
Unlock Ultimate Security for Your Strapi APIs.

The only Plug & Play Multi-Factor Authentication solution built exclusively for Strapi. Effortless to install. Seamless to scale. Unmatched protection.


Simplify API Security. Focus on Building.

SMS-based authentication

Enable SMS verification to send a unique one-time code


Backup codes

Generate one-time backup codes for users, ensuring they can access their accounts.


Authentication with TOTP

Add an extra layer of security to your Strapi instance with time-based one-time passwords.


Multi-device compatibility

Support multiple devices


Effortless, no-code setup

Quickly integrate MFA into your Strapi CMS without writing a single line of code. Privacy-first design, no cloud involved.


Built for Developers.
Powered by Security.


Congratulations!

You have successfully secured your system with Multifactor Authentication (MFA). Now, your system is protected from unauthorized access, brute-force, phishing, and other attacks.

Unsecured Without MFA

Without Multifactor Authentication (MFA), your system is vulnerable to brute-force, phishing, and man-in-the-middle attacks, allowing unauthorized access.

Ready to secure your Strapi CMS?

Experience the future of Strapi security with our multi-factor authentication plugin. Designed for developers, built for simplicity—get started today with a seamless setup and cutting-edge protection for your CMS.


HeadLockr is the extra security layer your Strapi project needs to support Multi-Factor Authentication

Pierre Burgy

CEO, Strapi


Built for Performance.
Designed for Security.

From admin panel to content API (coming soon), every part of your Strapi project is protected. Multi-factor authentication that’s effortless to set up and powerful enough to keep your APIs secure. Whether you use SMS, TOTP, or email, our plugin adapts to your workflow.

With Multi-factor Authentication (MFA), your system is protected against brute-force, phishing, and man-in-the-middle attacks, ensuring that only authorized users can access your Strapi backend.

Enhanced security against unauthorized access

Multi-factor Authentication (MFA) enhances security by adding multiple layers of protection, making unauthorized access significantly more difficult. By requiring multiple forms of identity verification, such as a password, a one-time code, or biometrics, MFA protects your system from common security threats like brute-force attacks, phishing attempts, and man-in-the-middle attacks. This ensures that only users with valid credentials, in addition to a secondary authentication method, can access your Strapi backend, providing a highly secure environment for sensitive data and administrative functions.

MFA adds an extra layer of security to your Strapi backend, making it harder for attackers to gain unauthorized access by requiring multiple forms of verification.

Protection against credential theft

In today’s digital environment, credential theft is a prevalent risk as attackers use stolen passwords to gain unauthorized access to systems. MFA significantly reduces this threat by requiring an additional verification step, beyond the traditional username and password, for each user. Even if an attacker obtains a user's login credentials, they won’t be able to gain access without passing the secondary authentication. This makes MFA an effective defense against a range of security threats, such as social engineering and spear-phishing attacks, by adding a strong layer of protection to your Strapi backend.

MFA is a recommended security best practice by industry standards such as NIST and GDPR, ensuring that your Strapi backend meets the highest security requirements.

Compliance with industry standards

Adhering to established security standards is crucial for organizations, especially when handling sensitive data. Many industry standards, including NIST, GDPR, and SOC 2, recommend or mandate MFA as part of their compliance frameworks to ensure the protection of user data and maintain trust. By implementing MFA within your Strapi backend, you align with these stringent guidelines, making your infrastructure more robust and compliant with industry regulations. This also demonstrates your commitment to upholding high-security standards, giving clients and stakeholders confidence in your system's integrity.

Our MFA plugin is designed for developers of all skill levels, with an easy, no-code setup that allows you to quickly integrate MFA into your Strapi project without any hassle.

Easy integration with no-code setup

Security doesn’t have to be complicated, and our MFA plugin is designed with that in mind. The no-code setup means that even developers with minimal experience can configure and deploy MFA in their Strapi projects without needing extensive knowledge of complex security protocols. With intuitive configuration options, our plugin provides a straightforward integration process, allowing you to add MFA with just a few clicks. This empowers teams to enhance their security posture without investing significant time or resources into setup, ensuring a hassle-free experience for developers at any skill level.

Our MFA plugin offers a range of security features, including SMS, TOTP, and email verification, to give you peace of mind knowing that your Strapi backend is secure.

Robust security features for peace of mind

Our MFA plugin is equipped with multiple authentication options, including SMS-based verification, Time-Based One-Time Passwords (TOTP), and email verification, giving you flexibility to choose the method that best suits your needs. These options enable stronger protection for your backend, ensuring that only authorized users can gain access. The plugin’s security features are designed to adapt to evolving security requirements, making it easy to scale as your user base grows. This robust suite of features provides peace of mind, knowing that your backend is well-protected against unauthorized access and data breaches.

MFA is designed to provide an effortless user experience, with seamless authentication that adapts to your workflow, making it easy for users to access your Strapi backend securely.

