Account Security: OAuth, Sessions, and Best Practices
How Serpverse account security works with Google and Microsoft OAuth. Covers session management, provider locking, and protecting your sign-in accounts.
How Serpverse Account Security Works
Serpverse account security starts with a deliberate design choice: the platform does not store passwords. Every account authenticates through Google OAuth, Microsoft OAuth, or Email Magic Links, which means your security depends on the strength of your Google or Microsoft account (or email inbox) rather than a separate set of credentials.
This guide explains how authentication works, what happens with your sessions, how provider linking works, and what to do if something goes wrong.
Authentication Through OAuth
When you sign in to Serpverse, you are redirected to either Google or Microsoft to verify your identity. Serpverse never sees or stores your password. Instead, the OAuth provider confirms that you are who you claim to be and sends back a token that grants access to your Serpverse account.
What Serpverse receives from your OAuth provider:
- Your email address
- Your full name (kept private — visible only to you and admins; the other party in an order only ever sees your display name)
- A unique provider ID (used to link your OAuth identity to your Serpverse account)
What Serpverse does not receive:
- Your password
- Your contacts, calendar, or other account data
- Access to your email inbox or files
Multiple Sign-In Providers and Account Linking
Serpverse supports three sign-in methods: Google OAuth, Microsoft OAuth, and Email Magic Links. When you first create your account with one provider, you can later sign in with a different provider or magic link as long as the email address matches. The second provider is automatically linked to your existing account via verified email.
How account linking works:
- Your account is identified by your verified email address, not by a single provider
- If you sign up with Google and later sign in with Microsoft (or a magic link) using the same email, the new method links to your existing account
- The email address must be verified on both providers for linking to succeed
Practical implications:
- You can use whichever sign-in method is most convenient at the time
- All linked providers access the same account, balance, orders, and history
- If you have different email addresses across providers, they will create separate accounts
See the sign-in troubleshooting guide if you encounter issues during sign-in.
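The linking rule above, worked through in code as an added example (this is not Serpverse's own code): an identity links to the account that owns its email only when the provider has verified that address, and a new account is created otherwise. Provider IDs and the "same provider, different ID" refusal are assumptions, not behaviour the page describes.

```python
# Added example (not Serpverse's code): resolving a sign-in to an account by verified
# email, as this page describes. Provider IDs and the mismatch rule are assumptions.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int
    email: str                                      # normalized to lower case
    providers: dict = field(default_factory=dict)   # provider name -> provider ID


@dataclass(frozen=True)
class OAuthIdentity:
    provider: str          # "google", "microsoft" or "magic_link"
    provider_id: str       # the provider's unique ID for this user (constructed values below)
    email: str
    email_verified: bool   # as asserted by the provider (e.g. the OIDC email_verified claim)


class AccountStore:
    def __init__(self):
        self._by_email = {}     # verified email -> Account
        self._next_id = 1

    def sign_in(self, ident):
        """Link the identity to the account owning its verified email, creating one if needed."""
        if not ident.email_verified:
            # Linking on an unverified address would hand the existing account to
            # anyone who can register that address at a provider. Refuse outright.
            raise PermissionError(f"{ident.provider} has not verified {ident.email}")
        email = ident.email.strip().lower()
        acct = self._by_email.get(email)
        if acct is None:
            acct = Account(self._next_id, email)
            self._next_id += 1
            self._by_email[email] = acct
        known = acct.providers.get(ident.provider)
        if known is not None and known != ident.provider_id:
            # Same provider and email but a different provider ID: do not silently relink.
            raise PermissionError(f"{ident.provider} identity does not match account {acct.account_id}")
        acct.providers[ident.provider] = ident.provider_id
        return acct


if __name__ == "__main__":
    store = AccountStore()
    first = store.sign_in(OAuthIdentity("google", "g-1001", "Alice@example.com", True))
    second = store.sign_in(OAuthIdentity("microsoft", "m-7", "alice@example.com", True))
    print(first.account_id == second.account_id, sorted(second.providers))  # True ['google', 'microsoft']
```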
Session Management
After successful authentication, Serpverse creates a session that keeps you signed in. Here is how sessions work.
Session Duration
Sessions use JWT (JSON Web Token) authentication. Your session remains active as long as you interact with the platform regularly. Extended inactivity will eventually require re-authentication through your OAuth provider.
Session Contents
Your session token contains:
| Field | Purpose |
|---|---|
| User ID | Links the session to your account |
| Role | Buyer or Publisher; determines dashboard access |
| Account status | Active, suspended, or banned |
| Display name | Shown in the UI and order communications |
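As an added example (not Serpverse's code), here is a minimal HS256 session token carrying the four claims in the table plus an expiry, together with the checks a verifier applies before trusting them: signature, pinned algorithm, expiry, and account status. The signing key, claim names, lifetime and feature table are assumptions; the feature table follows the roles table later on this page, and the rule that suspended accounts may sign in but get no features follows the suspension section.

```python
# Added example (not Serpverse's code): mint and check a session JWT carrying the
# claims this page lists. Key, claim names, lifetime and feature table are assumptions.
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key-not-for-production"   # constructed sample key
# Roles allowed per feature (from the roles table); suspended accounts sign in but get none.
FEATURES = {"place_orders": {"Buyer"}, "list_websites": {"Publisher"},
            "order_messaging": {"Buyer", "Publisher"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session(user_id, role, status, display_name, now, ttl=3600):
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": str(user_id), "role": role, "status": status,
              "name": display_name, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def check_session(token, now):
    """Return the claims if the token is intact, unexpired and the account is not banned."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    h_b64, c_b64, s_b64 = parts
    # The verifier pins the algorithm; it never lets the token choose one.
    if json.loads(_unb64url(h_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64url(c_b64))
    if now >= claims["exp"]:
        raise PermissionError("session expired: re-authenticate with the OAuth provider")
    if claims.get("status") == "banned":
        raise PermissionError("account banned")
    return claims


def authorize(claims, feature):
    """Role and status from the verified claims decide access, never anything client-supplied."""
    return claims["status"] == "active" and claims["role"] in FEATURES.get(feature, set())
```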
Signing Out
You can sign out from any page using the account menu. Signing out invalidates your current session token. To access Serpverse again, you will need to complete the OAuth flow with your provider.
Signing out of Serpverse does not sign you out of Google or Microsoft. These are independent sessions.
What to Do If You Cannot Sign In
Most sign-in issues fall into predictable categories. Work through these in order:
1. Wrong OAuth Provider
This is the most common issue. If you see a role selection screen or a "complete your profile" prompt, you are authenticating with the wrong provider. Go back and try the other one.
2. Browser Cache or Cookie Issues
Stale session cookies can prevent successful authentication. Clear cookies specifically for serpverse.io in your browser settings, then try again.
3. Ad Blocker Interference
Privacy extensions and ad blockers can block the OAuth redirect flow. Temporarily disable them or add serpverse.io, accounts.google.com, and login.microsoftonline.com to your allowlist.
4. Corporate Network Restrictions
If you are on a corporate network, your IT department may block OAuth redirect URLs. Try signing in from a personal device or mobile data connection.
Securing Your OAuth Account
Because your Serpverse account security is only as strong as your underlying OAuth account, protecting that Google or Microsoft account is critical. A compromised OAuth account means a compromised Serpverse account.
Enable Two-Factor Authentication (2FA)
This is the single most effective security measure you can take.
Google:
- Go to Google Account Security
- Under "How you sign in to Google," enable 2-Step Verification
- Choose your verification method: authenticator app (recommended), security key, or phone prompts
Microsoft:
- Go to Microsoft Account Security
- Under "Additional security options," enable two-step verification
- Set up the Microsoft Authenticator app or an alternative method
Use a Strong, Unique Password on Your OAuth Account
Your Google or Microsoft password should be:
- At least 12 characters long
- Unique (not reused on any other service)
- Stored in a password manager rather than memorized or written down
Review Connected Applications
Periodically review which applications have access to your OAuth account:
- Google: Third-party apps with account access
- Microsoft: Apps and services
Revoke access for any applications you no longer use. While Serpverse needs to remain authorized, removing unused applications reduces your attack surface.
Monitor Sign-In Activity
Both Google and Microsoft provide sign-in activity logs. Check these periodically for unrecognized devices or locations:
- Google: Recent security activity
- Microsoft: Recent activity
If you see a sign-in you do not recognize, change your password immediately and review your Serpverse account for any unauthorized activity.
Account Roles and Permissions
During initial setup, you select a role — Buyer or Publisher — along with a display name. This role determines which features and dashboard sections you can access.
| Feature | Buyer | Publisher |
|---|---|---|
| Browse marketplace | Yes | No |
| Place orders | Yes | No |
| Deposit funds | Yes | No |
| List websites | No | Yes |
| Accept orders | No | Yes |
| Withdraw earnings | No | Yes |
| Order messaging | Yes | Yes |
| File disputes | Yes | Yes |
Your initial role is not permanent. You can switch between Buyer and Publisher at any time from your account settings. Review the getting started guide for details on the initial role selection process.
Account Suspension and Access
Serpverse may suspend accounts for policy violations. Suspended accounts have most functionality disabled; you can still sign in, and certain limited actions (such as completing in-progress orders) may remain available. If your account is suspended:
- You will receive an email explaining the reason and any steps required to resolve it
- Your data and order history remain intact during suspension
- Follow the instructions in the suspension notice to request reinstatement
- See the publisher rules for enforcement details
Security Checklist
Use this checklist to audit your account security:
- 2FA enabled on your Google or Microsoft account
- Strong, unique password on your OAuth account
- Unused third-party app permissions revoked
- Sign-in activity reviewed for unrecognized access
- Correct OAuth provider remembered for Serpverse sign-in
- Ad blockers configured to allow Serpverse and OAuth domains
Related Resources
- Can't Sign In? Troubleshooting Guide for login issues
- Getting Started with Serpverse for account setup
- What Is Serpverse for platform overview