Skip to main content

Questions this guide answers

  • How does passwordless magic-link login work?
  • How do I enable and verify 2FA?
  • How many API keys can I create?
  • What happens when I revoke a key?
  • Can I disconnect Patreon anytime?
Verba supports passwordless email auth. Flow:
  1. Request a magic link with your email.
  2. Open the email and click the link.
  3. Verba verifies the token and signs you in.
Important behavior:
  • Magic links expire after 20 minutes.
  • You can request a resend.
  • Invalid/expired links must be requested again.

Two-factor authentication (2FA)

Setup

  • Open settings security section.
  • Generate QR/secret.
  • Confirm with a valid authenticator code.
  • Save backup codes.

Login verification

During protected login flows, Verba may require:
  • 6-digit authenticator token
  • Or 8-character backup code
Backup codes are one-time use and removed after successful verification.

Disable 2FA

  • Requires valid 2FA verification to disable.

API keys

Key format and limits

  • Keys use prefix: vka_
  • Active key limit: up to 3 keys

Key lifecycle

  • Create from Settings -> Security -> API Keys.
  • Full key value is shown once on creation.
  • Revoke any key instantly from dashboard.
  • Revoked keys stop authenticating immediately.

Authentication headers

Use one of:
  • Authorization: Bearer vka_...
  • x-api-key: vka_...
API keys are only shown in full once when you create them. Verba stores the verification form of API keys, not a reusable plaintext copy.

How Verba stores sensitive data

Verba applies extra protection to sensitive secrets before they are written to storage. Examples include:
  • 2FA secrets
  • 2FA backup codes
  • Connected-service access/refresh tokens
  • Bot/service tokens that must be reused later by the platform
This means raw database access alone should not expose those values in their original usable form.

Connected services

Patreon linking

  • Patreon can be linked from settings.
  • Tier/benefits sync with account profile.

Patreon disconnect guard

Disconnect may be blocked while an active Patreon subscription is still attached.

Abuse protection and temporary IP bans

Verba uses both edge-level and backend abuse protection to prevent request bursts, scraping loops, and automated flooding. If an IP repeatedly trips those protections, Verba can place it into a temporary ban ladder:
  • First backend abuse hit: about 30 minutes
  • Repeated edge escalation: about 24 hours
  • Repeated repeat offender promotion: up to 30 days
If you hit a temporary ban unexpectedly during normal use, stop rapid retries, wait for the window to expire, and contact support with:
  • Exact timestamp
  • Your public IP if known
  • The page or action you were using
  • A screenshot or error message

Profile asset uploads

From settings:
  • Avatar/banner image uploads are validated and moderated.
  • Keep files under dashboard limits (commonly 10MB for profile uploads).

Deleting your account

Account deletion removes your account data and associated records. Behavior includes cleanup for:
  • Verbs and related references
  • Group/DM associations
  • Messages and conversation records tied to deleted entities
Group ownership handling:
  • If other members exist, ownership can transfer.
  • If no replacement exists, owned groups may be removed.
Account deletion is destructive. Export or copy anything you need before confirming deletion.

Public API v1

Full endpoint docs for authentication, requests, streaming, and errors.

Troubleshooting

Fix login, 2FA, and API key issues quickly.