
Overview
sync enc Telegram Auth
Active tokens
Inactive
Sessions
Pending
Client ID
DB encryption

Welcome back, Operator


Active Tokens
Sessions
Campaigns
Antibot Gates

Recent Captures


System Health

Backend API
Database
Telegram
Encryption

Tokens

If Account shows “unknown” or Tenant is empty, click Sync profile on a row (or select several and use Sync profile selected). New captures also resolve identity from the access token and Graph. Use Tokens to copy access/refresh tokens for external tools (e.g. other senders); optional password-locked JSON download for storage.

ID Account & Roles Captured Expiry Ref State Actions 📝

Device code sessions

Each row is one generated user code. When sign-in completes, Authorized as shows the Microsoft account email. Token focuses that capture in the table above. Sessions refresh about every 12s while this tab is open.

# Session Status Code Authorized as Token Time left Started

Graph operations

Focused token
None — pick “Focus” on a row
Mailbox — pick Focus on a token
Folder — open the Mail tab to load folders

          

Mail.Read to load mail; Mail.ReadWrite to mark read/unread, move, or delete. Click a row to open the message; double-click for actions. The mailbox header above applies to all Graph tabs.

Subject From When
Message detail

JSON is the raw Graph response. Rendered HTML appears below (sanitized).


              
Attachments

Select a message above, then list or download (requires Mail.Read).

Requires Mail.Send + consent.

          
Last API response (any tab)

          

Landing pages & templates

Jinja templates live under landing-pages/templates/landing/. Variables: user_code, verification_uri, session_id, expires_in, slug, page_title. Use LANDING_SLUGS=* in .env to allow every *.html file. Set PUBLIC_BACKEND_URL for exported PHP.

Preview uses sample data (no device session). Open live starts a real session.

Deploy & host

Pick a template above, set your public API base URL (the HTTPS origin where this FastAPI is reachable), then deploy to workers.dev or download files to host elsewhere. Cloudflare credentials (email, Global API Key, Account ID) come from Settings → Cloudflare Worker. Deploy uses the Workers REST API — no wrangler or Node.js needed.

Profile

Administrator Lifetime license

Signed-in session is stored in this browser (localStorage). Use Sign out on shared machines.

Change password

Updates the password required for this console. It is stored encrypted in the lab database when changed (overrides DASHBOARD_PASS from .env).

Two-factor authentication

Google Authenticator (TOTP): scan the QR code, then enter a 6-digit code to confirm. When enabled, you sign in with username, password, and a code; API access uses a session token instead of raw Basic auth.

Microsoft OAuth (device code)

Values saved here are stored in the lab database and override CLIENT_ID and SCOPE in .env when set. Scopes must match your Azure app registration API permissions. Mailbox features need Mail.Read in the scope string and admin/user consent. Tokens captured before you add Mail.Read keep their old consent — run a new device flow (or re-consent) after changing scope.

Telegram alerts (new tokens)

When a device-code flow completes, the server can post a short Telegram message (token id, session id, account, tenant). Values saved here are stored in the lab database; they override TELEGRAM_* in .env when set. The bot token is encrypted at rest if TOKEN_ENCRYPTION_KEY is configured.

Optional defaults: TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID in .env · @BotFather for the token. Header chip Telegram shows “on” when both bot token and chat id are resolved (after save or reload).

Cloudflare Worker (workers.dev)

Deploys a JavaScript Worker that proxies visitors to your backend landing page — no wrangler or Node.js required. Credentials are read from Settings; save your email, Global API Key, and Account ID below, then click Deploy. Use TRUST_X_FORWARDED_FOR=true on the API behind Cloudflare for accurate IP logging.

Published Worker URL

Google Safe Browsing API Key

Used by the Domains Health Check feature to test whether a domain is flagged by Chrome, Edge, or Firefox via Google's Safe Browsing API. Without a key, only URLHaus (abuse.ch) is checked. Get a free API key at developers.google.com/safe-browsing — 1 million queries/day free.

Message actions

OAuth tokens · #

Plaintext for import into other programs. Treat like a password. Values in the DB may be encrypted at rest (TOKEN_ENCRYPTION_KEY); this dialog shows decrypted values.

Encrypted download

AES-style bundle (PBKDF2 + Fernet). Decryption requires the same password — useful for backup, not for arbitrary third-party apps unless they implement the format.