ADMIN · ONBOARDING
Claim admin.
On a fresh deployment, the first person to complete this flow
becomes the superadmin. The check is on the database
(users.role='admin') — once an admin exists, this
page shuts down and refuses further claims.
Checking onboarding availability…
Onboarding is available.
Enter the email address you want to associate with the admin role. We'll email you a one-click link; clicking it grants admin and signs you in.
Rate-limited to 1 attempt per IP per minute. The link is valid for 30 minutes and works only once.
Admin already configured.
A mikrotikfilters admin is already on this deployment. Onboarding is a one-time, irrevocable bootstrap — there's no re-running it.
If you are that admin, sign in normally. If you are not, you don't have a path forward through this page; the operator who claimed admin is the only person who can grant additional roles (mod / supporter promotions arrive in later milestones).
Could not check onboarding status.
The status endpoint did not respond. Reload to retry; if the issue persists, the API may not be reachable yet.
Safeguards
- Database-state gate — availability is determined by SELECT COUNT(*) FROM users WHERE role='admin', not a config flag. Resetting config can't re-enable onboarding.
- Hard rate limit — 1 attempt per IP per minute during the bootstrap window.
- Same magic-link primitive — onboarding uses the regular magic-link path, just with an intent='onboarding' token flag. No bypass; the email click is required.
- Audit-logged — initiate AND completion write rows to audit_log.
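
The safeguards above, sketched as an added example (not this deployment's own code): the database-state gate, a single-use 30-minute token carrying intent='onboarding', and audit rows on initiate and completion. Everything beyond users.role and audit_log is assumed for illustration: the tokens table, the column names, the function names, hashing the token at rest, and re-checking the gate inside the completion transaction. Rate limiting is left out.

```python
import hashlib, secrets, sqlite3, time

TTL = 30 * 60  # seconds; the page says the link is valid for 30 minutes

def setup():
    # Assumed schema: only users.role and audit_log are named on the page.
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript("""
        CREATE TABLE users(email TEXT PRIMARY KEY, role TEXT NOT NULL);
        CREATE TABLE tokens(hash TEXT PRIMARY KEY, email TEXT, intent TEXT,
                            expires REAL, used INTEGER DEFAULT 0);
        CREATE TABLE audit_log(ts REAL, event TEXT, email TEXT);""")
    return db

def digest(token):
    return hashlib.sha256(token.encode()).hexdigest()  # store only the hash

def available(db):
    n = db.execute("SELECT COUNT(*) FROM users WHERE role='admin'").fetchone()[0]
    return n == 0

def initiate(db, email, now=None):
    now = time.time() if now is None else now
    if not available(db):
        return None  # an admin exists: no new links are issued
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO tokens VALUES(?,?,'onboarding',?,0)",
               (digest(token), email, now + TTL))
    db.execute("INSERT INTO audit_log VALUES(?,?,?)", (now, "onboarding_initiate", email))
    return token  # would be emailed as the one-click link

def complete(db, token, now=None):
    now = time.time() if now is None else now
    db.execute("BEGIN IMMEDIATE")  # write lock: gate check and grant are one unit
    try:
        row = db.execute("SELECT email FROM tokens WHERE hash=? AND used=0 "
                         "AND intent='onboarding' AND expires>?",
                         (digest(token), now)).fetchone()
        if row is None or not available(db):  # gate re-checked at click time
            db.execute("ROLLBACK")
            return False
        db.execute("UPDATE tokens SET used=1 WHERE hash=?", (digest(token),))
        db.execute("INSERT OR REPLACE INTO users VALUES(?,'admin')", (row[0],))
        db.execute("INSERT INTO audit_log VALUES(?,?,?)", (now, "onboarding_complete", row[0]))
        db.execute("COMMIT")
        return True
    except Exception:
        db.execute("ROLLBACK")
        raise
```

Re-checking the gate at completion means a second link issued before the first claim cannot also produce an admin, even though it is still unexpired and unused.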