Skip to main content
Orchard supports multiple authentication methods to keep your account secure while providing a seamless sign-in experience.

Authentication Methods

Email One-Time Password (OTP)

The simplest way to sign in is with your email address. Orchard sends you a 6-digit code that you enter to verify your identity.
1

Enter your email

On the sign-in page, enter your email address.
2

Check your inbox

You’ll receive an email with a 6-digit verification code.
3

Enter the code

Type the code into the verification field to complete sign-in.
OTP codes expire after a short time. If your code expires, request a new one.

Passkeys (WebAuthn)

Passkeys provide passwordless authentication using your device’s biometrics or security key. This is the most secure and convenient authentication method. Supported passkey types:
  • Face ID / Touch ID (Apple devices)
  • Windows Hello
  • Hardware security keys (YubiKey, etc.)
  • Android biometrics
1

Sign in to your account

Use email OTP or another method to access your account.
2

Go to Settings

Navigate to your user settings page.
3

Add a passkey

Click Add Passkey and follow your browser’s prompts to register your device.
4

Name your passkey

Give the passkey a friendly name (e.g., “MacBook Pro” or “YubiKey”) so you can identify it later.
1

Click 'Sign in with Passkey'

On the sign-in page, select the passkey option.
2

Authenticate

Your browser will prompt you to use your biometrics or security key.
3

Done

You’re signed in immediately after successful authentication.

Hack Club OAuth

If you have a Hack Club account, you can sign in directly using Hack Club OAuth. This automatically syncs your profile information.
1

Click 'Sign in with Hack Club'

On the sign-in page, click the Hack Club sign-in button.
2

Authorize Orchard

If prompted, authorize Orchard to access your Hack Club profile.
3

Done

You’ll be redirected back to Orchard and signed in.

Managing Your Sessions

When you sign in, Orchard creates a session that lasts for 7 days. You can sign out at any time from the user menu.

Security Features

Rate Limiting

To protect against brute force attacks, Orchard limits the number of authentication attempts:
  • OTP requests are rate-limited per email address
  • Passkey attempts are rate-limited per IP address
  • After too many failed attempts, you’ll need to wait before trying again

Secure Cookies

Session tokens are stored in secure, HTTP-only cookies that can’t be accessed by JavaScript. This protects against cross-site scripting (XSS) attacks.

Managing Passkeys

You can manage your registered passkeys from your user settings:
  • View passkeys: See all registered passkeys with their names and last used dates
  • Remove passkeys: Delete passkeys you no longer use
  • Add new passkeys: Register additional devices for backup access
Always keep at least one authentication method available. If you remove all passkeys and lose access to your email, you won’t be able to recover your account.