Security Settings

Configure two-factor authentication, manage active sessions, create and rotate API keys, and review the audit log for your DramWell organization.


Overview

DramWell provides several security controls to protect your organization's data. Owners and Admins can manage these settings from Settings > Security.


Two-Factor Authentication (2FA)

Two-factor authentication adds a second verification step at login beyond your password. DramWell supports TOTP authenticator apps (Google Authenticator, Authy, 1Password, and compatible apps).

Enabling 2FA for your account

  1. Go to Settings > Security > Two-Factor Authentication.
  2. Click Enable 2FA.
  3. Scan the QR code with your authenticator app.
  4. Enter the 6-digit code displayed in the app to confirm setup.
  5. Save your recovery codes in a secure location — these are the only way to recover access if you lose your authenticator device.
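The authenticator apps named above implement TOTP (RFC 6238): the QR code hands the app a shared secret, and both app and server derive the same 6-digit code from that secret and the current 30-second time step. The following is an added example, not DramWell's code, showing that derivation together with the checks a verifying server should perform (a small drift window, constant-time comparison, hashed single-use recovery codes). The demo secret is the RFC 6238 test key, and all function names are this example's own.

```python
# Added example (not DramWell's code): RFC 6238 TOTP, the scheme authenticator
# apps implement, with the checks a verifying server should perform.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Derive the code the app shows: HMAC-SHA1 over the 30-second counter,
    dynamically truncated to `digits` decimal digits."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, drift_steps: int = 1) -> bool:
    """Accept the code for the current step or `drift_steps` either side to
    tolerate clock skew. The comparison is constant-time; a real server should
    also rate-limit attempts and refuse to accept the same code twice."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp_code(secret, unix_time + k * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """The QR code carries the secret base32-encoded (otpauth:// URI); app and
    server decode it back to raw bytes before computing HMACs."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def new_recovery_codes(count: int = 10) -> List[str]:
    """Single-use recovery codes from a CSPRNG; store only their hashes server-side
    so a database leak does not hand out working codes."""
    return [secrets.token_hex(5) for _ in range(count)]


def hash_recovery_code(code: str) -> str:
    return hashlib.sha256(code.encode("ascii")).hexdigest()


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test key), not a real one.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    code = totp_code(demo_secret, now)
    print("current code:", code, "verifies:", verify_totp(demo_secret, code, now))
```

The drift window is why a code still works for a few seconds after the app rolls over to the next one, and why the server's clock must be NTP-synchronised: a server more than one step out of sync rejects every valid code.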

Requiring 2FA for all users

Owners can enforce 2FA org-wide:

  1. Go to Settings > Security > Policies.
  2. Enable Require 2FA for all users.
  3. Click Save.

Users who do not have 2FA configured will be prompted to enable it on their next login and will not be able to access the platform until they complete setup.


Session Management

Active sessions represent devices and browsers where your account is currently logged in. You can review and revoke sessions from Settings > Security > Active Sessions.

Each session entry shows:

  • Browser and operating system
  • IP address and approximate location
  • Last active timestamp

To revoke a session, click Revoke next to it. The session is invalidated immediately and the user is logged out on that device. To revoke all sessions except your current one, click Revoke All Other Sessions.


API Key Management

API keys allow server-to-server integrations to authenticate with the DramWell API without a user session. Only Owners and Admins can manage API keys.

Creating an API key

  1. Go to Settings > Security > API Keys.
  2. Click Create API Key.
  3. Give the key a descriptive label (e.g., zapier-integration, nightly-sync).
  4. Select the environment: Live or Test.
  5. Click Generate.
  6. Copy the key immediately — it is only displayed once.

Rotating an API key

To rotate a key without downtime:

  1. Create a new key.
  2. Update your integration to use the new key.
  3. Verify the integration is working correctly.
  4. Revoke the old key.

Revoking an API key

Click Revoke next to any key. Revocation is immediate — any in-flight requests using that key will fail with a 401 error.
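The rotation steps above and the immediate 401 on revocation are easiest to see from the integration's side. The following is an added example, not DramWell's code: it switches to a new key only after a real authenticated request with it has succeeded, and it turns the 401 a revoked key produces into an explicit error. This page does not document the DramWell API endpoints, so the API is represented by injected callables that take a key and return an HTTP status; FakeDramWellApi and the key values are constructed stand-ins so the example runs offline.

```python
# Added example (not DramWell's code): the integration side of a zero-downtime
# API key rotation. The DramWell API itself is not specified on this page, so
# it is modelled by callables that take a key and return an HTTP status code.
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional


class KeyRevoked(Exception):
    """The key in use answered 401: it has been revoked (or never existed)."""


@dataclass
class ApiKeyStore:
    """Holds the key an integration currently sends. In production this would
    be a secrets-manager entry rather than a Python object."""
    current: str
    previous: Optional[str] = None   # retained only until the new key is verified


def key_fingerprint(key: str) -> str:
    """Short SHA-256 prefix for logging which key was used without logging the key."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()[:8]


def rotate_key(store: ApiKeyStore, new_key: str, probe: Callable[[str], int]) -> bool:
    """Steps 2 and 3 of the rotation procedure: switch to the new key only after
    an authenticated request with it has succeeded. Returns False and leaves the
    store untouched if the new key is rejected, so the old key is never revoked
    on the strength of an untested replacement."""
    status = probe(new_key)
    if status == 401:
        return False
    if status >= 400:
        raise RuntimeError(f"verification request failed with HTTP {status}")
    store.previous, store.current = store.current, new_key
    return True


def call_with_key(store: ApiKeyStore, request: Callable[[str], int]) -> int:
    """Send one request with the current key, turning the 401 that follows a
    revocation into an explicit error rather than a silent failure."""
    status = request(store.current)
    if status == 401:
        raise KeyRevoked(f"key {key_fingerprint(store.current)} returned 401")
    return status


def rotate_and_revoke(store: ApiKeyStore, new_key: str,
                      request: Callable[[str], int], revoke: Callable[[str], None]) -> bool:
    """Steps 2 to 4: verify and switch, then revoke the old key. Step 1 (creating
    the key) is done by an Owner or Admin in the UI. Returns False if the new
    key never worked, in which case nothing is revoked."""
    if not rotate_key(store, new_key, request):
        return False
    revoke(store.previous)
    store.previous = None
    return True


class FakeDramWellApi:
    """Constructed stand-in for the API: a key authenticates while it is live."""

    def __init__(self, live_keys):
        self.live_keys = set(live_keys)

    def request(self, key: str) -> int:
        return 200 if key in self.live_keys else 401

    def revoke(self, key: str) -> None:
        self.live_keys.discard(key)   # immediate: later requests with it get 401


if __name__ == "__main__":
    api = FakeDramWellApi({"dw_test_old_0001"})          # constructed key values
    store = ApiKeyStore(current="dw_test_old_0001")
    api.live_keys.add("dw_test_new_0002")                  # step 1 done in the UI
    print("rotated:", rotate_and_revoke(store, "dw_test_new_0002", api.request, api.revoke))
    print("old key now returns", api.request("dw_test_old_0001"))
```

Logging the fingerprint rather than the key itself lets you match integration logs against the api_key.created and revocation entries in the audit log without copying secrets into log storage.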


Audit Log

The audit log records security-relevant actions taken by users in your organization. It is retained for 12 months and is accessible to Owners and Admins only.

Go to Settings > Security > Audit Log to view the log. Each entry includes:

Field        Description
Timestamp    When the action occurred
User         Who performed the action
Action       What was done (e.g., user.invited, api_key.created, invoice.deleted)
Resource     The affected resource and its ID
IP address   The IP from which the action was performed

The log can be filtered by date range, user, or action type. You can also export it as a CSV for compliance or incident response purposes.
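A CSV export with the five fields above is straightforward to work with in a script during incident response. The following is an added example, not DramWell's code: it parses an export, reproduces the date, user and action filters of the UI, and runs one triage check, flagging actions a user performed from an IP address they had not used earlier in the export. The rows, users and addresses are constructed for the example; the action names are the ones this page lists.

```python
# Added example (not DramWell's code): filtering and triaging a CSV export of
# the audit log. The rows below are constructed to match the fields on this page.
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

SAMPLE_EXPORT = """Timestamp,User,Action,Resource,IP address
2024-03-01T09:12:04Z,alice@example.com,user.invited,user/u_184,203.0.113.10
2024-03-01T09:30:51Z,alice@example.com,api_key.created,api_key/k_771,203.0.113.10
2024-03-02T22:41:13Z,bob@example.com,invoice.deleted,invoice/inv_5520,198.51.100.7
2024-03-03T03:02:39Z,alice@example.com,api_key.created,api_key/k_772,198.51.100.7
2024-03-03T08:15:00Z,bob@example.com,user.invited,user/u_185,198.51.100.7
"""


@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime
    user: str
    action: str
    resource: str
    ip: str


def parse_ts(value: str) -> datetime:
    """Timestamps in the export are assumed to be ISO-8601 UTC with a Z suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_audit_csv(text: str) -> List[AuditEntry]:
    reader = csv.DictReader(io.StringIO(text))
    entries = [AuditEntry(parse_ts(r["Timestamp"]), r["User"], r["Action"],
                          r["Resource"], r["IP address"]) for r in reader]
    return sorted(entries, key=lambda e: e.timestamp)


def filter_entries(entries: List[AuditEntry], start: Optional[str] = None,
                   end: Optional[str] = None, user: Optional[str] = None,
                   action: Optional[str] = None) -> List[AuditEntry]:
    """Mirror the UI filters: start inclusive, end exclusive, exact user/action match."""
    lo = parse_ts(start) if start else None
    hi = parse_ts(end) if end else None
    out = []
    for e in entries:
        if lo is not None and e.timestamp < lo:
            continue
        if hi is not None and e.timestamp >= hi:
            continue
        if user is not None and e.user != user:
            continue
        if action is not None and e.action != action:
            continue
        out.append(e)
    return out


def actions_from_new_ip(entries: List[AuditEntry]) -> List[AuditEntry]:
    """Flag entries where a user acts from an IP not seen in any earlier entry
    for that user. A user's first entry only sets the baseline and is not flagged."""
    seen: Dict[str, Set[str]] = {}
    flagged = []
    for e in sorted(entries, key=lambda e: e.timestamp):
        ips = seen.setdefault(e.user, set())
        if ips and e.ip not in ips:
            flagged.append(e)
        ips.add(e.ip)
    return flagged


if __name__ == "__main__":
    entries = parse_audit_csv(SAMPLE_EXPORT)
    for e in actions_from_new_ip(entries):
        print(f"{e.timestamp.isoformat()} {e.user} {e.action} {e.resource} from new IP {e.ip}")
```

On the constructed rows the check singles out one event: an api_key.created in the early hours from an address the user had never used before, which is exactly the kind of entry worth reading next to the API Keys page. With a real export, seed the baseline from a longer history than the window you are investigating, or every user's first row in the window will set its own baseline.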


Password Policy

DramWell enforces a minimum password length of 12 characters. Owners can optionally enforce stronger policies from Settings > Security > Policies:

  • Minimum length (up to 32 characters)
  • Require mixed case, numbers, and special characters
  • Password expiration period (30, 60, or 90 days)
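The options above map onto a small set of checks. The following is an added example, not DramWell's code: a checker that rejects a policy outside the bounds the page states (a 12-character floor, a 32-character ceiling, expiry of 30, 60 or 90 days) and reports which rules a given password breaks. The violation labels and the date handling are this example's own.

```python
# Added example (not DramWell's code): a checker for the password policy options
# this page lists. The 12-character floor, 32-character ceiling and 30/60/90-day
# expiry choices come from the page; the violation labels are this example's own.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12               # platform floor; Owners may raise it up to 32
    require_complexity: bool = False   # mixed case, numbers and special characters
    expiry_days: Optional[int] = None  # 30, 60 or 90 when expiration is enabled

    def __post_init__(self):
        if not 12 <= self.min_length <= 32:
            raise ValueError("min_length must be between 12 and 32")
        if self.expiry_days not in (None, 30, 60, 90):
            raise ValueError("expiry_days must be 30, 60, 90 or None")


def check_password(policy: PasswordPolicy, password: str,
                   last_changed: Optional[str] = None,
                   today: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password
    is acceptable under this policy. Dates are ISO strings such as "2024-01-31"."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too_short")
    if policy.require_complexity:
        has_lower = any(c.islower() for c in password)
        has_upper = any(c.isupper() for c in password)
        if not (has_lower and has_upper):
            problems.append("needs_mixed_case")
        if not any(c.isdigit() for c in password):
            problems.append("needs_digit")
        if not any(c in SPECIALS for c in password):
            problems.append("needs_special")
    if policy.expiry_days is not None and last_changed is not None:
        reference = date.fromisoformat(today) if today else date.today()
        age_days = (reference - date.fromisoformat(last_changed)).days
        if age_days >= policy.expiry_days:
            problems.append("expired")
    return problems


if __name__ == "__main__":
    strict = PasswordPolicy(min_length=16, require_complexity=True, expiry_days=90)
    # Constructed sample inputs, not real credentials.
    print(check_password(strict, "correcthorsebattery"))
    print(check_password(strict, "Correct-Horse-Battery-7", last_changed="2024-01-01", today="2024-04-15"))
```

Returning every violation at once, rather than stopping at the first, lets the login or password-change form tell the user everything they need to fix in one round trip.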
