First Login and Roles

OTP login flow

  1. The user requests an OTP at POST /api/auth/request-otp.
  2. The OTP code is sent to the user's email address (Mailpit in the local environment).
  3. The user verifies the code with POST /api/auth/verify-otp.
  4. The app receives a JWT and the user profile.

OTP constraints

  • 8-digit code.
  • Valid for 10 minutes.
  • Rate limit: max 3 requests per 10 minutes per email.
  • The email address's domain must be listed in allowed_domains.

Role assignment

  • If the email address is listed in developer_emails -> role developer.
  • Otherwise -> role user.

The role is assigned once, when the user record is first created; after that it is managed by an admin under settings/user management.
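The flow, constraints and role rule above, combined into one in-memory service as an added example (not the product's own code). OtpService, request_otp and verify_otp are assumed names; the injected now parameter stands in for the clock, and codes are treated as single-use on success, which the page does not state.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

OTP_DIGITS = 8                      # 8-digit code
OTP_TTL_SECONDS = 10 * 60           # valid for 10 minutes
RATE_LIMIT_MAX = 3                  # max 3 requests ...
RATE_LIMIT_WINDOW_SECONDS = 10 * 60 # ... per 10 minutes per email

@dataclass
class OtpService:
    allowed_domains: set   # stands in for the allowed_domains setting
    developer_emails: set  # stands in for the developer_emails setting
    _otps: dict = field(default_factory=dict)      # email -> (code, expires_at)
    _requests: dict = field(default_factory=dict)  # email -> request timestamps

    def request_otp(self, email: str, now: float) -> str:
        email = email.lower()
        if email.rpartition("@")[2] not in self.allowed_domains:
            raise PermissionError("domain not in allowed_domains")
        # Keep only requests still inside the sliding 10-minute window.
        recent = [t for t in self._requests.get(email, [])
                  if now - t < RATE_LIMIT_WINDOW_SECONDS]
        if len(recent) >= RATE_LIMIT_MAX:
            raise RuntimeError("rate limit exceeded")
        recent.append(now)
        self._requests[email] = recent
        # CSPRNG-backed, zero-padded to exactly 8 digits.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._otps[email] = (code, now + OTP_TTL_SECONDS)
        return code  # returned here only so the example is testable;
                     # the real flow hands it to the mail provider

    def verify_otp(self, email: str, code: str, now: float) -> Optional[dict]:
        email = email.lower()
        stored = self._otps.get(email)
        if stored is None:
            return None
        expected, expires_at = stored
        if now > expires_at:
            del self._otps[email]          # expired: discard it
            return None
        if not hmac.compare_digest(expected, code):
            return None                    # constant-time mismatch
        del self._otps[email]              # assumption: single-use on success
        role = "developer" if email in self.developer_emails else "user"
        return {"email": email, "role": role}  # JWT issuance would follow
```

Failed verification attempts are not bounded here because the page states no such limit; a production service would want one alongside the request rate limit, since 10 minutes is ample time for repeated guesses against an 8-digit code.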

First boot checklist

  • Add your company domains in settings.
  • Add first developer emails.
  • Confirm outgoing email provider works (/api/settings/test-email).