PIN Access & Security
How the 4-digit PIN system works, including lockouts, sessions, and revoking access.
PIN entry
When a client opens their unique portal link for the first time (or after their session expires), they see a PIN entry screen with four individual digit boxes. They enter the 4-digit PIN sent in their invitation email. The PIN can be typed digit by digit — focus advances automatically — or pasted directly into the first box.
How PINs are generated and stored
QWTN generates a random 4-digit PIN when you invite a client. The PIN is emailed to the client in plain text so they can log in, but is never stored in plain text on the server. It is hashed using scrypt with a random 16-byte salt before storage. Even database access does not reveal the original PIN.
Session management
After a successful PIN entry, a session token is issued and stored as a secure cookie named qwtn_portal_session. The session lasts 7 days. Clients do not need to re-enter their PIN until the session expires or they clear their browser cookies. The portal verifies the session cookie on every request.
Lockout protection
After 5 consecutive failed PIN attempts, the portal account is locked for 15 minutes. During lockout, the client sees a message explaining how long they must wait. The lockout counter resets after a successful login. This prevents brute-force PIN guessing.
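The hashing scheme from "How PINs are generated and stored" and the lockout rule above fit together in a few dozen lines. The following is an added Python example, not QWTN's own code: it draws a 4-digit PIN from a CSPRNG, hashes it with scrypt under a random 16-byte salt, and gates each login attempt behind the 5-failure / 15-minute lockout. The scrypt cost parameters and the decision to start a fresh failure window once a lockout has expired are assumptions; the page states neither. The `PortalAccount` record and `attempt_login` function are illustrative names.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Values stated on the page: 4-digit PIN, random 16-byte salt, scrypt,
# 5 consecutive failures, 15-minute lockout.
SALT_BYTES = 16
MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=15)
# scrypt cost parameters are an assumption; the page does not give them.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def generate_pin() -> str:
    """Random 4-digit PIN from the OS CSPRNG, zero-padded so '0042' is valid."""
    return f"{secrets.randbelow(10_000):04d}"


def hash_pin(pin: str) -> Tuple[bytes, bytes]:
    """Return (salt, digest); only these two values are stored, never the PIN."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=DKLEN)
    return salt, digest


def check_pin(pin: str, salt: bytes, digest: bytes) -> bool:
    """Recompute scrypt under the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                               p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate, digest)


@dataclass
class PortalAccount:
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def attempt_login(acct: PortalAccount, pin: str, now: datetime) -> Tuple[bool, str]:
    """One PIN attempt; returns (success, message shown to the client)."""
    # Assumption: once a lockout has run out, the failure window starts fresh.
    # The page only states that the counter resets after a successful login.
    if acct.locked_until is not None and now >= acct.locked_until:
        acct.locked_until = None
        acct.failed_attempts = 0
    # Active lockout: reject before evaluating the PIN at all, so a correct
    # guess during the window gives no signal and no scrypt work is spent.
    if acct.locked_until is not None:
        wait = int((acct.locked_until - now).total_seconds())
        return False, f"Too many failed attempts. Try again in {wait} seconds."
    if check_pin(pin, acct.salt, acct.pin_hash):
        acct.failed_attempts = 0          # success resets the counter
        return True, "PIN accepted"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT
        return False, (f"Too many failed attempts. Locked for "
                       f"{int(LOCKOUT.total_seconds())} seconds.")
    left = MAX_FAILURES - acct.failed_attempts
    return False, f"Incorrect PIN. {left} attempt(s) remaining before lockout."


if __name__ == "__main__":
    # Constructed walk-through: invite a client, then drive the account into lockout.
    pin = generate_pin()
    acct = PortalAccount(*hash_pin(pin))
    wrong = "0000" if pin != "0000" else "0001"
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    for i in range(6):                    # 5 wrong guesses lock; the 6th is refused
        print(attempt_login(acct, wrong, t0 + timedelta(seconds=i)))
    print(attempt_login(acct, pin, t0 + timedelta(minutes=16)))  # lock expired
```

Two details matter for a 4-digit secret: the lockout check runs before the hash comparison, so a locked account leaks nothing about whether the submitted PIN was right, and the comparison uses `hmac.compare_digest` rather than `==` so timing does not distinguish near-misses.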
Revoking access
You can permanently revoke a client's portal access from the Client Detail page using the Send / Manage Portal Access panel. Revocation invalidates the access token immediately — any open portal session will be rejected on the next page request. You can re-invite the same client at any time, which generates a new token and PIN.
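The session and revocation behaviour described under "Session management" and "Revoking access" can be modelled as a small store that is consulted on every request. This is an added Python example, not QWTN's own implementation: it mints a random session token after a correct PIN, sets it in a `qwtn_portal_session` cookie with a 7-day `Max-Age`, keeps only a hash of the token server-side, and binds each session to the client's current access token so that revoking (or re-inviting) the client makes every open session fail on its next request. The `PortalSessions` class, the choice of `Secure; HttpOnly; SameSite=Lax` cookie attributes, and the hashed-token storage are assumptions about design, not statements from the page.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

COOKIE_NAME = "qwtn_portal_session"   # cookie name stated on the page
SESSION_TTL = timedelta(days=7)       # session lifetime stated on the page


@dataclass
class Session:
    client_id: str
    access_token_id: str   # the invitation (access token) this session was opened under
    expires_at: datetime


class PortalSessions:
    """Minimal in-memory session store (assumed design; not QWTN's code)."""

    def __init__(self) -> None:
        # client_id -> id of the client's current access token; None once revoked
        self._access_tokens: Dict[str, Optional[str]] = {}
        # sha256(session token) -> Session; the raw token lives only in the cookie
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def invite(self, client_id: str) -> str:
        """(Re-)invite: mint a fresh access token id; old sessions stay bound to the old one."""
        token_id = secrets.token_hex(16)
        self._access_tokens[client_id] = token_id
        return token_id

    def revoke(self, client_id: str) -> None:
        """Revocation: drop the access token; every session bound to it fails next request."""
        self._access_tokens[client_id] = None

    def issue_session(self, client_id: str, now: datetime) -> Tuple[str, str]:
        """Called after a correct PIN; returns (session token, Set-Cookie header value)."""
        token_id = self._access_tokens.get(client_id)
        if token_id is None:
            raise PermissionError("portal access has been revoked")
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(client_id, token_id, now + SESSION_TTL)
        cookie = (f"{COOKIE_NAME}={token}; Max-Age={int(SESSION_TTL.total_seconds())}; "
                  "Path=/; Secure; HttpOnly; SameSite=Lax")
        return token, cookie

    def authenticate(self, cookie_header: str, now: datetime) -> Optional[str]:
        """Run on every portal request; returns the client id, or None to reject."""
        jar = SimpleCookie()
        jar.load(cookie_header)
        if COOKIE_NAME not in jar:
            return None
        key = self._key(jar[COOKIE_NAME].value)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if now >= sess.expires_at:
            del self._sessions[key]          # 7-day lifetime elapsed
            return None
        if self._access_tokens.get(sess.client_id) != sess.access_token_id:
            del self._sessions[key]          # revoked, or superseded by a re-invite
            return None
        return sess.client_id


if __name__ == "__main__":
    # Constructed walk-through: invite, log in, revoke, observe the rejection.
    store = PortalSessions()
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store.invite("client-1")
    token, set_cookie = store.issue_session("client-1", now)
    print(set_cookie)
    print(store.authenticate(f"{COOKIE_NAME}={token}", now + timedelta(days=1)))   # client-1
    store.revoke("client-1")
    print(store.authenticate(f"{COOKIE_NAME}={token}", now + timedelta(days=1)))   # None
```

Binding the session to the access token id, rather than deleting sessions at revocation time, is what gives the "rejected on the next page request" property even if sessions live in a separate cache: the per-request check compares against the client's current token, so a stale session cannot outlive a revoke or a re-invite.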