diff --git a/aid/config.go b/aid/config.go
index be64b38..1970b24 100644
--- a/aid/config.go
+++ b/aid/config.go
@@ -34,6 +34,7 @@ type CS struct {
 		Season int
 		Build float64
 		Everything bool
+		Password bool
 	}
 }
 
@@ -132,4 +133,5 @@ func LoadConfig(file []byte) {
 
 	Config.Fortnite.Season = parsedSeason
 	Config.Fortnite.Everything = cfg.Section("fortnite").Key("everything").MustBool(false)
+	Config.Fortnite.Password = cfg.Section("fortnite").Key("password").MustBool(false)
 }
\ No newline at end of file
diff --git a/default.config.ini b/default.config.ini
index 441ec9b..ad57fde 100644
--- a/default.config.ini
+++ b/default.config.ini
@@ -1,7 +1,7 @@
 [database]
 ; connect string
 uri="host=localhost user=postgres password=pass dbname=snow port=5432 sslmode=disable"
-; postgres
+; currently only postgres is supported. memory and mongo will be added in the future
 type="postgres"
 ; drop all tables at start of program
 drop=false
@@ -29,6 +29,7 @@ port=":3000"
 ; host that the api is running on
 ; e.g. if you are running the api on your local machine, you would set this to 127.0.0.1
 ; if you are running the api on a server, you would set this to the ip of the server or the domain name
+; localhost will not work with the xmpp from testing
 host="127.0.0.1"
 
 [jwt]
@@ -40,3 +41,7 @@ secret="secret"
 build=5.41
 ; own every cosmetic in the game. this applies to all accounts
 everything=true
+; enable or disable the requirement of password to login to an account
+; if this is set to false, you can login to any account with just the username
+; if this is true you must login using an exchange code given by the bot
+password=true
\ No newline at end of file
diff --git a/handlers/auth.go b/handlers/auth.go
index 52ae1e3..42cfffa 100644
--- a/handlers/auth.go
+++ b/handlers/auth.go
@@ -123,6 +123,10 @@ func PostTokenExchangeCode(c *fiber.Ctx, body *FortniteTokenBody) error {
 }
 
 func PostTokenPassword(c *fiber.Ctx, body *FortniteTokenBody) error {
+	if aid.Config.Fortnite.Password {
+		return c.Status(fiber.StatusBadRequest).JSON(aid.ErrorBadRequest("Password Login is disabled for security reasons. Please use an Exchange Code given by the discord bot."))
+	}
+
 	if body.Username == "" || body.Password == "" {
 		return c.Status(fiber.StatusBadRequest).JSON(aid.ErrorBadRequest("Username/Password is empty"))
 	}
diff --git a/handlers/client.go b/handlers/client.go
index 6335159..d1098a7 100644
--- a/handlers/client.go
+++ b/handlers/client.go
@@ -101,7 +101,7 @@ func PostClientProfileAction(c *fiber.Ctx) error {
 		})
 
 		profile.ClearProfileChanges()
-		profile.Save()
+		go profile.Save()
 	}
 
 	return c.Status(200).JSON(aid.JSON{