Leave Localhost logoLeave LocalhostDocs
Admin

Super Admin Panel

A small, read-first platform admin area at /admin, for operators/owners of the product — not for workspace members. It is intentionally minimal: visibility first, plus one guarded support action (suspend/reactivate a workspace).

A small, read-first platform admin area at /admin, for operators/owners of the product — not for workspace members. It is intentionally minimal: visibility first, plus one guarded support action (suspend/reactivate a workspace).

Enabling it

  1. Add your email to SUPER_ADMIN_EMAILS on the Convex deployment (backend functions don't read packages/backend/.env):

    bun --cwd packages/backend convex env set SUPER_ADMIN_EMAILS "you@example.com"
  2. Sign in with a verified email. Google/Microsoft OAuth and magic link verify automatically, and new email/password accounts must verify before they can sign in. Existing unverified password accounts are rejected until they complete email verification.

  3. Keep SUPER_ADMIN_REQUIRE_2FA=true (default) and enrol in two-factor from Settings → Security. For local dev you can set it to false:

    bun --cwd packages/backend convex env set SUPER_ADMIN_REQUIRE_2FA "false"
  4. Reload the dashboard. An Admin item appears in the sidebar under "Platform"; /admin is now reachable.

Troubleshooting "/admin returns 404"

A 404 means the access check returned isSuperAdmin: false — the panel is working as designed, you just don't pass the gate yet. To see the exact reason, call the access query (e.g. from the Convex dashboard or a one-off client call):

api.admin.access.getSuperAdminAccess{ isSuperAdmin, reason }

reason is one of not_authenticated, missing_user, email_not_verified, not_allow_listed, two_factor_required, or ok. Fix the matching item above.

Full access model: Super Admin Access.

What's in the panel

  • Overview (/admin) — recent audit events, recent users, recent workspaces. Bounded lists, no expensive counts.
  • Users (/admin/users) — paginated users with exact-email search and a per-user detail drawer (workspace memberships + roles). See Admin: Users.
  • Workspaces (/admin/workspaces) — paginated workspaces with a status filter, a detail drawer (members, billing snapshot), and the suspend / reactivate actions. See Admin: Workspaces.
  • Audit log (/admin/audit-log) — the full, filterable event history. See Admin: Global Audit Log.

What it is not

By design, the panel does not include: user impersonation, deleting accounts, editing emails/passwords, arbitrary database editing, or arbitrary billing edits. It is not a replacement for the Convex dashboard, the Better Auth dashboard, or your billing provider's dashboard.

Boundaries and safety

  • Access is server-enforced on every query/mutation, not just the route.
  • The single write surface (suspend/reactivate) requires step-up verification and writes audit events for success, failure, and denial.
  • All lists are indexed and paginated, so the panel stays fast as data grows.

Removing it

See Removing the Admin Panel and Audit Log.

On this page