First login¶
Register the first admin¶
There is no default user (admin@example.com is not created). An empty database keeps self-registration open for the first account only.
- Open the app URL from Install.
- On first start, choose Create account / Register with a strong email + password.
- You are the first user → role admin.
- Self-registration then closes automatically.
Open registration locks after the first account
After the first admin exists, the login screen no longer offers self-registration. New people ask an admin for an invite (Users → Create user). Direct /auth/register explains how to request access instead of a hard config error. Set ALLOW_OPEN_REGISTRATION=true only if you intentionally want public sign-up.
Password policy¶
Enforced on register, password change, and admin-created users:
- At least 10 characters
- At least one uppercase, one lowercase, one digit
- At most 72 Latin letters/digits (emoji/symbols count as more than one character; enforcement is UTF-8 bytes)
Invited users¶
Admin-created accounts must set a personal password on first login (/auth/force-password), then optional force-2FA if enabled. Temporary passwords appear once on create — see Users.
If you set ALLOW_OPEN_REGISTRATION=true, later self-registered accounts become operator (not admin). Prefer leaving open registration off and creating viewers/operators under Users.
After login checklist¶
| Step | Where |
|---|---|
| Set display name / avatar | Account (full-width ops-hero + profile / security cards) |
| Optional 2FA | Account → TOTP — or force 2FA for all |
| Push notifications | Account → Push (after HTTPS / PWA) |
| Timezone | Settings → General |
| Create operators/viewers | Users (admin) — after first admin, no public self-register |
| Add first server | Add a server |
Admin quick checklist¶
- Create operators/viewers via Users → Create user (modal + one-time credentials); share invite passwords carefully.
- Optionally enable Force 2FA under Settings → Security policy.
- Per server: Edit → Features → then Schedules for checks → only then consider apply schedules. Remove a host later via Edit → Remove.
- Prefer “only if updates” on apply schedules; start with a quiet weekly window.
- For mobile push: trusted TLS + PWA & Web Push; open in-app alerts from the bell.
- DR: Settings → PiHerder backup; keep
PIHERDER_MASTER_KEYoffline safe.