Settings
Profile, organization, billing, categories, notifications, and password management.
Settings lives at /settings in Ankos Ledger, accessible from the user menu in the top right. Per-user options (profile, notifications, password) are visible to everyone; organization, billing, and categories are admin-only.
Profile
- Email — your sign-in address. Shown read-only; changing your email requires re-verification via Cognito.
- Name — how you appear to teammates, in invite emails you send, and in QSA share emails when you share a cycle. Update here instead of in Cognito directly so Ankos Ledger, emails, and the From header stay in sync.
Organization (admin only)
- Company name — your organization's display name. Used on the cover PDF of every evidence export and on the QSA-facing share page when you share a cycle. Set this once before your first QSA hand-off; the assessor sees this exact string on the package they download.
Company name is admin-only because it's the customer-facing identity on every artifact that leaves the workspace. Other team members see it but can't change it.
Billing & Plan
Ankos uses Stripe for billing. The card shows your current plan and status:
- Trialing — you're inside the 60-day free trial. A trial countdown ("N days left") is shown alongside. Upgrade any time from this card.
- Active — paid subscription, renewal date displayed.
- Past due — your last payment failed; the workspace drops to read-only mode (view + export, no uploads or sign-offs) until you update your card.
- Canceled — subscription is canceled. Workspace is read-only; you can re-subscribe from the same card at any time.
Admin-only actions on this card:
- Upgrade (or Re-subscribe) — opens Stripe Checkout in a new tab.
- Manage billing — opens the Stripe Customer Portal where you can update your payment method, billing email, tax ID, or download past invoices.
Read-only mode is intentional, not a punishment. You always keep access to your historical ledger data and can still export packages — only changes (uploads, sign-offs, owner edits) are gated. This means a forgotten card never erases your evidence history.
Categories (admin only)
The Settings page surfaces a Manage categories link to the dedicated categories editor at /categories. The baseline categories cover most PCI DSS assessments out of the box; from the editor admins can:
- Rename a baseline category to match the customer's internal vocabulary
- Reorder baseline categories
- Hide a baseline category that doesn't apply to the customer's scope
- Add a custom category (e.g. a company-specific compensating control)
Custom categories merge with the baseline so every entry still maps to a category. Changes apply across every cycle in the workspace.
Email Notifications
Two notification types are user-toggleable. Mute either independently without affecting in-app indicators (badges and counts still appear when you sign in).
- Assignment emails — when another team member assigns one or more entries to you, you get a digest email listing what's newly yours.
- Weekly digest — a Monday summary of the current cycle: readiness %, what moved, what still needs attention.
Other transactional emails (team invites, password-changed notices, QSA share confirmations, billing receipts) are not toggleable — they cover security or audit-trail events that should always be delivered.
Two-Factor Authentication
Add a TOTP-based second factor to your sign-in. After enabling, you'll need both your password and a 6-digit code from an authenticator app (1Password, Authy, Google Authenticator, etc.) to sign in.
Enabling
- Click Enable two-factor. Ankos shows a QR code and the underlying secret.
- Scan the QR with your authenticator app, or paste the secret in manually.
- Enter the 6-digit code your app generates to confirm.
Once verified, every future sign-in prompts for a code after your password.
Back up the secret. Save it in your password manager when you enable two-factor. If you lose your authenticator and don't have the secret saved, the only recovery path is contacting Ankos support to disable two-factor on your account — an admin can't reset it for you.
Disabling
From the Two-Factor section, click Turn off two-factor and confirm. Subsequent sign-ins will use password only.
Why TOTP only
Ankos deliberately doesn't support SMS as a second factor. SMS is vulnerable to SIM-swap attacks and carries per-message cost; TOTP is free, more secure, and works offline.
Change Password
Update your sign-in password without leaving Ankos Ledger:
- Current password — your existing password, required by Cognito.
- New password — minimum 8 characters; Cognito enforces complexity rules on top of that.
- Confirm new password — must match.
After a successful change, Ankos sends a confirmation email so an unexpected change ("I didn't do that") is detectable. Sign-in sessions on other devices continue to work until they expire — sign out manually elsewhere if you want to force a re-auth.
Forgot your current password? Use Forgot password? on the sign-in page instead. It triggers a Cognito reset code over email and lets you pick a new password without needing the old one.
API keys
API keys live on their own page at /api-keys (linked from the user menu). They authenticate the Ankos CLI so it can upload scan results into your workspace's ledger.
- Create a key — give it a label (e.g. "CI/CD", "laptop", "prod pipeline"). The key is shown once; copy it into your password manager or CI secret store.
- Revoke a key — immediately invalidates it. Any CLI session using that key will fail on the next upload.
- Last used — visible on the key list so you can spot unused keys.
Keys inherit the role of the user who created them. An editor's key can do what an editor can do; an admin's key can do what an admin can do.
API keys grant full CLI-level access as your user. Treat them like passwords. Prefer per-environment keys (one for CI, one for your laptop) over a single shared key.

