User Management
Codality uses invite-only authentication. There is no self-registration.
How authentication works
- An admin adds a user's email in Admin → Users
- The user visits the login page and enters their email
- Codality sends a one-time password (OTP) via SendGrid
- The user enters the OTP to log in
Users who have not been invited by an admin cannot log in. The OTP request is rejected for unknown emails.
Roles
| Role | Permissions |
|---|---|
| Admin | Full access. Can manage users, change settings, configure prompts. |
| Member | Can create and manage tickets, run the agent, create plans. Cannot manage users or change admin settings. |
First admin
The first user is created via the setup code displayed in the server console on first startup. This user is automatically an admin.
Inviting users
Go to Admin → Users tab. Enter the user's email, optional name, and role. Click Add User.
The user can now log in with their email. No invitation email is sent — just tell them the URL.
Managing users
From the Users tab, you can:
- Promote to admin — Click the role toggle
- Demote to member — Click the role toggle (requires confirmation)
- Remove — Click remove. The user can no longer log in.
Note: You cannot demote or remove yourself. This prevents accidentally locking yourself out.
Git identity
Each user has a git identity used when the agent commits and pushes code on their behalf. Configure it in Profile → Git Identity.
| Field | Purpose | Default |
|---|---|---|
| Git name | GIT_AUTHOR_NAME / GIT_COMMITTER_NAME | User's Codality display name |
| Git email | GIT_AUTHOR_EMAIL / GIT_COMMITTER_EMAIL | User's Codality email |
These are set as environment variables in the Docker sandbox and passed to all git operations.
SSH keys
Each user gets an auto-generated ED25519 SSH keypair on their first agent run. The key is used for pushing code to git remotes.
View your public key: Go to Profile → SSH Key.
Add to your Git host: Copy the public key and add it as a deploy key (with write access) on your repository. See Server Setup → SSH Keys for details.
Regenerate: Click Generate New Key in Profile. The old key is replaced — update your deploy keys.
Each user's private key is stored on the server at {WORKTREE_BASE}/../ssh/{user_id}/id_ed25519. Anyone with read access to that directory can push as that user, so restrict filesystem access to it accordingly.
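The following is an added example, not Codality's own code, showing how the git identity defaults and the per-user key path above fit together: git name and email fall back to the Codality display name and email, the private key is resolved at {WORKTREE_BASE}/../ssh/{user_id}/id_ed25519, and git is pinned to that key through GIT_SSH_COMMAND. The GIT_SSH_COMMAND pinning, the User class, the run_git helper and the user id character check are assumptions made for the illustration; the page does not say how the sandbox selects the key.

```python
import os
import re
import shlex
import subprocess
from dataclasses import dataclass
from typing import Dict, List


# Constructed user record with the fields the page describes. An empty
# git_name / git_email means "use the Codality display name / email",
# which is the documented default.
@dataclass
class User:
    id: str
    email: str
    display_name: str
    git_name: str = ""
    git_email: str = ""


_SAFE_ID = re.compile(r"[A-Za-z0-9_-]+")  # assumption: user ids look like this


def ssh_key_path(worktree_base: str, user_id: str) -> str:
    """Resolve {WORKTREE_BASE}/../ssh/{user_id}/id_ed25519 (the page's layout).

    user_id is server-assigned, but it is spliced into a path, so refuse
    anything that could escape the per-user directory.
    """
    if not _SAFE_ID.fullmatch(user_id):
        raise ValueError("user id contains path characters")
    ssh_dir = os.path.normpath(os.path.join(worktree_base, "..", "ssh"))
    key = os.path.normpath(os.path.join(ssh_dir, user_id, "id_ed25519"))
    if os.path.commonpath([ssh_dir, key]) != ssh_dir:  # belt and braces
        raise ValueError("key path escapes the ssh directory")
    return key


def git_env(user: User, worktree_base: str) -> Dict[str, str]:
    """Environment handed to git for commits and pushes made on this user's behalf."""
    name = user.git_name or user.display_name
    email = user.git_email or user.email
    key = ssh_key_path(worktree_base, user.id)
    return {
        "GIT_AUTHOR_NAME": name,
        "GIT_COMMITTER_NAME": name,
        "GIT_AUTHOR_EMAIL": email,
        "GIT_COMMITTER_EMAIL": email,
        # Assumption (not stated on the page): pin ssh to this user's key and
        # nothing else, so no agent key or default ~/.ssh identity in the
        # sandbox can ever be offered for the push.
        "GIT_SSH_COMMAND": f"ssh -i {shlex.quote(key)} -o IdentitiesOnly=yes",
    }


def run_git(user: User, worktree_base: str, repo_dir: str, args: List[str]) -> subprocess.CompletedProcess:
    """Run one git command as this user with a minimal environment.

    Only PATH and HOME are inherited, so secrets in the caller's environment
    do not reach git or any credential helper it spawns.
    """
    env = {k: os.environ[k] for k in ("PATH", "HOME") if k in os.environ}
    env.update(git_env(user, worktree_base))
    return subprocess.run(["git", "-C", repo_dir, *args], env=env,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    ada = User(id="u42", email="ada@example.com", display_name="Ada Lovelace")
    for k, v in git_env(ada, "/srv/codality/worktrees").items():
        print(f"{k}={v}")
```

A call such as run_git(ada, "/srv/codality/worktrees", "/srv/codality/worktrees/u42/repo", ["push", "origin", "HEAD"]) pushes with Ada's identity and only Ada's key, whatever else happens to be in the process environment.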
Session management
Sessions are token-based. Login creates a random 32-byte token that is sent to the client as a session cookie; the server stores only a SHA-256 hash of the token in the database, so a copy of the database does not yield usable session tokens.
Sessions have a sliding expiry window: a session accessed within 3 days of its expiry is automatically extended. Sessions are looked up by token hash rather than signed, so changing the SESSION_SECRET environment variable does not invalidate them.
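As an added illustration, not the project's code, the token-based session store described above: a session token is 32 random bytes, only its SHA-256 digest is kept server-side, and a lookup within 3 days of expiry extends the session. The 30-day absolute lifetime, the in-memory dictionary standing in for the database table, and the revoke_user helper are assumptions the page does not state.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

SESSION_TTL = timedelta(days=30)    # assumption: the page gives no absolute lifetime
EXTEND_WINDOW = timedelta(days=3)   # from the page: extend when accessed within 3 days of expiry


def token_digest(token: str) -> str:
    # Unkeyed SHA-256 is sufficient: the token is 32 random bytes, so the
    # stored digest can neither be inverted nor guessed, and no server
    # secret takes part (which is why rotating SESSION_SECRET changes nothing).
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """In-memory stand-in for the sessions table: digest -> {user_id, expires_at}."""

    def __init__(self) -> None:
        self._rows: Dict[str, dict] = {}

    def create(self, user_id: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)      # 32 random bytes, cookie-safe encoding
        self._rows[token_digest(token)] = {"user_id": user_id, "expires_at": now + SESSION_TTL}
        return token                           # goes to the client only; never persisted

    def resolve(self, token: str, now: datetime) -> Optional[str]:
        """Return the user id for a valid cookie, applying the sliding expiry."""
        key = token_digest(token)
        row = self._rows.get(key)
        if row is None:
            return None
        if row["expires_at"] <= now:
            del self._rows[key]                # expired: drop it so it cannot be revived
            return None
        if row["expires_at"] - now <= EXTEND_WINDOW:
            row["expires_at"] = now + SESSION_TTL   # sliding window
        return row["user_id"]

    def expires_at(self, token: str) -> Optional[datetime]:
        row = self._rows.get(token_digest(token))
        return None if row is None else row["expires_at"]

    def revoke_user(self, user_id: str) -> int:
        """Force logout everywhere by deleting the rows; rotating a secret would not do this."""
        doomed = [k for k, r in self._rows.items() if r["user_id"] == user_id]
        for k in doomed:
            del self._rows[k]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    now = datetime.now(timezone.utc)
    cookie = store.create("u1", now)
    print("cookie value:", cookie)
    print("stored digest:", token_digest(cookie))
    print("user:", store.resolve(cookie, now))
```

Because the database holds only digests, revoking a session means deleting its row (as revoke_user does); there is no secret to rotate that would log users out.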
OTP rate limiting
Failed OTP verification is rate-limited: 5 failed attempts per email within a 15-minute window triggers a 15-minute lockout. Successful verification clears the counter.
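An added example, not Codality's code, covering both the login flow under How authentication works and the lockout rule here: an OTP request for an email that is not on the admin-maintained user list is rejected without generating or sending anything, and verification fails closed after 5 failures within 15 minutes, locking that email for 15 minutes; a successful verification clears the counter. The 6-digit code format, the 10-minute OTP lifetime, discarding the pending code on lockout, the hashed storage of the code, and the send callback standing in for SendGrid are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List

MAX_FAILURES = 5                       # from the page
FAILURE_WINDOW = timedelta(minutes=15)  # from the page
LOCKOUT = timedelta(minutes=15)         # from the page
OTP_TTL = timedelta(minutes=10)         # assumption: the page states no OTP lifetime


def otp_digest(email: str, code: str) -> str:
    # Stored instead of the code itself. A 6-digit space is trivially brute-forced
    # offline, so this only guards against casual reads of the table; the online
    # rate limit below is the real control.
    return hashlib.sha256(f"{email}\0{code}".encode()).hexdigest()


class OtpService:
    def __init__(self, invited: Iterable[str], send: Callable[[str, str], None]) -> None:
        self._invited = {e.strip().lower() for e in invited}  # the Admin -> Users list
        self._send = send                                      # stands in for the SendGrid call
        self._pending: Dict[str, dict] = {}                    # email -> {"digest", "expires_at"}
        self._failures: Dict[str, List[datetime]] = {}
        self._locked_until: Dict[str, datetime] = {}

    def request(self, email: str, now: datetime) -> bool:
        """Issue an OTP. Unknown emails are rejected; nothing is generated or sent."""
        email = email.strip().lower()
        if email not in self._invited:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[email] = {"digest": otp_digest(email, code), "expires_at": now + OTP_TTL}
        self._send(email, code)
        return True

    def is_locked(self, email: str, now: datetime) -> bool:
        until = self._locked_until.get(email.strip().lower())
        return until is not None and now < until

    def failure_count(self, email: str, now: datetime) -> int:
        stamps = self._failures.get(email.strip().lower(), [])
        return len([t for t in stamps if now - t < FAILURE_WINDOW])

    def verify(self, email: str, code: str, now: datetime) -> str:
        """Return "ok", "invalid" or "locked"."""
        email = email.strip().lower()
        if self.is_locked(email, now):
            return "locked"                      # a correct code is refused too while locked
        pending = self._pending.get(email)
        good = (pending is not None and now < pending["expires_at"]
                and hmac.compare_digest(pending["digest"], otp_digest(email, code)))
        if good:
            del self._pending[email]             # single use
            self._failures.pop(email, None)      # success clears the counter
            return "ok"
        recent = [t for t in self._failures.get(email, []) if now - t < FAILURE_WINDOW]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[email] = now + LOCKOUT
            self._failures.pop(email, None)      # counter starts fresh after the lockout
            self._pending.pop(email, None)       # assumption: outstanding code is discarded too
            return "locked"
        self._failures[email] = recent
        return "invalid"


if __name__ == "__main__":
    outbox = []
    svc = OtpService(["ada@example.com"], lambda e, c: outbox.append((e, c)))
    now = datetime.now(timezone.utc)
    print("unknown email accepted?", svc.request("stranger@example.com", now))
    print("invited email accepted?", svc.request("ada@example.com", now))
    print("verify:", svc.verify(*outbox[0], now))
```

Failures are counted per email whether or not a code is outstanding, so probing an address that never requested a code is throttled the same way; the unknown-email rejection in request is what keeps uninvited addresses from ever receiving a code.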