag is raised, review the associated links and transactions, and check the activity log for who created them and from which IP address. If the activity is legitimate, click Mark as resolved on the flag. If you believe the flag indicates actual fraud, contact support.


Role-based access control

Access to sensitive areas of Rheopay is restricted by role. Payment provider credentials, API keys, webhooks, and billing are only accessible to Owners and Admins. See Team Management for the full permissions matrix.


API key security

  • API keys grant full merchant-level API access. Treat them like passwords.
  • Rotate keys regularly — create a new key, update your integrations, then revoke the old key.
  • Revoke keys immediately if you suspect they have been exposed.
  • Never include API keys in client-side code, browser extensions, or public repositories.

See Webhooks & API for details on creating and revoking API keys.


Data retention and deletion

  • Customer personal data can be deleted on request from the Customer detail page. This replaces the name and email with anonymized values while keeping transaction records intact for accounting.
  • Transaction records are retained indefinitely for accounting and compliance purposes.
  • Activity log entries are retained per your plan's log retention policy.

© 2026 Rheopay. Built with Mordoc.