• Whitelist → Allows access for the selected IP
• Blacklist → Blocks access for the selected features

Set Status

• Active → Rule is enforced
• Inactive → Rule is disabled

Select Access Scope

Choose where the rule will apply:

1. Login → Controls standard login (email/password)
2. Direct Login → Controls access via Direct Login URL
3. API → Controls programmatic access (API calls, webhooks, integrations)

How It Works:

Whitelist Rule:Grants access to the selected features from the specified IP.

Blacklist Rule:Blocks access to the selected features from the specified IP.

API Access Behavior:If no IP rules are applied to API access, requests are allowed by default.

Restrictions are enforced only when specific whitelist or blacklist rules are configured.

Example:

Suppose you configure the following:

• IP Address: 192.168.1.100.12
• Rule Type: Blacklist
• Status: Active
• Selected Features: Login, Direct Login, API

👉 Result:

• The user cannot log in from this IP using email/password
• The user cannot access the account via Direct Login URL
• Any API requests or integrations from this IP will be blocked

Reseller Capabilities:

• Define IP-based access rules only for client accounts
• Control login, direct login, and API access separately
• Enable or disable rules instantly using status toggle

Benefits:

• Restrict access to trusted IP addresses only
• Block suspicious or unauthorized sources
• Secure API and integration endpoints
• Enhance overall platform security with granular control
  
  

OTP Verification

Location: Settings & Integrations → Security → OTP Verification

Description:OTP (One-Time Password) Verification adds an extra layer of security during user signup by requiring users to verify their identity using a time-sensitive code sent via WhatsApp.This ensures that only users with access to the provided phone number can successfully complete registration.

Configuration Options:

• Force WhatsApp OTP Verification on Signup:When enabled, all new users must complete OTP verification during signup.
• Hide OTP Verification Message: Allows you to hide the OTP message from appearing in the chat interface (useful for cleaner user experience or custom flows).
• WhatsApp Bot Selection:Choose the WhatsApp bot that will send the OTP संदेश.
• Message Template:Select the approved WhatsApp template used to deliver the OTP code.
• Assign Label: Automatically assign a label to users who complete OTP verification.
• Assign Sequence:Add verified users to a follow-up sequence (e.g., onboarding or marketing automation).

Reseller Capabilities:

1. Enable or disable OTP verification for client accounts
2. Enforce OTP verification during signup
3. Configure WhatsApp-based OTP delivery system
4. Customize post-verification automation (labels & sequences)

Benefits:

• Prevents fake or spam account registrations
• Adds a strong verification layer using real phone numbers
• Improves lead quality and authenticity

Email Verification

Location: Settings & Integrations → Security → Email Verification

Description:Email Verification adds a verification step during user signup by requiring users to confirm their email address through a verification link or code.This ensures that the email provided during registration is valid and accessible by the user.

Configuration Options:

1. Force Email Verification on Signup:When enabled, all new users must verify their email address before completing registration.
2. Hide Email Verification Message:Allows you to hide the verification message from the user interface (useful for custom flows or cleaner UX).
   
   

Reseller Capabilities:

Benefits:

• Ensures users register with valid email addresses
• Reduces fake or low-quality signups
• Improves overall account authenticity
• Adds a basic layer of account security

Cloudflare Turnstile CAPTCHA

Location: Settings & Integrations → Security → Cloudflare Turnstile CAPTCHA

Description:Cloudflare Turnstile is a privacy-focused CAPTCHA alternative that protects your application from bots and automated abuse without requiring traditional user challenges.

It works silently in the background to verify whether a visitor is human, ensuring a smooth and uninterrupted user experience.

Configuration Options:

• Turnstile Site Key: Enter the Site Key generated from your Cloudflare Turnstile widget.
• Turnstile Secret Key: Enter the corresponding Secret Key.
• Enable Turnstile: Toggle to activate or deactivate Turnstile protection across your application.
• Hostname: Displays the domain associated with the Turnstile configuration.

