Skip to main content

Logging in and first-time setup

The dashboard at dashboard.drukverify.com has three entry-points: signing in as an existing user, accepting an invite as a new teammate, and the initial-admin setup flow when a tenant is first provisioned.

Returning users — sign in

  1. Open dashboard.drukverify.com, enter your email, hit Continue.
  2. Enter your password.
  3. Enter your 6-digit TOTP code from your authenticator app (Google Authenticator, 1Password, Authy, etc.). If you've lost access to your authenticator, click Use a backup code instead — each backup code is single-use.

On success the dashboard mints a dv_dash session cookie and redirects to /. Sessions expire after a fixed window; you'll be sent back to /login automatically.

First-time setup (initial admin)

When your tenant is first provisioned, ops sends you a one-time setup link of the form dashboard.drukverify.com/setup?token=<setup-token>. The token is single-use and time-bound (typically 24 hours).

  1. Open the link. The page validates the token and shows the email address it's bound to.
  2. Choose a password (rules enforced by the page — minimum length, mixed characters).
  3. Confirm the password and submit.
  4. You're redirected to /setup/totp?user=<id> to enroll your TOTP factor:
    • Scan the QR code with your authenticator app, or
    • Tap the manual-entry secret and paste it into your app.
  5. Enter a 6-digit code to verify the binding worked.
  6. Save the 8 backup codes shown — they're shown exactly once. Each is single-use and lets you log in if you lose access to your authenticator. Store them somewhere safe (password manager, sealed envelope, etc.).

Once TOTP is bound and a backup-code set is acknowledged, the dashboard mints your first dv_dash cookie and lands you on /.

Accepting an invite (teammate flow)

If an existing admin invites you, you'll receive an email with a link of the form dashboard.drukverify.com/setup?invite=<invite-token>. The flow is identical to the initial-admin setup above except:

  • The page shows the tenant name you're joining (not "creating") in the header.
  • The role assigned by the inviting admin (admin / developer / viewer) is fixed; you don't pick it.

Invite tokens expire in 7 days. If yours has expired, ask the inviting admin to re-send from the Team page.

Lost authenticator + backup codes gone

Contact ops@drukverify.com from the email address tied to your dashboard user. Ops will reset the TOTP binding after out-of-band identity verification. You'll then re-enroll TOTP and receive a fresh backup-code set.

Session lifecycle

  • dv_dash is a short-lived HTTP-only signed cookie. Don't try to read its value from JavaScript — there's nothing useful there.
  • A given user can be signed in from multiple devices simultaneously.
  • Signing out clears the cookie on the current device only. To revoke all sessions for a user (e.g. a departed teammate), have an admin remove them from the Team page — that invalidates every active session for that user.