Effortless user experience for seamless authentication

Security should not come at the cost of user experience. Our MFA plugin is designed to be as unobtrusive as possible, providing an authentication process that integrates seamlessly with your users’ workflow. The plugin offers an adaptable authentication experience, allowing users to access your Strapi backend without unnecessary friction, while still ensuring high security. Whether accessing the backend for administrative tasks or content management, users will experience a smooth, intuitive process that doesn’t compromise on security, making it easy and enjoyable to use your Strapi application.


Powerful features for powerful creators

Choose a plan that’s right for you

Individual

Ideal for individuals with basic MFA needs

€9,99 / Month

Get Started Now
  • ✔️1 project
  • ✔️Secure Strapi admin panel with MFA
  • ✔️Full MFA access (SMS, Email, TOTP, Backup codes)
  • ✔️Email verification 2FA
  • Early access to new features
  • Multi project license

Developer

Best value for multi-project developers with early access to premium features

€22,99 / Month

Get Started Now
  • ✔️Everything from the individual plan
  • ✔️3 projects
  • ✔️Priority updates
  • ✔️Early access to new features (SDK, React components)
  • ✔️Multi-project support
  • ✔️Email support
  • ✔️Backup codes for device recovery
Most Popular

Agency

Ideal for businesses who need MFA security at large scale

€29,99 / Month

Get Started Now
  • ✔️Everything from the Developer plan
  • ✔️Supports up to 7-10 projects
  • ✔️Priority updates
  • ✔️Early access to new features (SDK, React components)
  • ✔️Multi-project support
  • ✔️Email support
  • ✔️Backup codes for device recovery
  • ✔️Premium support (response time < 4h)


14-day money back! 🤯

Need Something More?
Let’s Talk.

If your project requires more than what’s offered in our standard plans, we’ve got you covered. Whether you need custom solutions, enterprise-level support, or have specific security requirements, we’re here to help.


Frequently Asked Questions

Headlockr is a multifactor authentication plugin built for Strapi. It supports multiple authentication methods, including SMS, email, and TOTP. It's plug and play, easy to use, and highly customizable. Headlockr protects your admin panel and content API from unauthorized access and data breaches. It adds an extra layer of security to your Strapi project, making it more secure and compliant with data protection regulations.

To install Headlockr, download the plugin via npm and install it in your Strapi project. You need a valid license to download the software. After installation you can configure the plugin settings and enable it for the desired authentication methods. Dedicated documentation is available at https://docs.headlockr.io/, where you can follow the installation guide step by step.

MFA stands for Multi-Factor Authentication. It is a security feature that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.

MFA works by requiring two or more of the following authentication methods: something you know (like a password), something you have (like a phone or hardware token), or something you are (like a fingerprint).

MFA provides an additional layer of security to protect your accounts and data from unauthorized access. It reduces the risk of unauthorized access, credential theft, and compliance risks.

To set up MFA, you need to enable it in the settings of your account or application. You can choose from various authentication methods like SMS, TOTP, and backup codes.

If you lose access to your MFA device, you may be locked out of your account. As a last resort you can use backup codes to regain access to your account. Make sure to store your backup codes in a safe place. In case you lose your backup codes, you can contact your administrator or customer support.

MFA and 2FA are often used interchangeably, but there is a subtle difference between the two. MFA stands for Multi-Factor Authentication, which requires two or more methods of authentication from independent categories of credentials. 2FA stands for Two-Factor Authentication, which requires two methods of authentication from two different categories of credentials.

MFA is considered a best practice for securing your accounts and data from unauthorized access. It adds an extra layer of security by requiring multiple methods of authentication. While no security measure is foolproof or 100% secure, MFA significantly reduces the risk of unauthorized access, credential theft, and compliance risks.

MFA can be bypassed in some cases, but it significantly reduces the risk of unauthorized access and credential theft. It is not immune to attacks though. Some sophisticated attackers may be able to bypass MFA through social engineering, phishing, or other methods. It is important to remain vigilant and follow best practices for securing your accounts. To enhance security, you can use additional security measures like strong passwords, regular software updates, and security monitoring.

Seamless integration with your existing Strapi setup

No need for complex configurations. Our plugin is designed for quick and easy integration with Strapi, allowing you to enhance security without disrupting your workflow.

Add this to your .npmrc file

Just run this command to start installing MFA for Strapi

yarn add @headlockr/headlockr @tanstack/react-query@^5.56.2

or, with npm:

npm install @headlockr/headlockr

Add the license key that you received by email into the .env file

HEADLOCKR_LICENSE_KEY=enter-your-license-key-here

For Headlockr to function properly in your admin panel, you'll need to make a slight modification to the /src/admin/webpack.config.js file

That’s it. Check out our documentation to ensure you have the latest instructions.


© 2025 copyright Headlockr, all rights reserved