
Security

Sign-in methods, sessions, passkeys, two-factor auth, suspicious-activity alerts.

Reverie supports multiple sign-in methods per account and gives you tools to audit access. Most users should add at least two sign-in methods (one social + email, or passkey + email) so a single provider going down doesn't lock you out.

Sign-in methods

Settings → Security → Sign-in methods.

Supported:

  • Email + password
  • Google (OAuth)
  • Discord (OAuth)
  • Magic link (email one-time sign-in)

Add or remove methods at any time. The only restriction: your account always needs at least one method active.

Passwords

If you use a password:

  • Minimum 8 characters
  • Hashed at rest — we never see your plaintext password
  • Change anytime under Settings → Security → Change password

We strongly recommend using a password manager.

Two-factor authentication (TOTP)

For email/password accounts:

Settings → Security → Two-factor authentication → Enable. Scan the QR code with any authenticator app (1Password, Authy, Google Authenticator, etc.). Save the backup codes somewhere safe.

After you enable it, sign-in requires your password plus a 6-digit code.

OAuth sign-ins skip TOTP (the underlying provider already enforces multi-factor on its side).

Active sessions

Settings → Security → Active sessions.

Shows every active session: device, browser, IP location, last activity. Revoke any session with one tap — that device gets signed out immediately.

Use this if you signed in on someone else's device and forgot to sign out, or if you suspect unauthorized access.

Suspicious activity

Reverie sends an email to your registered address when:

  • A new device signs in
  • A sign-in happens from a new country
  • A password / TOTP / passkey is changed
  • A withdrawal is requested

If you didn't take the action, follow the "This wasn't me" link in the email — that revokes the session, locks the account, and lets you reset credentials.

Account recovery

If you've lost access:

  • Email + password lost? Use the "Forgot password" flow on the sign-in screen.
  • Authenticator device lost? Use the backup codes you saved when enabling TOTP.
  • All sign-in methods lost? Contact [email protected] with as much account info as you remember. Recovery is manual and may take a few days.

Bug bounty

Security researchers: we run a continuous responsible-disclosure program at [email protected]. Critical findings have a bounty range; see the bounty policy on the marketing site for details.

What we log

For security and abuse prevention, we log:

  • Sign-in events (timestamp, IP, device fingerprint)
  • Withdrawal requests
  • API key usage (per-key, per-endpoint)
  • Failed sign-in attempts

We don't log:

  • Chat contents (those are encrypted at rest and only the model + you can read them)
  • Specific characters you chat with for non-billing purposes
  • Voice call audio (transcripts are stored as messages; audio isn't)
