Sign up and sign in
You need an account to save your work to the cloud and to use AI Studio. Designing without an account is not the normal path, cloud save and AI both expect you to be signed in.
Create an account
Sign up with an email and password, or with a Google or GitHub account. Signing up with email and password requires confirming your address before the account is fully active.
When your account is created, a personal workspace is set up for you automatically. Everything you make, your projects, media, brands, and tags, lives in that workspace.
Sign in
| Method | Detail |
|---|---|
| Email and password | The account you created |
| Google or GitHub | The same social account you signed up with |
| Forgot password | Use the reset link on the sign-in screen to set a new one |
Linking accounts after the fact is not available yet
You can sign in with Google or GitHub from the start, but adding one to an existing email-and-password account later is planned, not shipped. See the Roadmap.
Two-factor authentication
If you enable two-factor authentication, you enter a 6-digit code from an authenticator app after your password. Setup shows a manual entry key to add to any TOTP-compatible app, such as Google Authenticator or 1Password, there is no QR code to scan. A set of one-time backup codes is generated alongside it, save them somewhere safe in case you lose access to your authenticator app. Set this up, and manage sessions and an activity log, in Security and 2FA.
Staying signed in
A session stays active while you're using it, but it does not last forever. An idle session eventually expires and asks you to sign in again, and even an active one has an outer limit before it must be renewed, both are normal and are there so a device you forgot to sign out of does not stay open indefinitely. You can see and end any of your sessions early from Security and 2FA.
Keeping your account safe
The app protects your account in the background, on every sign-in attempt, not just when something looks wrong.
| Protection | What it does |
|---|---|
| Rate limiting | Blocks an account after repeated failed sign-in attempts |
| Breached-password check | Rejects passwords found in known public data breaches, on sign-up, reset, and password change |
| New-device alerts | Sends a notification and an email when a genuinely new device signs in |
| Session management | Lets you review every signed-in device and sign out any of them, individually or all at once |
Verify your email
Some features need a verified email before they work. If you signed up with email and password, look for the message sent to your inbox and enter the 6-digit code it contains to finish setup, it is a code you type in, not a link you click. You can request a new code from the sign-in screen if it does not arrive within a few minutes.
Step by step: creating an account and making your first design
- Open the sign-up screen and choose email and password, or continue with Google or GitHub.
- If you signed up with email and password, check your inbox for a 6-digit verification code and enter it when prompted. Social sign-up skips this step since the provider already verified your address.
- You land on your dashboard automatically, with a short onboarding checklist: make your first design, add a brand, upload media, set a profile photo, and turn on two-factor authentication. Work through it in any order, or dismiss it, it tracks your progress either way and disappears once you finish or dismiss it.
- Pick a format tile or template to make your first design, see Quick start for the rest of that flow.
Step by step: turning on two-factor authentication
- Open Security and 2FA from your account menu and confirm your password.
- You're shown a manual entry key rather than a QR code, add it to any TOTP-compatible authenticator app (Google Authenticator, 1Password, Authy, and similar all work) by choosing "enter a setup key" instead of "scan a code."
- A set of ten one-time backup codes is generated at the same time. Save them somewhere safe outside the authenticator app itself, each one lets you sign in exactly once if you lose access to your authenticator.
- Enter the 6-digit code your authenticator app is currently showing to confirm setup and turn 2FA on.
- From then on, every sign-in with email and password asks for a fresh 6-digit code after your password. Social sign-in through Google or GitHub is unaffected, since it does not go through the password step 2FA protects.
Regenerate backup codes if you run low
If you use up your backup codes, or think they may have leaked, generate a fresh set from Security and 2FA. The old set stops working the moment a new one is generated.
After you're in
Signing in drops you onto your dashboard, with a short onboarding checklist for a brand-new account: making your first design, adding a brand, uploading media, setting a profile photo, and turning on two-factor authentication. It tracks your progress and hides itself once you finish or dismiss it.
Common tasks
Reset a forgotten password. From the sign-in screen, use the reset link, enter your email, and follow the message that arrives to set a new password. If you have two-factor authentication on, you'll still be asked for a 6-digit code the next time you sign in with the new password.
Sign out a device you forgot to sign out. Open Security and 2FA and its Sessions list, every device currently signed in is listed there. End one session, or all of them at once, without needing physical access to that device.
Check whether a sign-in was really you. A new-device sign-in sends both an in-app notification and an email at the time it happens. If you don't recognize one, change your password immediately and review your session list.
Request a fresh verification code. If the original 6-digit email code expires or never arrives, go back to the sign-in or sign-up screen and request another one rather than trying to reuse the old code.
Troubleshooting
- The verification code never arrives. Check spam, and confirm you're checking the inbox for the address you actually typed. Codes expire after a short window, so request a new one rather than waiting on an old email.
- You're temporarily blocked after a few failed sign-in attempts. This is the account-level rate limit protecting against guessing attacks, it clears itself after a short cooldown. Repeated lockouts extend the cooldown each time, so wait rather than retrying rapidly.
- You lost your authenticator app and can't get a 2FA code. Use one of your saved backup codes to sign in, then immediately set up two-factor authentication again on a new device, since a backup code is used up the moment you sign in with it. Without a backup code and without the authenticator, you cannot bypass 2FA yourself, since there is no admin-side override for that from a self-serve account.
- A password you tried to set is rejected as unsafe. The app checks new and reset passwords against a database of previously breached passwords, not just length or character rules, choose a password you don't reuse anywhere else.
- You're signed out unexpectedly on a device you use daily. An idle session eventually times out, and even an actively used session has an outer lifetime before it must be renewed. Neither is a bug, sign in again, and consider enabling two-factor authentication if this device is shared with others.