Account settings
Your settings are split into a small number of pages reachable from the avatar menu.
Profile
Display name, bio, location, website, company, pronouns. Visible
on your profile page (/<username>). Markdown is not rendered
in the bio — it's plain text with hyperlinks auto-linked.
Emails
You can have multiple email addresses on one account. One is primary (used for notifications and as the default committer match), the others are secondary (still match commits authored with that email).
Each email is independently verified — until you click the link sent to it, that address can't be used as primary.
Password
Change with the current password. Successful change invalidates every session except the current one (the session-epoch mechanism). Other devices will be signed out.
Two-factor authentication
See TOTP & recovery codes. Strongly recommended.
Sessions
Lists every active session with device + last-used time. "Sign out everywhere" bumps your session epoch — every other session is killed instantly. Use this if you suspect an unauthorized sign-in.
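The session-epoch behaviour described under Password and Sessions, as an added sketch (not the project's own code): each session records the epoch it was issued under, and a single counter bump makes every older session fail validation at once. The names `User`, `SessionStore`, `is_valid` and `sign_out_everywhere` are hypothetical, and re-stamping the caller's session so it survives the bump is an assumption about how the current session is kept.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    session_epoch: int = 0  # bumped to invalidate sessions in bulk


@dataclass
class SessionStore:
    # token -> (username, epoch the session was issued under)
    sessions: dict = field(default_factory=dict)

    def sign_in(self, user: User) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user.name, user.session_epoch)
        return token

    def is_valid(self, token: str, user: User) -> bool:
        entry = self.sessions.get(token)
        # A session is live only if it was issued under the user's current epoch.
        return entry is not None and entry == (user.name, user.session_epoch)

    def sign_out_everywhere(self, user: User, current_token: str) -> None:
        # A stale or unknown session must not be able to trigger the bump.
        if not self.is_valid(current_token, user):
            raise PermissionError("caller's session is not valid")
        user.session_epoch += 1  # one write; every older session now fails is_valid
        # Assumption: only the caller's session is re-stamped so it survives.
        self.sessions[current_token] = (user.name, user.session_epoch)


def demo() -> dict:
    # Constructed scenario: three sessions, then "sign out everywhere" from the laptop.
    store, alice = SessionStore(), User("alice")
    laptop, phone, unknown = (store.sign_in(alice) for _ in range(3))
    store.sign_out_everywhere(alice, current_token=laptop)
    return {
        "laptop": store.is_valid(laptop, alice),
        "phone": store.is_valid(phone, alice),
        "unknown": store.is_valid(unknown, alice),
        "epoch": alice.session_epoch,
    }


if __name__ == "__main__":
    print(demo())
```

Because validity is checked against the user's current epoch on every request, no per-session deletion is needed for the other devices to be signed out.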
SSH and GPG keys
- SSH keys authenticate git@shithub.sh:... operations.
- GPG keys verify signed commits — when a commit's signature matches a registered GPG key, the commit shows a "Verified" badge in history.
Each key shows last-used timestamp; rotate when devices are lost.
Personal access tokens
See PATs.
Notifications
See Notifications.
Audit log
Settings → Audit log lists security-relevant actions on your account: sign-ins, password changes, 2FA toggles, key add/remove, PAT create/revoke, suspension events. Each row carries the IP and user-agent at the time. Export as JSON if you need to share with an operator during incident response.
Delete account
The bottom of Settings → Account has a delete button. It requires typing your username for confirmation. Deletion:
- Marks the account for soft-delete with a 30-day grace.
- Hides your repos, issues, comments, and PRs immediately.
- Frees the username after grace; until then, the username is reserved.
Within the grace period, signing in restores the account fully.
After grace, the deletion is final; comments and issues you
authored are reattributed to a ghost user.