Improve this doc

Account management

Sign up

In order to use balena and deploy code to devices you will need a balena account.

If you don't already have an account head over to our signup page. You can sign up with a GitHub or Google account or via an email address. When you create your account, you will be asked to create a password for the account. Your password needs to be at least 8 characters long.

Password reset

If you forget your password, you may request to reset it via the password reset page. Enter the email address associated with your balenaCloud account. If the email address has an associated account, a password reset link will be sent to that address. Following the link, you will be able to enter a new password.

Add a password to social login

To add a password to an account created with a social login (Google, Github), navigate to the Preferences page found by clicking on your profile in the top right of the dashboard. Under the Account details tab you can set a password for your account.

Access tokens

Access tokens are used for authentication in the balena API, CLI, and Node.js and Python SDKs. They are managed in the Access tokens tab of the Preferences page, which can be found via the dropdown menu in the upper-right corner of the dashboard:

There are two types of access tokens: session tokens and API keys. Both authentication types provide user-level permissions, meaning any user or application with one of these tokens can make changes across devices, fleets, and the user account.

Session tokens

Session tokens are retrieved from the Preferences page, and they can be refreshed with the API. These tokens expire after seven days, and they cannot be revoked.

API keys

API keys are named tokens that do not expire and can be revoked as needed. To create a new API key, make sure you are in the Access tokens tab of the Preferences page, then select Create API key:

Create API Key

You'll see a required field for Token name, as well as an optional field for Token description:

Name API Key

When you click Create token, you will see a dialog with the new API key:

API Key Warning

Warning: This is your only opportunity to see the key, so make sure to download or copy to a secure location!

After you close the dialog, you'll see your API key in the list, complete with name, date of creation, and description:

List API Keys

To revoke one or more API keys, select the boxes to the left of the tokens you wish to remove, then click Delete selected:

Delete API Key

API keys can also be generated using the API, CLI, and Node.js and Python SDKs.

Fleet members

When a fleet needs to be shared with more than one user, the fleet owner can add new members. With paid accounts, it's possible to assign a level of access for a new member, based on the following types:

Member types

Member Type Add members Delete App Add/Remove device Manage provisioning keys Device specific actions Tags Variables SSH access Push Configuration Fleet specific actions
Administrator Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Developer No No Yes Yes Yes Yes Yes Yes Yes Yes Yes
Operator No No Yes Yes Yes Yes Yes Yes No No No
Observer No No No No No No No No No No No


A new fleet in balenaCloud can only be created by an administrator of an organization. Administrators are the only users who can add other fleet members or delete the fleet. Learn more about the administrator role in an organization.


Observers are given read-only access to the fleet and its devices. They are not able to modify, add, or remove any devices, nor are they able to perform device actions. This role can only be assigned by fleet owners on paid plans.


Operators have all the access given to observers, plus the ability to manage a fleet's devices. This means operators can add and remove devices, generate & revoke provisioning API keys, perform device actions, and modify device tags, metadata, and environment variables. Operators also have full SSH access to the fleet's devices. This role can only be assigned by fleet owners on paid plans.


Developers are given, in addition to the access provided to operators, the ability to manage fleet software. This includes creating new releases, modifying fleet variables, and downloading balenaOS images. This role is the closest to a fleet owner—developers can do everything owners can except for deleting the fleet or adding new members. The Developer role can be assigned by fleet owners on free or paid accounts.

Add a fleet member

To add a new member to your fleet, click on the Members tab of the fleet:

Members Tab

This brings up a list of all fleet members, if any have been assigned. Click on the Add member button in the top left:

Create Application Member

The Add member dialog has a dropdown with descriptions of the member types, as well as information about which types are available based on your billing plan. Choose a level of access, then enter the username or email address of the new member:

Add Application Member

Note: Fleet members must have already signed up for a balena account before they can be added to a fleet.

After you click Add, you will see the username of the new member in the list. From here, you can edit access levels or remove the user if necessary:

List Application Members

All users that have been added to a fleet will see that fleet in their dashboard, with an indicator to designate it has been shared by the fleet owner:

Shared Application

Fleet members will have the option to remove themselves from a fleet by clicking on the members tab, selecting the checkbox by their name from the member list, clicking on the Modify button, and selecting delete member.

Warning: If you remove your member access to a fleet, you will not be able to undo the action. Only the fleet owner will be able to restore your access.

Two-factor Authentication

We offer the option to enable Two-factor Authentication - this is a feature that prompts you to input a code from your smartphone/computer in addition to your password, providing an additional layer of security for your account.

Note: We use the industry standard Time-based One-time Password Algorithm to implement this functionality.

Enabling Two-factor Authentication

Sign up for an account (or log in if you already have one) and go to your preferences page. From here, click on the Two-factor Authentication tab then click Enable two-factor authentication to enable:

Enable two-factor authentication

Next, you will be shown a QR code and prompted for a pairing code as shown below:

Note: Two-factor authentication will only be enabled once you have finished configuring it against your smartphone/computer, so no need to worry about logging out before finishing the configuration then not having access to your account!

Two-factor authentication pairing

In order to use your phone/computer as your added layer of security you will need to download a free authenticator app. There are many available, but one that works well and has been successfully tested against balena is Google Authenticator - download it for Android or iOS.

Once installed, navigate to the barcode scanner:

Note: The Android app is shown here - if you already have accounts installed, tap the 3 vertical dots in the top right-hand corner and select 'Set up account', otherwise you should be given the option when you first start the app.

Google Authenticator Scan Barcode Menu

When you tap the option to scan a barcode your phone will turn on your camera and all you need to do to pair with your account is to simply point it at the QR code displayed on your monitor.

Once configured, you'll see a 6 digit generated code with a graphic beside it indicating a countdown. Once the countdown expires, the code becomes invalid:

Google Authenticator Codes

Next, you'll need to input the displayed code into the 'Pairing code' input on the preferences page. If successful, you will be shown recovery codes that may be used in the event that you cannot access your two-factor authentication app. These codes should be downloaded and stored in a safe place.

Two-factor authentication recovery codes

Once you've downloaded your recovery codes and clicked OK, the next time you log in, you will be prompted for the code displayed in your authenticator app after you've input your username and password. Enjoy your added layer of security!

To disable two-factor authentication, visit the Two-factor Authentication tab of the Account Preference and click Disable two-factor authentication. You will be prompted for your account password before it is disabled.

Two-factor authentication recovery codes

List of verified authenticator apps

Delete account

If you wish to delete your balenaCloud account, go to your Preferences page, and under the Account Details tab, select the Delete Account button. You will need to confirm this action by entering your password. If your account does not have a password, you will be prompted to set one in your account preferences. Upon confirmation, the account will be permanently deleted, including all fleets and devices. If you would also like to request deletion of your data in accordance with GDPR, please refer to the instructions in our privacy policy.

Delete balena Account