Improve this doc

Account management

Sign up

In order to use balena and deploy code to devices you will need a balena account.

If you don't already have an account head over to our signup page. You can sign up with a GitHub or Google account or via an email address. When you create your account, you will be asked to create a password for the account. Your password needs to be at least 8 characters long.

Password reset

If you forget your password, you may request to reset it via the password reset page. Enter the email address associated with your balenaCloud account. If the email address has an associated account, a password reset link will be sent to that address. Following the link, you will be able to enter a new password.

Add a password to social login

To add a password to an account created with a social login (Google, Github), navigate to the Preferences page found by clicking on your profile in the top right of the dashboard. Under the Account details tab you can set a password for your account.

Access tokens

Access tokens are used for authentication in the balena API, CLI, and Node.js and Python SDKs. They are managed in the Access tokens tab of the Preferences page, which can be found via the dropdown menu in the upper-right corner of the dashboard:

There are two types of access tokens: session tokens and API keys. Both authentication types provide user-level permissions, meaning any user or application with one of these tokens can make changes across devices, applications, and the user account.

Session tokens

Session tokens are retrieved from the Preferences page, and they can be refreshed with the API. These tokens expire after seven days, and they cannot be revoked.

API keys

API keys are named tokens that do not expire and can be revoked as needed. To create a new API key, make sure you are in the Access tokens tab of the Preferences page, then select Create API key:

Create API Key

You'll see a required field for Token name, as well as an optional field for Token description:

Name API Key

When you click Create token, you will see a dialog with the new API key:

API Key Warning

Warning: This is your only opportunity to see the key, so make sure to download or copy to a secure location!

After you close the dialog, you'll see your API key in the list, complete with name, date of creation, and description:

List API Keys

To revoke one or more API keys, select the boxes to the left of the tokens you wish to remove, then click Delete selected:

Delete API Key

API keys can also be generated using the API, CLI, and Node.js and Python SDKs.

Application members

When an application needs to be shared with more than one user, the application owner can add new members. With paid accounts, it's possible to assign a level of access for a new member, based on the following types:

Member types

Member Type Add members Delete App Add/Remove device Device actions Tags Dev Env Variables SSH access Push Fleet Env Variables Fleet actions
Administrator Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Developer No No Yes Yes Yes Yes Yes Yes Yes Yes
Operator No No Yes Yes Yes Yes Yes No No No
Observer No No No No No No No No No No


A new application in balenaCloud can only be created by an administrator of an organization. Administrators are the only users who can add other application members or delete the application. Learn more about the administrator role in an organization.


Observers are given read-only access to the application and its devices. They are not able to modify, add, or remove any devices, nor are they able to perform device actions. This role can only be assigned by application owners on paid plans.


Operators have all the access given to observers, plus the ability to manage an application's devices. This means operators can remove devices, perform device actions, and modify device tags, metadata, and environment variables. Operators also have full SSH access to the application's devices. This role can only be assigned by application owners on paid plans.


Developers are given, in addition to the access provided to operators, the ability to manage an application. This includes pushing new code, modifying fleet-wide environment variables, running application actions, and downloading application images. This role is the closest to an application owner—developers can do everything owners can except for deleting the application or adding new members. The Developer role can be assigned by application owners on free or paid accounts, and it is the only role available for Starter applications.

Add an application member

To add a new member to your application, click on the Members tab of the application summary page:

Members Tab

This brings up a list of all application members, if any have been assigned. Click on the Add member button in the top left:

Create Application Member

The Add application member dialog has a dropdown with descriptions of the member types, as well as information about which types are available based on your billing plan. Choose a level of access, then enter the username or email address of the new application member:

Add Application Member

Note: Application members must have already signed up for a balena account before they can be added to an application.

After you click Add, you will see the username of the new application member in the list. From here, you can edit access levels or remove the user if necessary:

List Application Members

All users that have been added to an application will see that application in their dashboard, with an indicator to designate it has been shared by the application owner:

Shared Application

In addition to the application actions permitted by the assigned member role, application members will have the option to remove themselves from an application. This is done by clicking the Actions tab from the application summary page, then clicking Remove Member Access:

Alternatively, members may remove themselves from an application by clicking on the delete (trash can) icon on the Members tab.

Remove Application Member Alternative

Warning: If you remove your member access to an application, you will not be able to undo the action. Only the application owner will be able to restore your access.

Two-factor Authentication

We offer the option to enable Two-factor Authentication - this is a feature that prompts you to input a code from your smartphone/computer in addition to your password, providing an additional layer of security for your account.

Note: We use the industry standard Time-based One-time Password Algorithm to implement this functionality.

Enabling Two-factor Authentication

Sign up for an account (or log in if you already have one) and go to your preferences page. From here, click on the Two-factor Authentication tab then click Enable two-factor authentication to enable:

Enable two-factor authentication

Next, you will be shown a QR code and prompted for a pairing code as shown below:

Note: Two-factor authentication will only be enabled once you have finished configuring it against your smartphone/computer, so no need to worry about logging out before finishing the configuration then not having access to your account!

Two-factor authentication pairing

In order to use your phone/computer as your added layer of security you will need to download a free authenticator application. There are many available, but one that works well and has been successfully tested against balena is Google Authenticator - download it for Android or iOS.

Once installed, navigate to the barcode scanner:

Note: The Android application is shown here - if you already have accounts installed, tap the 3 vertical dots in the top right-hand corner and select 'Set up account', otherwise you should be given the option when you first start the app.

Google Authenticator Scan Barcode Menu

When you tap the option to scan a barcode your phone will turn on your camera and all you need to do to pair with your account is to simply point it at the QR code displayed on your monitor.

Once configured, you'll see a 6 digit generated code with a graphic beside it indicating a countdown. Once the countdown expires, the code becomes invalid:

Google Authenticator Codes

Next, you'll need to input the displayed code into the 'Pairing code' input on the preferences page. If successful, you will be shown recovery codes that may be used in the event that you cannot access your two-factor authentication application. These codes should be downloaded and stored in a safe place.

Two-factor authentication recovery codes

Once you've downloaded your recovery codes and clicked OK, the next time you log in, you will be prompted for the code displayed in your authenticator app after you've input your username and password. Enjoy your added layer of security!

To disable two-factor authentication, visit the Two-factor Authentication tab of the Account Preference and click Disable two-factor authentication. You will be prompted for your account password before it is disabled.

Two-factor authentication recovery codes

List of verified authenticator applications

Delete account

If you wish to delete your balenaCloud account, go to your Preferences page, and under the Account Details tab, select the Delete Account button. You will need to confirm this action by entering your password. If your account does not have a password, you will be prompted to set one in your account preferences. Upon confirmation, the account will be permanently deleted, including all applications and devices. If you would also like to request deletion of your data in accordance with GDPR, please refer to the instructions in our privacy policy.

Delete balena Account