Bkmark gives you several layers of protection beyond a password: time-based one-time passwords (TOTP) via an authenticator app, hardware-backed passkeys, per-device session management, and scoped API keys for automation. Visit Settings → Security to access all of these controls.

Two-factor authentication (TOTP)

Enabling TOTP means that signing in requires both your password and a six-digit code from your authenticator app. Codes rotate every 30 seconds and can’t be reused.
  1. Open the TOTP setup screen. Go to Settings → Security → Two-factor authentication and click Enable authenticator app.
  2. Scan the QR code. Open your authenticator app — such as Authy or Google Authenticator — and scan the QR code shown on screen. If your app doesn’t have a camera option, tap Enter key manually and type in the text secret displayed below the QR code.
  3. Enter the verification code. Your app will display a six-digit code. Type it into the Verification code field and click Verify. This confirms that your app is correctly synced before TOTP is activated.
  4. Save your backup codes. After a successful verification, Bkmark generates 8 one-time backup codes. Copy them somewhere safe — a password manager works well. Each code can only be used once and lets you regain access if you lose your phone. You can regenerate a fresh set of codes at any time from the same security settings page.

To disable TOTP, go back to Settings → Security → Two-factor authentication, click Disable, and enter a current six-digit code to confirm.
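
How a six-digit, 30-second, single-use code check works, as an added example (not Bkmark's code). It assumes the standard RFC 6238 algorithm with HMAC-SHA1 that authenticator apps implement; the one-step drift window and the in-memory replay store are assumptions, and the sample secret is the constructed RFC 6238 test value.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds each code is valid for, as stated above
DIGITS = 6    # length of the code shown by the authenticator app


def totp(secret_b32: str, unix_time: int) -> str:
    """Return the RFC 6238 code for the 30-second step containing unix_time."""
    s = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # manual entry often drops padding
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Accepts each code at most once by remembering the last accepted step."""

    def __init__(self, window: int = 1):
        self.window = window      # assumption: tolerate +/- 1 step of clock drift
        self.last_step = {}       # user -> last accepted time step

    def verify(self, user: str, secret_b32: str, code: str, unix_time: int) -> bool:
        current = unix_time // STEP
        first = max(0, current - self.window)
        for step in range(first, current + self.window + 1):
            if step <= self.last_step.get(user, -1):
                continue          # this step (or a later one) was already used
            expected = totp(secret_b32, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step[user] = step
                return True
        return False


# Constructed sample: the RFC 6238 test secret, base32-encoded as an app would store it.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()
```
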

Passkeys

Passkeys use your device’s biometrics (Face ID, Touch ID, Windows Hello) or a hardware security key to sign you in without a password. They are phishing-resistant and bound to Bkmark’s domain. To add a passkey, navigate to Settings → Security → Passkeys and click Add a passkey. Your browser or operating system will prompt you to authenticate — use your fingerprint, face scan, or hardware key. The passkey is registered and available for your next login. You can register multiple passkeys (for example, one on your laptop and one on your phone). Each passkey is listed with the device name and the date it was added. Click Remove next to any passkey you no longer want.

Active sessions

Every time you sign in to Bkmark from a browser or device, a session is created. The Active sessions panel under Settings → Security shows all of your current sessions, including the browser user-agent, IP address, and the last time each one was active. Your current session is labelled This device. To sign out of a specific device, click Revoke next to that session. To sign out of all other devices at once — for example, after losing a laptop — click Revoke all other sessions. Only your current session is preserved.

API keys

API keys let you access your Bkmark data from scripts, automations, or third-party tools without sharing your password.

Creating an API key

  1. Go to Settings → Security → API keys and click New API key.
  2. Give the key a descriptive Name (for example, Home automation or Raycast extension).
  3. Select the Scopes the key should have access to (see the table below).
  4. Optionally set an Expiration date. Keys without an expiration never expire automatically.
  5. Click Create. The full key is shown exactly once — copy it now and store it somewhere secure. After you close the dialog, only the key’s prefix is visible.
API keys have the prefix bk_ followed by a random string (for example, bk_3f9a1c2d…). Bkmark never stores the raw key, so it cannot be recovered if lost. If you lose a key, revoke it and create a new one.

Available scopes

| Scope | Access granted |
| --- | --- |
| bookmarks:read | Read your bookmarks and their metadata |
| bookmarks:write | Create, update, and delete bookmarks |
| tags:read | Read your tags |
| tags:write | Create, update, and delete tags |
| groups:read | Read your groups |
| groups:write | Create, update, and delete groups |
| search:read | Run full-text searches |

Grant only the scopes that the integration actually needs.

Using an API key

Pass the key as a Bearer token in the Authorization header:
curl https://api.bkmark.it/api/v1/bookmarks \
  -H "Authorization: Bearer bk_your_key_here"

Updating or revoking an API key

You can rename a key or change its scopes at any time by clicking Edit next to it in the list. To permanently revoke a key, click Revoke — the key stops working immediately.
Once a key passes its expiration date it is automatically rejected on every request. Any automation relying on it will receive a 401 Unauthorized response. You’ll need to create a new key and update your integration with the new value.
No. API keys only work with the REST API. Signing in to the Bkmark web app always requires your password, a connected social account, or a passkey.
The number of API keys available depends on your plan. Check your current plan limits under Settings → Billing.
Yes. Bkmark never stores your raw API key — only an irreversible fingerprint used to verify it. Only you see the raw key, and only at the moment it’s created. Even Bkmark staff cannot retrieve a key once the creation dialog is closed.
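
The storage and checking model described above (a raw key shown once, only a fingerprint kept, scopes, expiration, revocation) can be sketched as follows. This is an added example, not Bkmark's code: SHA-256 as the fingerprint, the in-memory `KEYS` table, the function names and the 403 for a missing scope are all assumptions; the page itself only states the 401 for an expired key.

```python
import hashlib
import secrets
from datetime import datetime, timezone

KEYS = {}   # fingerprint -> record; stands in for the server's key table (assumption)


def fingerprint(raw_key: str) -> str:
    # The key is long and random, so a fast one-way hash is enough: the raw
    # value cannot be derived from what is stored.
    return hashlib.sha256(raw_key.encode()).hexdigest()


def create_key(name, scopes, expires_at=None) -> str:
    raw = "bk_" + secrets.token_hex(24)
    KEYS[fingerprint(raw)] = {
        "name": name,
        "prefix": raw[:11],              # the only part shown again later
        "scopes": frozenset(scopes),
        "expires_at": expires_at,        # None means the key never expires
        "revoked": False,
    }
    return raw                           # returned once, never stored


def revoke(raw_key: str) -> None:
    KEYS[fingerprint(raw_key)]["revoked"] = True


def authorize(auth_header, required_scope, now) -> int:
    """Return the HTTP status for a request: 200, 401 or 403."""
    scheme, _, raw = (auth_header or "").partition(" ")
    if scheme != "Bearer" or not raw.startswith("bk_"):
        return 401
    record = KEYS.get(fingerprint(raw))
    if record is None or record["revoked"]:
        return 401
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return 401                       # expired keys are rejected, as stated above
    if required_scope not in record["scopes"]:
        return 403                       # assumption: the page gives no status for this
    return 200


# Constructed sample clock value for the checks.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
```
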