Otper

Guides

Otper guides

Practical guidance for teams running real production work — how each part of Otper improves visibility, accountability, and operational throughput.

Getting started

A workspace is only useful in production if every person, decision, and deadline is accountable from day one. The steps below establish that baseline.

Create your account

Every action in Otper is attributed to a verified identity, so your audit trail is intact from the first card forward. Sign up with a password or a one-time email link — either path leaves you with a recoverable, MFA-ready account.

Set up your first board

A board is a single, shared source of truth for one stream of work. Standardising on one board per stream eliminates the "where is this tracked?" tax that costs production teams hours every week. New boards start with To do, In progress, and Done, which you adapt to match your real workflow.

Invite teammates

Bringing the team in with role-scoped access from the start enforces least-privilege by default — you don't have to retrofit access control once a project is live. Invitations go out by email; new members join with an existing account or sign up fresh.

Boards & cards

How work is structured determines what your team can ship — and how confidently they can ship it. These primitives are designed to surface bottlenecks before they become incidents.

Lists

Each list is a stage in your workflow. Visualising work stage-by-stage makes queue buildup and WIP overload visible in seconds, instead of being discovered weeks later in a retro. Reorder or rename lists to match the way your team actually delivers.

Cards

Every card is the durable, attributable record of one unit of work. Description, members, labels, due dates, checklists, comments, and attachments all live on it — so on-call handoffs, audits, and onboarding all read the same story without anyone having to reconstruct context from chat.

Moving a card between lists records a status change against the people responsible, giving you a clean trail from intake through delivery.

Labels & due dates

Labels turn ad-hoc categorisation into a consistent signal your team and dashboards can rely on — by type, priority, customer, or any axis your operation cares about. Due dates make commitments explicit, and surface slipping work before deadlines are missed rather than after.

Comments & attachments

Decisions made in chat get lost; decisions made on a card stay searchable. Keeping discussion in context means a new team member can pick up an in-flight piece of work without a meeting, and a post-incident review still has the evidence intact. Mention a teammate with @name; attach files by drag-and-drop, or capture a photo from the mobile app.

Account & security

Account access is one of the highest-leverage attack surfaces in any team. These controls close the most common paths to compromise without adding friction for legitimate users.

Sign-in methods

Pick the strongest method your team can adopt. Each option is designed to remove a class of risk rather than just check a box.

  • Passkey (WebAuthn) — eliminates password reuse and phishing as failure modes entirely; authentication is bound to the user's device.
  • Email magic link — removes password-storage risk for accounts that don't yet have a passkey.
  • Password — stored as a salted bcrypt hash, never in plain text; pair with MFA to make a stolen password a near miss instead of a breach.

Multi-factor authentication

A second factor turns a stolen credential into a near miss instead of an account takeover. Choose an authenticator-app code (TOTP) or an email one-time code from your account security settings, and generate recovery codes so a lost device never locks you out of your own workspace.

Sessions & API tokens

When a device is lost or a team member leaves, incident response is measured in minutes — not in how long a password rotation takes to propagate. Every active session, registered passkey, and issued API token can be reviewed and revoked individually from your account settings, with effect taking hold immediately.

Mobile app

The mobile app extends production access to wherever the work actually happens, while keeping the same security and permissions model as the web.

Device permissions

Permissions are requested only when a feature needs them — never up-front. This least-privilege model means a stolen or compromised device gives an attacker no broader access than the user had actively granted in the moment.

  • Camera — requested when attaching a photo to a card or setting a profile picture.
  • Photo library — requested when attaching existing media or saving downloaded files.
  • Microphone — requested when capturing audio for a video attachment.
  • Notifications — requested for download completion and mention alerts.

Any of these can be revoked from device settings at any time, with no impact on the rest of the app.

Notifications

Alert fatigue is the silent killer of operational hygiene. Granular notification preferences — all activity, due dates only, comments and mentions only, or none — let each person tune signal-to-noise to their role. Security and sign-in alerts always come through, regardless of the preference set.

Need help adopting Otper at scale, or have a question that isn't covered here? Reach out to our team.