Users & roles

Two roles: admin and regular. Both can send and receive packages; admins additionally see/manage everyone's packages, users, settings, webhooks, and audit log.

Roles in detail

Creating users

Web UI

1. Sign in as admin → Users in the top nav
2. Scroll to "Create user"
3. Enter email, display name, password (≥10 chars), role
4. Click Create

CLI

# Bare-metal:
sudo -u speedyfiles /opt/speedyfiles/.venv/bin/python -m app.cli create-user \
  --email new@example.com --name 'New Person' \
  --role regular --password 'their-temp-password'

# Docker:
docker exec speedyfiles python -m app.cli create-user \
  --email new@example.com --name 'New Person' \
  --role regular --password 'their-temp-password'

First-run wizard

On a fresh install, the first user is created via /setup and is automatically the admin. See First-run wizard.

Password policy

• argon2id hashing
• Minimum 10 characters (enforced at create + change time)
• No complexity requirements (rely on length)
• No history

Disabling a user

Admin → Users → Disable button next to the user. Disabled users:

• Can't log in (401)
• Their API tokens are immediately invalidated
• Their existing magic links remain valid (they were issued to recipients, not the disabled user)
• Their packages remain visible to admins, and are still accessible via their magic links

To fully remove a user's footprint: delete all their packages first, then disable.

Password reset (for users)

The forgot-password page sends an emailed reset link valid for 2 hours. Single-use.

Admins can also reset a password directly from Users → click the user's row → "Reset password" → enter new password.

OIDC / SSO

On the roadmap for v0.2. Track at GitHub Issues under the oidc label. Until then, all auth is local.