Admin Panel
Theme, Users, Roles, Plans, Comp overrides, MCP tokens — every UI you'll touch.
Every operation surfaces in auth.wolfieguard.com/admin. Login is your WolfieAuth account itself (with MFA). The sections below mirror the navigation you’ll see on the left.
Apps (/admin/clients)
The catalog of OidcClients you’ve registered. Each row shows clientId, owner org, redirect URIs, plan count. Click into one to access its tabs:
Overview / Config
clientId (immutable after create), name, description, redirect URIs, scopes, grant types, token endpoint auth method, PKCE requirement, trust flag (skip consent), active toggle. Rotate-secret button at the bottom — shows the new secret ONCE.
Theme
Per-app branding for the hosted login page. Subtabs:
- Login — logo, headline, subtitle, primary/accent colors, support email, Terms / Privacy URLs
- Signup — copy overrides, custom consent checkboxes (up to 10), org-signup model picker, approval gate, paywall config
- Advanced — custom CSS, Deployment & SEO flags:
  - 🚫 Block SEO indexing — SDK injects X-Robots-Tag: noindex, nofollow on every response. Use for staging/dev variants.
  - 🔒 HTTP Basic Auth gate — pre-launch shibboleth shared by your team. Username + password + realm. SDK challenges browsers BEFORE the OIDC flow runs. Password lives server-side; verification via /api/public/clients/:clientId/basic-auth/verify.
Users
Per-app user directory. Three sections:
- Roles section (button up top) — lists OrgRoles for the app’s owner org. + Nowa rola opens a checkbox-grouped permission picker (11 categories: Org, Members, Clients, Billing, Plans, Audit, Webhooks, Roles, SAML/SCIM, Persons, ReBAC). Each row shows the canonical perm key + a Polish description of what it actually grants. 📋 Use template applies one of the five canonical SaaS shapes (Solo / B2B Team / B2B Hierarchical / Marketplace / Internal Tool).
- + Dodaj usera form — three flavours depending on app kind. WP/Perfex hit the source-app REST API. SvelteKit/unknown apps get a generic form: email / display name / password (with 🎲 generator) / external user id / “rola w aplikacji” string (free-form, lands in LinkedAccount.role) / OrgRole picker (RBAC, lands in OrgMembership.roleId).
- Linked users table — every account that has SSO’d into this app. Columns: email, external ID, role, ∞ toggle (per-(user, app) free-pass override — flips on/off in one click), 🗑 delete. The ∞ toggle creates an AppEntitlementOverride row; OIDC claim emitter synth-injects a plan entry so the user sees ACTIVE without paying.
Plans
Plan catalog for this app. Use template for canonical pricing models, + Nowy plan for hand-rolled. Each plan card shows:
- Toggles: Active / Default / Featured / Require 2FA
- Feature flag chips (free-form, your app interprets)
- Limits JSON
- Price rows (one per currency × interval × country combo)
- Sync to Stripe button — provisions Product + Price on the owner org’s Connect account
- Preview — renders what your customers see at /billing/<clientId>
JWT Templates
Per-OidcClient JSON templates merged into the id_token. Useful for Hasura permissions, edge auth, lambda authorizers without DB hits. Free-form JSON with {{user.x}} interpolation against the standard claims.
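An added illustration, not WolfieAuth's own code: one way a {{user.x}} template can be rendered so that claim values only fill string positions and never change the JSON structure of the token. The function name renderClaimTemplate, the mapping of user.x to the claim named x, and the sample values are assumptions.

```javascript
// Added illustration, NOT WolfieAuth's renderer. renderClaimTemplate and the
// sample values are hypothetical; user.x is assumed to mean "claim x".
const PLACEHOLDER = /\{\{\s*user\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g;
const WHOLE = /^\{\{\s*user\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$/;

function lookup(claims, key) {
  // Own properties only, so "{{user.constructor}}" cannot reach the prototype.
  if (!Object.prototype.hasOwnProperty.call(claims, key)) {
    throw new Error(`template references unknown claim: user.${key}`);
  }
  return claims[key];
}

function fill(node, claims) {
  if (typeof node === "string") {
    // A string that is exactly one placeholder keeps the claim's type
    // (boolean, array, ...); otherwise values are spliced in as text.
    const whole = WHOLE.exec(node);
    if (whole) return lookup(claims, whole[1]);
    return node.replace(PLACEHOLDER, (_, key) => String(lookup(claims, key)));
  }
  if (Array.isArray(node)) return node.map((n) => fill(n, claims));
  if (node !== null && typeof node === "object") {
    // Keys are copied verbatim: claim values can never create or rename keys.
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, fill(v, claims)])
    );
  }
  return node; // numbers, booleans, null pass through unchanged
}

function renderClaimTemplate(templateJson, claims) {
  // Parse first, substitute second: the structure is fixed before any
  // user-controlled value is read.
  return fill(JSON.parse(templateJson), claims);
}

// Constructed sample: a Hasura-style template and a display name that
// contains JSON metacharacters.
const template = JSON.stringify({
  "https://hasura.io/jwt/claims": {
    "x-hasura-user-id": "{{user.sub}}",
    "x-hasura-default-role": "user",
    "x-hasura-allowed-roles": ["user"],
  },
  greeting: "Hello {{user.name}}",
});
const claims = { sub: "usr_123", name: 'Eve","x-hasura-default-role":"admin' };
console.log(JSON.stringify(renderClaimTemplate(template, claims), null, 2));
```

Substituting into the raw template text and parsing afterwards would let a quote in a profile field rewrite neighbouring claims; walking the parsed tree avoids that class of problem.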
Self-Signup
Configure the public signup endpoint for this app. Toggle on/off, rotate the signup secret, set a custom redirect URL.
Organizations (/admin/organizations)
The orgs registered against your platform. Each row shows: name, slug, tier (GUEST / STANDARD / ANOINTED / PLATFORM), member count, plan, Stripe Connect status.
Overview tab
Branding (logo, support email, contact email), tier, hierarchy (parent/children), close-org button (soft-delete, retention sweep eventually fires).
Members tab
Every user with an OrgMembership. Add via email invite, edit kind (MEMBER / ADMIN / SPECIAL_ADMIN / GUEST), assign OrgRole, remove. Bulk invite paste box accepts comma-separated emails.
Roles & Access tab
OrgRole CRUD — same UI as the per-app #users → Roles section, just scoped to the org directly. Useful when you have multiple apps in one org and want to manage roles centrally.
Integrations tab
- Webhooks — register endpoints for org-scoped events (user.created, subscription.updated, …). Show last-N deliveries with retry button.
- Domains — verify custom domains for SSO (e.g. auth.acme.com CNAME’d to wolfieauth)
- API Keys — long-lived keys for the app’s REST API
- 🔌 MCP Tokens — sandboxed MCP tokens for THIS org. Mint with org_* scopes, set per-token rate limit (requestsPerMinute), set expiry. Token shown ONCE in a copyable box. Each token cannot see or affect other orgs by design.
Billing tab
Stripe Connect onboarding link, account status, subscription list, recent payments, platform-fee accruals, KSeF invoice references.
Users (/admin/users)
Cross-org user directory (only SUPER_ADMIN sees all users). Filter by org / app / role. Per-row actions: lock account, revoke all sessions, deprovision-everywhere (cascade delete from every linked app).
Sessions (/admin/sessions)
Active OIDC sessions across the platform. Filter by user / app / org. Revoke individual sessions. Anomaly-flagged sessions (impossible travel, new country) highlighted in red.
Alerts (/admin/alerts)
Security alerts queue: new client registrations, suspicious logins, lock-out triggers, anomaly detections. Mark resolved, add notes.
Audit (/admin/audit)
Append-only log of every mutation. Filter by event type, user, app, org, date range. Export to CSV/JSON for compliance.
Consents & GDPR (/admin/consents)
Per-user consent grants and revocations. Trigger GDPR exports (user data dump as JSON), trigger account deletion with retention sweep.
Settings (/admin/settings)
Tabs:
- Konto — your own profile (email, name, MFA, recovery codes)
- Pricing (SUPER_ADMIN) — wolfieauth-platform self-pricing (the per-seat plan customers use to pay for WolfieAuth itself)
- Branding (SUPER_ADMIN) — platform-wide brand defaults (fallback when an app has no theme)
- Discounts (SUPER_ADMIN) — Stripe coupons + promotion codes on the platform account
- Advanced (SUPER_ADMIN) — feature flags, retention windows, platform fee rate
MCP Tokens
Two surfaces depending on which kind:
- Platform tokens (SUPER_ADMIN only) — /admin/mcp-tokens. Cross-org admin (lock_user, anoint_org, list_organizations…). Token’s org = platform-owner.
- Org tokens (SPECIAL_ADMIN of org) — /admin/organizations/<id>#integrations → 🔌 MCP Tokens. Sandboxed to that one org. Cannot touch other orgs by design.
See SSO & Sessions for the security model behind the two-level isolation.