Safeguard.sh Documentation Center

Account Recovery & Keys

Reset or change your password, manage Guard SDK secret keys, and recover access when you're locked out of SSO.

Account Recovery & Keys

Password reset & change

  • Forgot password. POST /auth/api/v1/password/forgot with your account email. Safeguard emails a reset link; the token is valid for 24 hours. In the app, this is the "Forgot password?" link on the login screen.
  • Reset with token. POST /auth/api/v1/password/reset with the token from the email plus your new password. Password rules: minimum 8 characters, with at least one uppercase letter, one lowercase letter, one number, and one special character.
  • Change password (while signed in). POST /auth/api/v1/password/change with your current and new password. The same complexity rules apply.

Secret keys (Guard SDK)

Secret keys are self-service credentials the Guard SDK uses to pull live policy. They live under the base path /auth/api/v1/secret-keys.

  • Create. POST /auth/api/v1/secret-keys with a purpose. The plaintext key is returned only once, in the create response — Safeguard stores only a hash, so copy it immediately. If you lose it, revoke the key and create a new one.
  • List your keys. GET /auth/api/v1/secret-keys.
  • Revoke. POST /auth/api/v1/secret-keys/{id}/revoke disables the key so it stops working; you can create a replacement at any time.
  • Delete. DELETE /auth/api/v1/secret-keys/{id} removes it permanently.

These self-service secret keys are distinct from the user API keys and organization tokens covered in RBAC, Teams & Organizations — see that page for those credential types rather than duplicating them here.

Locked out of SSO / SSO provider down

  • You only have SSO and can't get in (the SSO provider is down, misconfigured, or an admin disabled SSO): use the "Request access" option on the login screen. This calls POST /auth/api/v1/sso/request-access and emails every Tenant Admin in your tenant that you've requested access, with a link for them to invite or link your account. So the first people who can help are your own tenant's Admins/Owners — they can re-enable SSO, invite you, or link your account.
  • If password login is still enabled for your tenant, use the password reset flow above as a fallback to get in without SSO.
  • If SSO is your only method and no admin is reachable (for example, the sole admin is themselves locked out): this needs Safeguard support — contact Safeguard support to arrange recovery.

For the admin-side emergency-access mechanism, see the Break-Glass section of RBAC, Teams & Organizations. For SSO setup, see SSO Authentication.

On this page