Account Management covers platform users, roles, account status, subscription or balance, security actions, and sign-in policy. The actual admin console has separate Accounts and Login & auth menus; this guide combines them around the administrator workflow.
Entry Point
Open Accounts in the admin console to manage users. Open Login & auth to manage sign-in methods, registration, email verification, identity providers, and login security.
Only administrator accounts can access the admin console. High-risk changes such as super administrator protection, last-super-admin protection, and identity provider default roles are guarded by permission checks and safety rules.
User List
The user list supports searching by username, display name, email, and Public ID. It can be filtered by role, status, and subscription status, and sorted by newest ID, last login, last update, or display name.
Rows show account information, role, status, subscription or balance, timezone, and last login time. The billing fields change with billing mode: period billing focuses on subscription plan and expiry, while usage billing focuses on account balance.
Create and Edit Users
Use Create to add a normal user account with username, display name, password, email, phone, language, timezone, and preferences. Passwords must satisfy the platform policy.
The user editor is organized into profile, access and region, billing, security, and system information. Administrators can adjust role, status, profile fields, language, timezone, preferences, and billing fields available in the current billing mode.
When changing account status, add a reason when possible so later audits are easier. Suspend, deactivate, and delete actions affect sign-in and access, so confirm the business impact first.
Bulk Actions
The list supports selecting multiple users and applying role, status, timezone, balance, or deletion changes in bulk. Bulk actions show a confirmation dialog and are useful for organization migration, temporary blocks, billing initialization, and cleanup.
Before bulk changes, narrow the list with filters and verify the selected users. Deletion is permanent; prefer suspend or deactivate unless the account data truly should be removed.
Security Actions
The user details menu includes reset password, reset two-factor authentication, and revoke sessions.
| Action | Purpose |
|---|---|
| Reset password | Set a new password for the user. |
| Reset two-factor authentication | Clear the user's two-factor setup and revoke active sessions, useful when an authenticator is lost. |
| Revoke sessions | Invalidate signed-in devices for the user, useful for suspected exposure or offboarding. |
These actions affect the user's sign-in state. Confirm the user's identity and request source before acting, then tell the user to sign in again and complete any required security setup.
Sign-In and Registration
Login & auth controls email sign-in, username sign-in, email registration, and third-party sign-in.
Before disabling username and email sign-in, enable third-party sign-in and make sure at least one administrator has a linked identity provider. Email registration can be combined with email verification, allowed domains, and plus-alias blocking.
Email Verification and Human Verification
When email verification is enabled, registration, email changes, and some security flows depend on verification emails. SMTP host, port, username, password, and sender must be configured.
Human verification reduces automated registration. It affects email registration only, not third-party sign-in. Enable email registration first, then configure Turnstile keys.
Identity Providers
Third-party sign-in supports OIDC / OAuth2 identity providers. Administrators can create, edit, and order providers, enable login control and registration control, and configure the logo, client information, endpoints, scopes, and field mapping.
Login control decides whether existing users can sign in with the provider. Registration control decides whether the provider can create accounts. Auto-linking by email only happens when the provider returns a verified email.
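The three rules in the paragraph above can be read as one decision made on each provider callback. The sketch below is an added example, not the platform's code: `Provider`, `decide_callback`, the action names and the sample data are hypothetical, and it assumes that an unverified email matching an existing account is rejected and that linking an existing account also requires login control. `email` and `email_verified` are the standard OIDC claims.

```python
from dataclasses import dataclass

@dataclass
class Provider:
    """Hypothetical model of one identity provider's console settings."""
    name: str
    login_enabled: bool         # "login control" on the page
    registration_enabled: bool  # "registration control" on the page

def decide_callback(provider, claims, linked_user_id, users_by_email):
    """Decide what an OIDC callback may do. Returns (action, user_id).

    claims          -- claims from the provider (sub, email, email_verified)
    linked_user_id  -- account already linked to this provider's sub, or None
    users_by_email  -- lower-cased local account email -> user id
    """
    if linked_user_id is not None:
        # Existing link: only login control matters.
        if provider.login_enabled:
            return ("sign_in", linked_user_id)
        return ("deny_login_disabled", None)

    email = (claims.get("email") or "").strip().lower()
    # Assumption: only a boolean true counts as verified; a missing claim,
    # false, or the string "true" is treated as unverified.
    verified = claims.get("email_verified") is True
    match = users_by_email.get(email) if email else None

    if match is not None:
        # An unverified address must never attach to an existing account:
        # anyone could register that address at the provider.
        if not verified:
            return ("deny_unverified_email", None)
        if not provider.login_enabled:
            return ("deny_login_disabled", None)
        return ("link_and_sign_in", match)

    if provider.registration_enabled:
        return ("create_account", None)
    return ("deny_registration_disabled", None)

# Constructed sample data, not taken from any real deployment.
USERS = {"alice@example.com": 101}
SSO = Provider("example-sso", login_enabled=True, registration_enabled=False)
```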
Deleting an identity provider affects linked users. If any account depends only on that provider, the console warns about the risk. Make sure those users have a password or another provider before deletion.
Login Security
Login security controls session lifetime, access token lifetime, failed-login lock threshold, lock duration, and platform rate limiting. Shorter lifetimes fit higher-security environments; longer lifetimes fit trusted internal deployments.
Failed-login lock helps reduce password guessing. Platform rate limiting controls high-frequency access; if an outer gateway already enforces rate limits, decide whether to keep the built-in limiter based on deployment policy.
Practical Tips
Configure at least two reliable administrator sign-in paths before opening registration or third-party sign-in. Prefer suspend, deactivate, and revoke sessions for routine account control; delete only when retention is no longer needed. After changing auth policy, verify that an administrator can still sign in.
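The lockout checks described under Sign-In and Registration, Identity Providers, and in the tips above can be run against an account list before a policy change is applied. This is an added example, not part of the platform: the `Account` fields, function names and sample rows are hypothetical and stand in for whatever account data an administrator can review.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Hypothetical export of one row from the user list."""
    username: str
    is_admin: bool
    active: bool
    has_password: bool
    providers: set = field(default_factory=set)  # linked identity providers

def sign_in_paths(acct, password_sign_in, enabled_providers):
    """Sign-in paths an account keeps under the proposed settings."""
    if not acct.active:
        return set()
    paths = {"idp:" + p for p in acct.providers & set(enabled_providers)}
    if password_sign_in and acct.has_password:
        paths.add("password")
    return paths

def preflight(accounts, password_sign_in, enabled_providers):
    """Return (admins_with_access, stranded_usernames) for proposed settings."""
    admins, stranded = [], []
    for acct in accounts:
        if not acct.active:
            continue  # suspended or deactivated accounts cannot sign in anyway
        if not sign_in_paths(acct, password_sign_in, enabled_providers):
            stranded.append(acct.username)
        elif acct.is_admin:
            admins.append(acct.username)
    return sorted(admins), sorted(stranded)

def safe_to_apply(accounts, password_sign_in, enabled_providers, min_admins=1):
    """True when enough administrators keep access and nobody is stranded."""
    admins, stranded = preflight(accounts, password_sign_in, enabled_providers)
    return len(admins) >= min_admins and not stranded

# Constructed sample accounts.
ACCOUNTS = [
    Account("root-admin", True, True, True, {"example-sso"}),
    Account("ops-admin", True, True, True),
    Account("carol", False, True, False, {"example-sso"}),
    Account("dave", False, False, True),
]
```

Calling `preflight` with `password_sign_in=False` models disabling username and email sign-in; removing a name from `enabled_providers` models deleting that provider.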