Enable 2FA (TOTP)
Settings → Security → Two-factor authentication. Scan the QR with Authy, 1Password, or Google Authenticator. Save the recovery codes offline.
Trust your devices
Mark frequently used devices as trusted to skip OTP on every login. Untrusted devices always require OTP.
Scope your API keys
Settings → API keys → Create. Grant the minimum scope needed (invoices:read, invoices:write, etc.). Rotate quarterly.