Sign-in history

Every sign-in to your account is logged with the time, IP, and (optionally) approximate region. Reviewing this log periodically is the cheapest way to catch unauthorized access.

Where to find it

Settings → Security → Sign-in history.

Each row shows:

• When — timestamp in your local time zone.
• Method — wallet (and which one), email, or passkey.
• IP and region — the network address that sourced the sign-in, with country/region resolved if our environment has GeoIP enabled.
• Status — successful or failed (e.g., bad MFA code).

The list shows the most recent sign-ins, paginated.

What to look for

Sign-ins you didn't make. Common red flags:

• A region you've never been in.
• A successful sign-in followed by sensitive actions (linking a new wallet, changing email, increasing limits).
• Repeated failed attempts followed by a successful one.

What to do if something looks wrong

1. Lock down the account immediately. Sign out of all other sessions: Settings → Security → Sign out all devices.
2. Rotate any shared credentials. Change the linked email's password. Re-enroll MFA. Revoke and reissue any API keys.
3. Move funds if at all uncertain. Withdraw to a wallet you control (or another address you control if you signed in with an external wallet).
4. Email support. open a support ticket with the suspicious row(s) and approximate timing. We can investigate from the server side.

What sign-in history does NOT show

• Trades placed via API keys (those are in the audit log, not the sign-in log).
• Read-only requests (loading the home page, etc.).
• Background browser tabs reusing an already-authenticated session.

Privacy

We retain sign-in history per the data retention policy. You can request deletion of your account, after which the history is purged within the retention window. While the account is open, we can't delete individual rows on request — they're a security record.