Account security best practices
If your Schedulin workspace is compromised, every connected social account is at risk. A few defaults make this much harder.
Use unique passwords
A password manager (1Password, Bitwarden) is the easiest way to keep a unique password for every site. Reusing your Schedulin password on another site means a breach there compromises your social channels.
Audit team members regularly
Once a month, open Settings → Team and confirm everyone listed should still have access. Contractors, ex-employees, and former agency partners often linger. See Removing a user.
Use the minimum role
A teammate who only needs to draft posts doesn't need Admin. The fewer Admins and Owners, the smaller the blast radius if any one account is compromised.
Rotate API keys
API keys (and MCP server keys) don't auto-expire. Rotate them annually or whenever someone with key access leaves. Old keys can be revoked instantly under Settings → Developer.
Watch the audit log
Settings → Workspace → Audit log records who did what. Skim it weekly — unexpected sign-ins from unfamiliar locations, unexpected role changes, or new channels you didn't add are all worth investigating.
What to do if compromised
- Change your Schedulin password and sign out all other sessions.
- Rotate any API keys.
- Audit recent activity in the audit log.
- For each connected social account, force-disconnect Schedulin from the network's own settings (Meta Business, X Connected Apps, etc.) and reconnect from a clean state.
- Email support — we can help review activity from our side.