Anchor provides flexible user management with configurable registration modes and user approval workflows.

Registration Modes

Control how users can register for your Anchor instance with three registration modes:
Open Registration
Users can register freely and immediately access the system.
Best for:
  • Public-facing instances
  • Small teams where all members are trusted
  • Development and testing environments
Behavior:
  • Users register via /api/auth/register or OIDC
  • Account status is set to active
  • Access and refresh tokens are issued immediately
  • User can log in and use the system right away
This is the default mode when no configuration is specified.

Configuration Methods

Lock the registration mode using the USER_SIGNUP environment variable:
.env
# Set to 'disabled', 'enabled', or 'review'
USER_SIGNUP=review
Characteristics:
  • Takes precedence over database settings
  • Cannot be changed via admin panel when set
  • Useful for enforcing policies across deployments
  • Removing the variable returns control to the admin panel
If USER_SIGNUP is set, the admin panel will show the mode as locked and read-only.

Checking Registration Mode

Get the current registration mode (public endpoint):
Get Registration Mode
curl http://localhost:3000/api/auth/registration-mode
Response:
{
  "mode": "review"
}

User Statuses

Status: active
Description: User has full access to the system.
How users become active:
  • Registration with mode enabled
  • Administrator approval (from pending)
  • OIDC login with mode enabled
  • First user registration (auto-admin)
Capabilities:
  • Can log in with credentials or OIDC
  • Can create and access notes
  • Can generate API tokens
  • Can update profile

Approving Users

Administrators can approve pending users through the admin panel:
1. View Pending Users
   Navigate to Admin → Users and filter by status pending.
2. Review User Details
   Check the user’s email, name, and registration date.
3. Approve or Reject
  • Approve: Change status to active
  • Reject: Delete the user account
4. Notify User
   (Optional) Inform the user they can now log in.
Currently, users are not automatically notified when approved. Consider implementing email notifications for better user experience.

Special Cases

First User (Bootstrap Admin)

The first user to register becomes an administrator automatically, regardless of registration mode:
First User Logic
const adminCount = await prisma.user.count({
  where: { isAdmin: true }
});

// First user (adminCount === 0) becomes admin with active status
const isAdmin = adminCount === 0;
const status = isAdmin ? 'active' : determineStatus(registrationMode);
Ensure you register the first user account before opening your instance to others. The first user will have full administrative privileges.

OIDC Users with Registration Disabled

When USER_SIGNUP=disabled, OIDC authentication still creates new users on first login:
  • Behavior matches the disabled mode for local registration
  • OIDC users are auto-created with active status on first login
  • This allows SSO users while blocking local registration
To prevent any new users:
  • Disable OIDC
  • Configure your identity provider to restrict access
  • Use firewall rules to limit access
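
The precedence and special-case rules above, combined into a pre-deployment check. This is an added example, not Anchor's code: `signupExposure`, the `Deployment` fields (including `oidcEnabled`) and the finding labels are hypothetical, and rejecting an unrecognised USER_SIGNUP value is an assumption of the example.

```typescript
// Added example: models the rules described on this page; not Anchor's source code.
type Mode = "enabled" | "review" | "disabled";
type Source = "env" | "database" | "default";
interface Deployment {
  userSignupEnv?: string; // value of USER_SIGNUP, undefined when unset
  dbMode?: Mode;          // mode saved through the admin panel, if any
  oidcEnabled: boolean;   // hypothetical flag: an OIDC provider is configured
  adminCount: number;     // number of users with isAdmin = true
}
interface Exposure { mode: Mode; source: Source; isLocked: boolean; findings: string[] }

const MODES: Mode[] = ["enabled", "review", "disabled"];

function signupExposure(d: Deployment): Exposure {
  let mode: Mode = "enabled"; // default when nothing is configured
  let source: Source = "default";
  if (d.userSignupEnv !== undefined) {
    // Assumption of this example: an unrecognised value is reported, not guessed at.
    if (MODES.indexOf(d.userSignupEnv as Mode) === -1) {
      throw new Error("unrecognised USER_SIGNUP value: " + d.userSignupEnv);
    }
    mode = d.userSignupEnv as Mode;
    source = "env"; // the environment variable takes precedence over the database
  } else if (d.dbMode !== undefined) {
    mode = d.dbMode;
    source = "database";
  }
  const isLocked = source === "env";
  const findings: string[] = [];
  if (d.adminCount === 0) findings.push("no-admin: the next registrant becomes an active administrator");
  if (mode === "enabled") findings.push("open: new accounts are active immediately");
  if (mode === "disabled" && d.oidcEnabled) findings.push("oidc-bypass: a first OIDC login still creates an active user");
  if (!isLocked) findings.push("unlocked: the mode can be changed from the admin panel");
  return { mode, source, isLocked, findings };
}
```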

API Reference

Get Registration Settings (Admin)

Get Settings
curl http://localhost:3000/api/settings/registration \
  -H "Authorization: Bearer <admin_token>"
Response:
{
  "mode": "review",
  "isLocked": false,
  "source": "database"
}
| Field | Description |
| --- | --- |
| mode | Current registration mode |
| isLocked | Whether the mode is locked by environment variable |
| source | Configuration source: env, database, or default |

Update Registration Mode (Admin)

Update Mode
curl -X POST http://localhost:3000/api/settings/registration \
  -H "Authorization: Bearer <admin_token>" \
  -H "Content-Type: application/json" \
  -d '{"mode": "review"}'
This endpoint returns 403 Forbidden if the mode is locked by the USER_SIGNUP environment variable.

User List Management

Administrators can view and manage all users:
List Users (Admin)
curl http://localhost:3000/api/admin/users \
  -H "Authorization: Bearer <admin_token>"
Response includes:
[
  {
    "id": "uuid",
    "email": "user@example.com",
    "name": "John Doe",
    "status": "pending",
    "isAdmin": false,
    "createdAt": "2024-01-15T10:30:00Z",
    "updatedAt": "2024-01-15T10:30:00Z"
  }
]

Best Practices

  • Use review or disabled mode for production
  • Set USER_SIGNUP environment variable to lock the policy
  • Register the first admin user before opening to users
  • Document your approval process for pending users
  • Consider using review mode even with OIDC
  • Configure identity provider to restrict access
  • Use DISABLE_INTERNAL_AUTH=true for SSO-only access
  • Test account linking with existing users
  • Check pending users regularly
  • Verify email domains match your organization
  • Document approval criteria for consistency
  • Consider implementing approval notifications
  • Lock registration mode with environment variable in production
  • Monitor user creation patterns
  • Use OIDC for better identity verification
  • Implement rate limiting on registration endpoints
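
One way to act on the review and monitoring items above, run over the user list returned by /api/admin/users. This is an added example, not part of Anchor: `auditUsers`, its thresholds and the sample rows are constructed for illustration, and timestamps are assumed to be UTC ISO 8601 as in the response shown earlier.

```typescript
// Added example, not Anchor code. Field names follow the /api/admin/users response.
interface UserRow { id: string; email: string; status: string; isAdmin: boolean; createdAt: string }
interface Finding { id: string; issue: "stale-pending" | "off-domain" | "burst" }

// Constructed sample data in the shape of the documented response.
const SAMPLE_USERS: UserRow[] = [
  { id: "u1", email: "alice@example.com", status: "pending", isAdmin: false, createdAt: "2024-01-15T10:30:00Z" },
  { id: "u2", email: "bob@example.com", status: "active", isAdmin: true, createdAt: "2024-01-10T09:00:00Z" },
  { id: "u3", email: "x@mail.invalid", status: "pending", isAdmin: false, createdAt: "2024-01-31T22:05:00Z" },
  { id: "u4", email: "y@mail.invalid", status: "pending", isAdmin: false, createdAt: "2024-01-31T22:07:00Z" },
];

function auditUsers(users: UserRow[], allowedDomains: string[], now: Date,
                    maxPendingDays: number = 7, burstLimit: number = 3): Finding[] {
  const findings: Finding[] = [];
  const perHour: { [hour: string]: string[] } = {};
  for (const u of users) {
    // Pending accounts nobody has reviewed within the agreed window.
    const ageDays = (now.getTime() - Date.parse(u.createdAt)) / 86400000;
    if (u.status === "pending" && ageDays > maxPendingDays) {
      findings.push({ id: u.id, issue: "stale-pending" });
    }
    // Email domain outside the organisation's allow-list.
    const domain = u.email.slice(u.email.lastIndexOf("@") + 1).toLowerCase();
    if (allowedDomains.indexOf(domain) === -1) {
      findings.push({ id: u.id, issue: "off-domain" });
    }
    // Bucket by UTC hour ("2024-01-31T22") to spot bursts of account creation.
    const hour = u.createdAt.slice(0, 13);
    (perHour[hour] = perHour[hour] || []).push(u.id);
  }
  for (const hour of Object.keys(perHour)) {
    if (perHour[hour].length > burstLimit) {
      for (const id of perHour[hour]) findings.push({ id: id, issue: "burst" });
    }
  }
  return findings;
}
```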

Implementation Reference

User management implementation can be found in:
  • Settings service: server/src/settings/settings.service.ts
  • Auth service: server/src/auth/auth.service.ts
  • OIDC user service: server/src/auth/oidc/oidc-user.service.ts
