User Management
Codality uses invite-only authentication. There is no self-registration.
How authentication works
- An admin adds a user's email in Admin → Users
- The user visits the login page and enters their email
- Codality sends a one-time password (OTP) via SendGrid
- The user enters the OTP to log in
Users who have not been invited by an admin cannot log in. The OTP request is rejected for unknown emails.
Roles
| Role | Permissions |
|---|---|
| Admin | Full access. Can manage users, change settings, configure prompts. |
| Member | Can create and manage tickets, run the agent, create plans. Cannot manage users or change admin settings. |
First admin
The first user is created via the setup code displayed in the server console on first startup. This user is automatically an admin.
Inviting users
Go to the Admin → Users tab. Enter the user's email, an optional name, and a role. Click Add User.
The user can now log in with their email. No invitation email is sent — just tell them the URL.
Managing users
From the Users tab, you can:
- Promote to admin — Click the role toggle
- Demote to member — Click the role toggle (requires confirmation)
- Remove — Click remove. The user can no longer log in.
Note: You cannot demote or remove yourself. This prevents accidentally locking yourself out.
Session management
Sessions are cookie-based. Session cookies are signed with the SESSION_SECRET environment variable. Changing the session secret invalidates all existing sessions.
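The following added example (not Codality's own code) shows why changing the signing secret invalidates existing sessions: a signed cookie verifies only under the secret that produced its tag. The cookie layout, the use of HMAC-SHA256, and the names `sign_session` and `verify_session` are assumptions made for illustration; the secrets and the user are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Assumed cookie format: base64url(JSON payload) + "." + base64url(HMAC-SHA256 tag).

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(body: str, secret: str) -> bytes:
    return hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()

def sign_session(payload: dict, secret: str) -> str:
    """Serialize the payload and append an HMAC tag keyed by the session secret."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_b64(_tag(body, secret))}"

def verify_session(cookie: str, secret: str):
    """Return the payload if the tag verifies under `secret`, otherwise None."""
    try:
        body, tag = cookie.split(".")
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(_unb64(tag), _tag(body, secret)):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None

def demo():
    old_secret, new_secret = "constructed-old-secret", "constructed-new-secret"
    member = {"email": "user@example.com", "role": "member"}
    cookie = sign_session(member, old_secret)
    # Payload edited on the client while the original tag is reused.
    admin = {"email": "user@example.com", "role": "admin"}
    tampered = _b64(json.dumps(admin, sort_keys=True).encode()) + "." + cookie.split(".")[1]
    return {
        "valid": verify_session(cookie, old_secret),
        "tampered": verify_session(tampered, old_secret),
        "after_rotation": verify_session(cookie, new_secret),
    }

if __name__ == "__main__":
    print(demo())
```

Under this scheme a cookie's validity depends only on the secret, so the value of `SESSION_SECRET` should be long, random, and kept out of source control.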