9. Users
Per-tenant user management. Users are pre-created here (no self-signup in the MVP).
Adding a user
- Click "+ Add user".
- Fill in name + email.
- Pick a role (see chapter 2).
- Optionally restrict the user to specific organizational units (e.g. "Only the Ethiopia office").
- Save. The user receives an invite via magic-link email.
Inviting / re-inviting
Use the "Send invite" button on each row to send a fresh magic-link. Tokens expire after 15 minutes. The session cookie that's minted after a successful sign-in lasts:
- 8 hours when the user has no MFA enabled — short enough that a stolen laptop can't roam indefinitely.
- 30 days when the user has TOTP MFA enabled — comparable to GitHub / Linear / Notion. Two independent factors (email + TOTP) make the longer window acceptable, and it removes the daily "log in again" friction.
Every successful sign-in is also recorded with IP, country (Cloudflare-derived), and a short browser/OS label. When somebody signs in from an IP they haven't used in the last 30 days, togrant sends them a "new sign-in" email with the where + when + device, plus a link to the security page if it wasn't them. The notification skips the very first sign-in (no baseline to flag against).
Suspending
Toggle "Active". Suspended users keep their data but cannot log in. Use this instead of deleting — it preserves audit trail (notes, edits) attribution.
Two-factor authentication (TOTP)
Each user can enable two-factor on their own account from the shield icon in the top-right header (or Account → Security). The flow takes about a minute.
Recommended: Proton Pass (browser extension)
If your team uses Proton Pass — togrant.com's default password-manager recommendation for the Radical Fanatics stack — the setup and sign-in flow becomes nearly invisible:
- Install the Proton Pass browser extension (one-time, per device).
- Sign in to Proton Pass.
- On togrant.com, click Enable two-factor. A QR code appears.
- Click the Proton Pass icon that overlays the QR box (or open the extension popup) → Add to vault → Scan QR.
- Type the 6-digit code Proton Pass shows you back, click Activate two-factor.
From the next sign-in onward, Proton Pass autofills your email on /login, and after the magic-link click, autofills the current 6-digit TOTP code on the MFA challenge page. Zero typing. Same flow works on mobile via the Proton Pass app.
Alternative authenticators
The QR code is a standard TOTP enrollment URI, so it works with anything that does RFC 6238:
- 1Password, Bitwarden — same autofill experience as Proton Pass.
- Google Authenticator, Microsoft Authenticator, Authy, Aegis — phone-only apps; you type the 6 digits manually each sign-in.
If your scanner refuses the QR, try again with a steadier camera or check that the page isn't zoomed-out below 100%. The third fallback is the Manual entry table on the same page (secret key + Time-based · 30s · 6 digits · SHA1).
What happens at sign-in
- Enter email on
/login, click Send magic link. - Open the email, click the link (or it auto-opens if you stayed in the togrant tab).
- MFA challenge page: read the current 6-digit code from your authenticator (or let Proton Pass / 1Password autofill it), submit.
- You're in. Session lasts 30 days when MFA is on, 8 hours when off.
Security notes: the QR is rendered server-side as inline SVG by togrant.com — the TOTP secret never leaves the Worker, so no third-party QR API can see it. The two factors are email account possession (magic link) and TOTP secret possession (authenticator app). No password is involved or stored. If you lose your authenticator (new phone, factory reset), an Organization admin can disable two-factor on your account from the Users page so you can enroll again.