The admin panel provides centralized control over Anchor’s system settings, user management, and registration policies. Access is restricted to users with admin privileges.

Accessing the Admin Panel

1. Verify Admin Status

Only users with the isAdmin flag set to true can access admin functionality. The first user created during installation is automatically granted admin privileges.

2. Authenticate

All admin endpoints require JWT authentication. Ensure you’re logged in before making requests to /api/admin/* endpoints.

3. Access Admin Routes

Admin endpoints are available at /api/admin/ and are protected by the AdminGuard (server/src/admin/admin.guard.ts:10).

Admin actions can significantly impact your Anchor instance. Always verify changes before applying them, especially when modifying user permissions or registration settings.

Admin Capabilities

The admin panel provides the following core capabilities:

User Management

  • View All Users: List all registered users with pagination support
  • Create Users: Manually create new user accounts
  • Update Users: Modify user details and admin permissions
  • Delete Users: Remove user accounts (with safety checks)
  • Reset Passwords: Generate new passwords for users
  • Approve/Reject: Manage pending user registrations

System Settings

  • Registration Mode: Control how new users can register
  • OIDC Configuration: Configure OpenID Connect authentication
  • System Statistics: View usage metrics and statistics

Statistics Dashboard

Get system-wide statistics:

    GET /api/admin/stats

Response:

    {
      "totalUsers": 42,
      "totalNotes": 1337,
      "totalTags": 89
    }

The stats endpoint provides:
  • Total number of users in the system
  • Total number of active notes (excluding deleted)
  • Total number of tags created

Admin Safety Features

Anchor implements several safety mechanisms to prevent accidental system lockouts:

Last Admin Protection

The system prevents removing admin privileges from the last admin user (server/src/admin/admin.service.ts:175):
  • Cannot demote the last admin to regular user
  • Cannot delete the last admin account
  • Ensures at least one admin always exists

Self-Demotion Prevention

Admins cannot remove their own admin status (server/src/admin/admin.service.ts:172), preventing accidental self-lockout.

Cascade Deletion

When a user is deleted, their associated notes and tags are automatically removed through database cascade constraints.

Authentication Flow

All admin endpoints follow this authentication flow:
  1. JWT Validation: Request must include valid JWT token
  2. Admin Check: User must have isAdmin: true flag
  3. Action Authorization: Some actions have additional safety checks
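
The admin check and the two lockout protections described above can be expressed as one decision function. This is an added example, not Anchor's own code: the types, function name and reason strings are hypothetical, and it assumes the JWT has already been validated and resolved to a user (or to null on failure).

```typescript
// Hypothetical types and names for illustration; not taken from Anchor's source.
interface User { id: string; isAdmin: boolean }

type AdminAction =
  | { kind: "update"; targetId: string; isAdmin?: boolean }
  | { kind: "delete"; targetId: string };

interface Decision { allowed: boolean; reason: string }

// `actor` is the user resolved from an already-validated JWT (step 1),
// or null when validation failed. `users` stands in for the user table.
function authorizeAdminAction(
  actor: User | null,
  action: AdminAction,
  users: User[],
): Decision {
  if (actor === null) return { allowed: false, reason: "unauthenticated" };

  // Step 2: admin check on the authenticated user.
  if (!actor.isAdmin) return { allowed: false, reason: "not-admin" };

  const target = users.find((u) => u.id === action.targetId);
  if (!target) return { allowed: false, reason: "no-such-user" };

  // Step 3: safety checks apply only when an admin would lose admin rights.
  const removesAdmin =
    target.isAdmin && (action.kind === "delete" || action.isAdmin === false);
  if (!removesAdmin) return { allowed: true, reason: "ok" };

  // Self-demotion prevention: an admin cannot clear their own isAdmin flag.
  if (action.kind === "update" && target.id === actor.id) {
    return { allowed: false, reason: "self-demotion" };
  }

  // Last admin protection: at least one admin must remain afterwards.
  const adminCount = users.filter((u) => u.isAdmin).length;
  if (adminCount <= 1) return { allowed: false, reason: "last-admin" };

  return { allowed: true, reason: "ok" };
}

// Constructed sample users.
const alice: User = { id: "u1", isAdmin: true };
const bob: User = { id: "u2", isAdmin: false };
const carol: User = { id: "u3", isAdmin: true };
```

In a real service the admin count and the write it protects belong in the same database transaction, otherwise two concurrent demotions can each see a remaining admin and both succeed.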

API Endpoints

Statistics

Method  Endpoint          Description
GET     /api/admin/stats  Get system statistics

Users

Method  Endpoint                             Description
GET     /api/admin/users                     List all users (paginated)
GET     /api/admin/users/pending             List pending approvals
POST    /api/admin/users                     Create new user
PATCH   /api/admin/users/:id                 Update user details
DELETE  /api/admin/users/:id                 Delete user
POST    /api/admin/users/:id/reset-password  Reset user password
POST    /api/admin/users/:id/approve         Approve pending user
POST    /api/admin/users/:id/reject          Reject pending user

Settings

Method  Endpoint                          Description
GET     /api/admin/settings/registration  Get registration settings
PATCH   /api/admin/settings/registration  Update registration mode
GET     /api/admin/settings/oidc          Get OIDC settings
PATCH   /api/admin/settings/oidc          Update OIDC configuration

Next Steps

User Approval

Learn how to manage user registration and approval workflows

System Settings

Configure registration modes and authentication settings
