Account Setup

1. Registration

BoxOwl is in private beta. Creating an account requires an invite token sent to your email.

1. Open the BoxOwl Android app and tap Register.
2. Fill in:
   • Email
   • First name and last name — optional; saved to your vault Identity so the rest of the app can address you by name and pre-fill forms
   • Password — minimum 12 characters
   • Confirm password
   • Invite token — paste it from your welcome email. The helper text under the field links to boxowl.me if you need one.
   • Organization — optional. If you enter one, you'll be asked to acknowledge that data will be shared with that organization per its privacy policy.
   • Secure my account with Two-Factor Authentication — optional checkbox; if ticked, MFA setup launches right after registration.
3. Tap Create Account.

A primary email is automatically added to your vault on registration, and your first/last name (if entered) are saved to vault Identity. You can verify the email from Settings > Email after sign-up.

You won't pick a handle at registration. The server auto-assigns one in the form user-XXXX; you can change it later (see "Change Email or Handle" below). Your handle is what shapes your public profile URL at boxowl.me/u/<handle> if you enable Public Views.

2. Two-Factor Authentication (MFA)

MFA adds a second factor (a 6-digit code from your phone) to every login. Set it up the first time you reach the home screen.

1. Go to Settings > Two-Factor Authentication.
2. Scan the QR code with an authenticator app — Google Authenticator, Authy, 1Password, or Bitwarden all work.
3. Enter the 6-digit code shown in your app to confirm enrollment.
4. Save your recovery codes. BoxOwl shows you 8 single-use codes immediately after enrollment. Print them or store them in a separate password manager. If you lose your phone and your recovery codes, support cannot restore access.

At the next login the app prompts you for a 6-digit code. If you've lost your authenticator, tap Lost your authenticator? Use a recovery code on the verify screen and enter one of the codes you saved.

3. App Lock + Biometric Unlock

App Lock requires a device-level authentication (fingerprint, Face Unlock, or PIN) every time you open BoxOwl. It's separate from MFA — MFA protects the server session, App Lock protects local access on the phone.

1. Right after your first login the app offers to enable App Lock. Tap Enable.
2. If you skipped that prompt, you can enable it later under Settings > App Lock.
3. If your device has a registered fingerprint or face, BoxOwl uses it automatically. Otherwise it falls back to the device PIN/pattern.

Vault unlock is separate again. Passwords, payment methods, and secure notes are end-to-end encrypted with a vault passphrase (or device passkey) that's independent of your account password. See Security Best Practices for the full layering.

4. Forgot Password

If you can't recall your account password:

1. On the login screen, tap Forgot password?.
2. Enter your registered email and tap Send reset link.
3. Open the email and click the reset link. It expires after one hour. The link opens a reset form where you set a new password.

Resetting your account password does not touch your vault passphrase — your end-to-end encrypted entries stay encrypted under the same key. If you've also forgotten your vault passphrase, use the 12-word BIP-39 recovery phrase you wrote down during vault setup.

5. Manage Active Sessions

BoxOwl tracks every device that's signed in to your account. From Settings > Sessions you can:

• See each device's name, IP address, and last-used time.
• Sign out a specific device.
• Sign out of all other devices in one tap. This is the right move if you suspect your account is compromised.

You'll get an email any time a new device signs in. If you see one you don't recognize, sign it out from Sessions and rotate your password.

6. Change Email or Handle

From Settings > Account:

• Email — Enter the new address and your current password. We send a confirmation link to the new address; the change only takes effect once you click it, so a typo can't lock you out.
• Handle — Change your auto-assigned user-XXXX to something memorable, or rename later. Once changed, the old handle enters a 30-day cool-off before anyone else can claim it.

7. Delete Your Account

Open Settings > Account > Delete Account. You'll be asked to re-enter your password. Confirming wipes your vault, signs out every session, and soft-deletes the user row. There's no recycle bin — this is permanent.

If you want a backup before deleting, use Settings > Export Data first. You can save the file unencrypted or AES-256-GCM-encrypted with a passphrase you choose.