Sign in
Gray’s account lives on your box, not on a Gray cloud. Sign-in is deliberately simple: your email and a 6-digit code.
First sign-in
Section titled “First sign-in”- Enter your email. You get a 6-digit code (valid 10 minutes, 5 attempts).
- Enter the code.
- When you connect a brand-new box you’ll also be asked for its one-time box code, printed by the installer on the box — this one-time step binds the first account to the box. See Set up your box.
The first successful sign-in on an unclaimed box creates the box’s owner account.
Where does a box’s sign-in code come from?
Section titled “Where does a box’s sign-in code come from?”When the box itself issues your sign-in code, delivery is operator-configured: with nothing set up the code is printed to the box’s journal — the app shows this exact command, tap-to-copy:
journalctl -u gray-server | grep -i 'sign-in code'Set RESEND_API_KEY or the SMTP variables in
Configuration reference to have it actually emailed.
Returning
Section titled “Returning”Sign back in with the same email + 6-digit code flow.
Rate limits
Section titled “Rate limits”The box throttles code requests (1/minute, 5/hour per email; 5/hour per IP) and locks a code after 5 wrong attempts. If you’re locked out, wait for the window shown in the app.
No code arriving on a claimed box?
Section titled “No code arriving on a claimed box?”A claimed box only issues sign-in codes to the email it was set up with — any other address gets silence, on purpose. Use the email you set the box up with, or have its current owner release the box (Me → Account, delete the account on the box); the next fresh sign-in mints a new box code. See Box code.
Signing out everywhere
Section titled “Signing out everywhere”Me → Account signs you out on the device. To kill the box-side session — for example after a security alert — the Lock down & revoke session action invalidates the bearer; every device returns to the sign-in gate. See Security model.