Reseller Capabilities:

1. Configure Turnstile using Cloudflare-provided credentials (Site Key & Secret Key)
2. Enable or disable CAPTCHA protection for client accounts

Benefits:

• Blocks bots and automated submissions
• Provides a frictionless, challenge-free user experience
• Maintains user privacy without tracking or intrusive verification methods

Google reCAPTCHA

Location: Settings & Integrations → Security → Google reCAPTCHA

Description:Google reCAPTCHA (v3) is a score-based security system that analyzes user behavior to determine whether a request is made by a human or a bot.

Instead of showing challenges, it assigns a risk score to each interaction and blocks or allows access based on the defined threshold.

Configuration Overview:

To enable reCAPTCHA protection, you need to:

• Activate Google reCAPTCHA from the settings
• Connect your Google credentials (Site Key & Secret Key)
• Set a minimum score threshold to control how strict the bot detection should be

The configured domain ensures the keys are applied only to your authorized website.

Reseller Capabilities:

• Configure reCAPTCHA using Google-provided credentials (Site Key & Secret Key)
• Enable or disable protection for client accounts
• Adjust security sensitivity using the score threshold

Benefits:

• Provides invisible, frictionless bot protection (no user challenges)
• Uses behavioral analysis to detect suspicious activity
• Allows flexible control over security strictness via score threshold

Security Settings Available to End Users

1.IP Manager

Location: Settings & Integrations → Security → IP Manager

Description:

IP Manager allows users to control account access based on specific IP addresses. Users can allow or block access to login, Direct Login, and API usage from selected IPs.

End-User Capabilities:

Add and manage IP-based rules (Whitelist or Blacklist)

Control access for login, Direct Login, and API individually

Enable or disable rules as needed

Restrict account access to trusted networks or block suspicious IPs

2. Direct Login

Location: Settings & Integrations > Security > Direct Login

Description: Users can manage password-less login links for their own accounts.

Capabilities:

Enable or disable their own direct login access

Use the toggle to instantly block or allow link-based login

3. Login Activity

Location: Settings & Integrations > Security > Login Activity

Description: Users can monitor their own account access history.

Capabilities:

View successful logins, logouts, and failed login attempts

Check IP addresses, geographic location, device type, and browser

Detect unauthorized access attempts

4. Logged-in Devices

Location: Settings & Integrations > Security > Logged-in Devices

Description:

Users can view all devices currently logged into their account. This provides real-time visibility into active sessions, including device type, operating system, browser, IP address, location, and login times. Users can now log out from a specific device, immediately invalidating that session on the server to prevent unauthorized access.

End-User Capabilities:

• View all active sessions for their account
• Log out from any specific device to revoke access instantly
• Detect and respond to suspicious or unauthorized logins

Best Practices for Resellers

• Monitor Logged-in Devices regularly
  Check all active sessions for unusual devices, IPs, or locations. Log out any suspicious or unauthorized sessions immediately to prevent account compromise.

• Enable 2FA and OTP verification for all end users
  Require Multi-Factor Authentication to add a second layer of security. Force OTP verification on signup to protect accounts from automated attacks.

• Regularly review Login Activity
  Audit successful logins, logouts, and failed attempts. Detect anomalies such as unrecognized IP addresses, unusual login times, or repeated failed attempts.

• Use IP Manager to control access from trusted sources
  Whitelist trusted IPs (e.g., office or server IPs) to allow secure access, and blacklist suspicious or unknown IPs to block login, direct login, or API usage. This helps prevent unauthorized access and secures integrations.
  
  
• Use Direct Login sparingly and monitor usage carefully
  Ensure temporary access links are only provided when necessary. Disable or restrict Direct Login when not in use to reduce potential attack vectors.
  
  
• Deploy Cloudflare Turnstile or Google reCAPTCHA to protect forms from bots
  Apply CAPTCHA protection on login and signup pages to prevent automated attacks while maintaining a smooth user experience.

• Periodically audit all security settings
  Review all configured options, including 2FA, OTP, Email Verification, Direct Login, IP Manager, Login Activity, and Logged-in Devices. Ensure compliance with internal security policies and maintain proactive account protection.

READ MORE:

How to Enable Two-Factor Authentication (2FA) on BotSailor
Configure Google reCAPTCHA v3 in Your BotSailor Reseller Panel
Configure Cloudflare Turnstile CAPTCHA in Your BotSailor Reseller Panel