Accounts & sign-in

CT Watch runs its own OAuth 2.1 authorization server, and this website is just a client of it. That has a few consequences worth understanding.

The site never sees your password

Sign-up, sign-in, and everything security-related happen on CT Watch’s hosted pages, not here. When you click Sign in, the site sends your browser to CT Watch’s /authorize (an authorization-code request carrying a PKCE code challenge, as OAuth 2.1 requires). CT Watch authenticates you on its own login page and sends you back with a one-time authorization code, which the site exchanges for tokens server-side. The site only ever holds your session, never your credentials.

Two-factor

Two-factor is required; there is no opt-out. On your first sign-in, CT Watch asks you to add a second factor before you can finish signing in, so a password alone is never enough to get into your account. You choose between:

  • TOTP — an authenticator-app code.
  • Passkeys (WebAuthn) — a hardware or platform authenticator.

Afterwards, from Account & security (linked on your dashboard) you can add more factors and generate recovery codes: one-time backups for when you lose access to the factors above. Each code works once, so keep them somewhere offline.

MFA is enforced on CT Watch’s hosted pages rather than by this site, so it applies equally to browser and CLI sign-in.

Sessions

After sign-in, the site stores your CT Watch tokens server-side and gives your browser only an opaque, HttpOnly session cookie; the access and refresh tokens never reach the page, so script running in the browser cannot read them. The session refreshes itself in the background and lasts up to seven days of inactivity. Signing out drops it immediately.
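The two pieces described above (the redirect to /authorize with a PKCE challenge, and the server-side session keyed by an opaque cookie) in one runnable sketch. This is an added example, not CT Watch's own code: the issuer host, client_id, redirect URI and the token-endpoint behaviour are assumed placeholders, and a small fake authorization server stands in for the hosted pages (it skips login and MFA entirely) so the exchange runs offline.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://auth.ctwatch.example"        # assumed: CT Watch's authorization server
CLIENT_ID = "ctw-website"                        # assumed client identifier for this site
REDIRECT_URI = "https://app.ctwatch.example/cb"  # assumed callback URL of this site


def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding PKCE values use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_pair() -> tuple[str, str]:
    """(code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the allowed 43..128
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


class SiteBackend:
    """The website as OAuth client: tokens stay here, the browser gets an opaque cookie."""

    def __init__(self, exchange_code):
        self._exchange = exchange_code  # callable (code, code_verifier) -> tokens dict
        self._pending = {}              # state -> code_verifier for logins in flight
        self._sessions = {}             # opaque session id -> tokens

    def begin_login(self) -> tuple[str, str]:
        verifier, challenge = pkce_pair()
        state = b64url(secrets.token_bytes(16))
        self._pending[state] = verifier
        url = ISSUER + "/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "state": state, "code_challenge": challenge, "code_challenge_method": "S256",
        })
        # `state` goes into a short-lived cookie on the browser; `url` is the redirect target.
        return state, url

    def complete_login(self, callback_url: str, state_cookie: str) -> str:
        q = parse_qs(urlparse(callback_url).query)
        state, code = q.get("state", [None])[0], q.get("code", [None])[0]
        if state is None or code is None:
            raise ValueError("callback is missing code or state")
        if not hmac.compare_digest(state, state_cookie):
            raise ValueError("state does not match the browser that started login")
        verifier = self._pending.pop(state, None)  # one shot: a replayed callback fails here
        if verifier is None:
            raise ValueError("unknown or already-used state")
        tokens = self._exchange(code, verifier)    # back-channel call, never via the browser
        sid = b64url(secrets.token_bytes(32))
        self._sessions[sid] = tokens               # tokens never reach the page
        return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def has_session(self, sid: str) -> bool:
        return sid in self._sessions

    def sign_out(self, sid: str) -> None:
        self._sessions.pop(sid, None)


class FakeAuthServer:
    """Stand-in for the hosted /authorize and token endpoint (assumed shape, offline only)."""

    def __init__(self):
        self._codes = {}  # authorization code -> code_challenge it was issued against

    def authorize(self, url: str) -> str:
        q = parse_qs(urlparse(url).query)
        if q["response_type"] != ["code"] or q["code_challenge_method"] != ["S256"]:
            raise ValueError("unsupported request")
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = q["code_challenge"][0]
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange(self, code: str, verifier: str) -> dict:
        challenge = self._codes.pop(code, None)  # codes are single-use
        if challenge is None:
            raise ValueError("invalid_grant: unknown or reused code")
        expected = b64url(hashlib.sha256(verifier.encode()).digest())
        if not hmac.compare_digest(challenge, expected):
            raise ValueError("invalid_grant: PKCE verifier does not match")
        return {"access_token": "at-" + b64url(secrets.token_bytes(8)),
                "refresh_token": "rt-" + b64url(secrets.token_bytes(8))}


def run_flow() -> tuple[SiteBackend, str]:
    """Happy path end to end; returns the backend and the Set-Cookie value the browser gets."""
    idp = FakeAuthServer()
    site = SiteBackend(idp.exchange)
    state_cookie, authorize_url = site.begin_login()
    callback_url = idp.authorize(authorize_url)  # browser visits /authorize and is sent back
    return site, site.complete_login(callback_url, state_cookie)
```

The points worth noticing: the browser only ever carries `state`, the authorization code and the opaque session id; the PKCE verifier and the tokens stay on the server, and both the pending state and the code are consumed on first use, so a replayed or cross-site callback is rejected.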

Account vs. tenant

Your account is your tenant: your watch rules, delivery targets, usage, and plan all hang off it. The same identity works in the browser and from the ctw CLI — sign in either way and you’re acting as the same tenant.

Plans

Every account starts on Free. Plans set how many watch rules you can have and how many webhook deliveries you get per day — see plans & limits and pricing. Account identity, password, billing, and your audit log are all managed on CT Watch’s hosted account pages; the dashboard links out to them.