Anchor supports a user approval workflow that allows admins to review and approve new registrations before granting access. This is useful for private instances or organizations that want to control who can access the system.

How User Approval Works

When registration mode is set to review, new user registrations enter a pending state until an admin approves or rejects them.

User Statuses

Users can have the following statuses:
  • pending: Awaiting admin approval (cannot log in)
  • active: Approved and can access the system

Viewing Pending Users

Retrieve all users awaiting approval:
GET /api/admin/users/pending
Response:
[
  {
    "id": "user-123",
    "email": "user@example.com",
    "name": "John Doe",
    "isAdmin": false,
    "status": "pending",
    "authMethod": "local",
    "createdAt": "2026-03-01T10:30:00Z",
    "updatedAt": "2026-03-01T10:30:00Z"
  }
]
The authMethod field indicates whether the user registered via local credentials (local) or OpenID Connect (oidc).

Approving Users

Step 1: Get Pending Users

Fetch the list of pending users to review their registration details.
GET /api/admin/users/pending

Step 2: Approve User

Approve a user by their ID to grant them access.
POST /api/admin/users/:id/approve
The user’s status changes from pending to active (server/src/admin/admin.service.ts:280).

Step 3: User Can Log In

Once approved, the user can log in and access Anchor normally.

Approve Endpoint

POST /api/admin/users/{userId}/approve
Example Request:
curl -X POST https://anchor.example.com/api/admin/users/user-123/approve \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
Response:
{
  "id": "user-123",
  "email": "user@example.com",
  "name": "John Doe",
  "isAdmin": false,
  "status": "active",
  "createdAt": "2026-03-01T10:30:00Z",
  "updatedAt": "2026-03-02T09:15:00Z"
}
Users can only be approved if their status is pending. Attempting to approve an already active user will result in an error.

Rejecting Users

Step 1: Review Pending User

Identify the user you want to reject from the pending list.

Step 2: Reject User

Reject the registration to permanently deny access.
POST /api/admin/users/:id/reject

Step 3: User Deleted

The user account is permanently deleted from the system (server/src/admin/admin.service.ts:310).

Reject Endpoint

POST /api/admin/users/{userId}/reject
Example Request:
curl -X POST https://anchor.example.com/api/admin/users/user-123/reject \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
Response:
{
  "message": "User rejected and deleted successfully"
}
Rejecting a user permanently deletes their account. This action cannot be undone. If they need access later, they must register again.

Managing All Users

View all users in the system (not just pending):
GET /api/admin/users?skip=0&take=50
Query Parameters:
  • skip (optional): Number of records to skip for pagination (default: 0)
  • take (optional): Number of records to return (default: 50)
Response:
{
  "users": [
    {
      "id": "user-123",
      "email": "user@example.com",
      "name": "John Doe",
      "isAdmin": false,
      "status": "active",
      "authMethod": "local",
      "createdAt": "2026-03-01T10:30:00Z",
      "updatedAt": "2026-03-02T09:15:00Z",
      "_count": {
        "notes": 42,
        "tags": 15
      }
    }
  ],
  "total": 100,
  "skip": 0,
  "take": 50
}
The response includes:
  • User details and status
  • Count of notes and tags for each user
  • Pagination metadata

Creating Users Manually

Admins can bypass the registration workflow and create users directly:
POST /api/admin/users
Request Body:
{
  "email": "newuser@example.com",
  "password": "securepassword123",
  "name": "Jane Smith"
}
Validation Rules:
  • Email must be valid and unique
  • Password must be at least 8 characters (server/src/admin/dto/create-user.dto.ts:15)
  • Name is required and max 100 characters
Response:
{
  "id": "user-456",
  "email": "newuser@example.com",
  "name": "Jane Smith",
  "isAdmin": false,
  "createdAt": "2026-03-02T14:20:00Z",
  "updatedAt": "2026-03-02T14:20:00Z"
}
Manually created users are automatically set to active status and isAdmin: false. They can log in immediately.

Updating User Details

Modify user information or admin privileges:
PATCH /api/admin/users/{userId}
Request Body:
{
  "email": "updated@example.com",
  "name": "Updated Name",
  "isAdmin": true
}
All fields are optional. You can update:
  • Email address (must be unique)
  • Display name
  • Admin status
You cannot remove admin privileges from yourself or from the last admin user. This prevents system lockouts.

Resetting User Passwords

Generate a new password for a user:
POST /api/admin/users/{userId}/reset-password
Option 1: Auto-generate Password
{}
Response includes the generated password:
{
  "newPassword": "aB3dE9fG2hJ5k",
  "message": "Password reset successfully. New password generated."
}
Option 2: Set Specific Password
{
  "newPassword": "newsecurepassword123"
}
Response confirms the change:
{
  "message": "Password reset successfully"
}
When auto-generating passwords, the system creates a secure 16-character random password (server/src/admin/admin.service.ts:242). Make sure to save this password and share it securely with the user.
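As an added example, not Anchor's own implementation at admin.service.ts:242, here is a generator for the auto-generated password that draws every character from Node's CSPRNG via crypto.randomInt. The 16-character default follows the page; the ambiguity-free alphabet and the reuse of the page's 8-character minimum are this example's assumptions.

```typescript
import { randomInt } from "crypto";

// Alphabet without visually ambiguous characters (0/O, 1/l/I); this choice is
// the example's assumption, not something the page specifies. 57 symbols.
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";

// Builds a password by drawing each position from a CSPRNG. crypto.randomInt
// returns a uniformly distributed integer in [0, max), so there is no modulo
// bias; Math.random() is not a CSPRNG and must not be used for this.
function generatePassword(length = 16): string {
  // Same lower bound the page gives for manually created users (assumption that
  // it applies to generated passwords too).
  if (length < 8) throw new Error("Password must be at least 8 characters");
  let out = "";
  for (let i = 0; i < length; i++) out += ALPHABET[randomInt(ALPHABET.length)];
  return out;
}

// Entropy of such a password in bits: length * log2(alphabet size).
function entropyBits(length = 16): number {
  return length * (Math.log(ALPHABET.length) / Math.LN2);
}
```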

Deleting Users

Permanently remove a user from the system:
DELETE /api/admin/users/{userId}
Response:
{
  "message": "User deleted successfully"
}

What Gets Deleted

When you delete a user:
  • The user account is permanently removed
  • All notes created by the user are cascade deleted
  • All tags created by the user are cascade deleted
User deletion is permanent and cannot be undone. All associated data (notes, tags) will be lost.

Deletion Restrictions

  • Cannot delete the last admin user (server/src/admin/admin.service.ts:219); this ensures at least one admin always has access to the system
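The following is an added example, not Anchor's admin.service.ts: an in-memory model of the guards described under Approving Users, Updating User Details and Deletion Restrictions, so the invariants (approve only from pending, reject deletes the account, no demoting yourself or the last admin, no deleting the last admin) can be exercised offline. The actorId parameter and the restriction of reject to pending users are this example's assumptions.

```typescript
type Status = "pending" | "active";
interface User { id: string; email: string; name: string; isAdmin: boolean; status: Status }

// Hypothetical in-memory stand-in for the admin service; it is not Anchor's code.
class AdminModel {
  private users = new Map<string, User>();
  constructor(seed: User[]) { for (const u of seed) this.users.set(u.id, { ...u }); }

  private get(id: string): User {
    const u = this.users.get(id);
    if (!u) throw new Error("User not found");
    return u;
  }
  private adminCount(): number {
    return Array.from(this.users.values()).filter((u) => u.isAdmin).length;
  }
  // GET /api/admin/users/pending
  listPending(): User[] {
    return Array.from(this.users.values()).filter((u) => u.status === "pending");
  }
  // POST /api/admin/users/:id/approve: only a pending user can be approved
  approve(id: string): User {
    const u = this.get(id);
    if (u.status !== "pending") throw new Error("User is not pending approval");
    u.status = "active";
    return u;
  }
  // POST /api/admin/users/:id/reject: the account is deleted outright
  // (limiting reject to pending users is this example's assumption)
  reject(id: string): void {
    if (this.get(id).status !== "pending") throw new Error("User is not pending approval");
    this.users.delete(id);
  }
  // PATCH /api/admin/users/:id: the caller (actorId) may not demote itself or the last admin
  update(actorId: string, id: string, patch: Partial<Pick<User, "email" | "name" | "isAdmin">>): User {
    const u = this.get(id);
    if (patch.isAdmin === false && u.isAdmin) {
      if (id === actorId) throw new Error("Cannot remove your own admin privileges");
      if (this.adminCount() <= 1) throw new Error("Cannot remove the last admin");
    }
    Object.assign(u, patch);
    return u;
  }
  // DELETE /api/admin/users/:id: the last admin cannot be deleted
  remove(id: string): void {
    if (this.get(id).isAdmin && this.adminCount() <= 1) throw new Error("Cannot delete the last admin");
    this.users.delete(id);
  }
}
```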

Best Practices

Regular Review

Check pending users regularly to avoid registration delays

Verify Identity

Verify user identity before approval, especially for private instances

Document Decisions

Keep records of why users were approved or rejected

Set Expectations

Inform users about approval process and expected wait times

Next Steps

System Settings

Configure registration modes and authentication settings

Admin Panel

Learn more about admin panel capabilities
