From c7efedc3488e2a83bd49552ce58a676759fce178 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 17 Apr 2026 10:02:55 +0000
Subject: [PATCH 1/3] docs: clarify first-session behaviour in session alerts
 documentation

Agent-Logs-Url: https://github.com/appwrite/website/sessions/ab48e4d6-67e9-41a0-a3ab-7991a41f23b3

Co-authored-by: Meldiron <19310830+Meldiron@users.noreply.github.com>
---
 src/partials/auth-security.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/partials/auth-security.md b/src/partials/auth-security.md
index 2cb4c467b5..e39b95bca0 100644
--- a/src/partials/auth-security.md
+++ b/src/partials/auth-security.md
@@ -57,9 +57,15 @@ Disallowing personal data can be enabled in the Auth service's **Security** tab
 
 # Session alerts {% #session-alerts %}
 
-Enable email alerts for your users so that whenever another session is created for their account, they will be alerted to the new session.
+Enable email alerts for your users so that whenever a new session is created for their account, they will be alerted with details about the sign-in. This helps users quickly spot unauthorized access and take action to secure their account.
 
-You won't receive notifications when logging in using [Magic URL](/docs/products/auth/magic-url), [Email OTP](/docs/products/auth/email-otp), or [OAuth2](/docs/products/auth/oauth2) since these authentication methods already verify user access to their systems, establishing the authentication's legitimacy.
+**When alerts are not sent**
+
+Session alerts are intentionally skipped in a few situations to avoid redundant or confusing emails:
+
+- **First session after sign-up** — the very first sign-in a user makes after creating their account does not trigger an alert. At this point the user has just proven they own their email address, so a second email about the same event adds no security value. It also prevents a double-email situation in flows where your project may already be sending a welcome or verification email.
+- **[Magic URL](/docs/products/auth/magic-url), [Email OTP](/docs/products/auth/email-otp), and [OAuth2](/docs/products/auth/oauth2) sign-ins** — these authentication methods already verify the user's access to the sign-in channel (their inbox or identity provider), so no additional alert is needed.
+- **No email address on file** — users who have not set an email address on their account will not receive alerts.
 
 To toggle session alerts, navigate to **Auth** > **Security** > **Session alerts**.
 

From 95d265351c72e8ec690d188710503e0e0ce2add3 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 17 Apr 2026 10:11:08 +0000
Subject: [PATCH 2/3] docs: rephrase first-session alert exception to not
 reference inbox ownership

Agent-Logs-Url: https://github.com/appwrite/website/sessions/d7226f28-f908-4109-87e9-10d45ba54c47

Co-authored-by: Meldiron <19310830+Meldiron@users.noreply.github.com>
---
 src/partials/auth-security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/partials/auth-security.md b/src/partials/auth-security.md
index e39b95bca0..4c13bef229 100644
--- a/src/partials/auth-security.md
+++ b/src/partials/auth-security.md
@@ -63,7 +63,7 @@ Enable email alerts for your users so that whenever a new session is created for
 
 Session alerts are intentionally skipped in a few situations to avoid redundant or confusing emails:
 
-- **First session after sign-up** — the very first sign-in a user makes after creating their account does not trigger an alert. At this point the user has just proven they own their email address, so a second email about the same event adds no security value. It also prevents a double-email situation in flows where your project may already be sending a welcome or verification email.
+- **First session after sign-up** — the very first sign-in a user makes after creating their account does not trigger an alert. A brand-new account doesn't yet hold anything worthy of protection, so alerting at this stage adds no real security value. It also prevents a double-email situation in flows where your project may already be sending a welcome or verification email.
 - **[Magic URL](/docs/products/auth/magic-url), [Email OTP](/docs/products/auth/email-otp), and [OAuth2](/docs/products/auth/oauth2) sign-ins** — these authentication methods already verify the user's access to the sign-in channel (their inbox or identity provider), so no additional alert is needed.
 - **No email address on file** — users who have not set an email address on their account will not receive alerts.
 

From 4fbe1389796dfcc0f13772823e02a9776221bed4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Ba=C4=8Do?= <matejbaco2000@gmail.com>
Date: Fri, 17 Apr 2026 16:46:58 +0200
Subject: [PATCH 3/3] Update src/partials/auth-security.md

Co-authored-by: Aditya Oberai <adityaoberai1@gmail.com>
---
 src/partials/auth-security.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/partials/auth-security.md b/src/partials/auth-security.md
index 4c13bef229..7b069504c9 100644
--- a/src/partials/auth-security.md
+++ b/src/partials/auth-security.md
@@ -59,7 +59,7 @@ Disallowing personal data can be enabled in the Auth service's **Security** tab
 
 Enable email alerts for your users so that whenever a new session is created for their account, they will be alerted with details about the sign-in. This helps users quickly spot unauthorized access and take action to secure their account.
 
-**When alerts are not sent**
+## When alerts are not sent
 
 Session alerts are intentionally skipped in a few situations to avoid redundant or confusing emails: