Operator playbook
Bootstrap the Authio dashboard
One-time steps to grant the first operator access to your project's dashboard.
The Authio dashboard is itself an Authio relying-party. Anyone trying to drive it must:
- Have a real Authio user (passkey, magic link, or OAuth) on the same project.
- Be listed in `dashboard_operators` for that project.
New deployments need someone to seed the very first operator. The steps below take ~30 seconds and only need to run once per project. Future operators can be added from the dashboard itself once the first one is in.
1. Register a passkey
Open the hosted-UI for your project, click Create your passkey, enter the email you want associated with this operator, and complete the WebAuthn ceremony.
https://authiohosted-ui-production.up.railway.app/?display_name=Authio

On success the hosted-UI shows “Passkey created. You’re signed in.” Note the email you used — you’ll need it in step 3.
2. Find your project_id
Use any existing sk_live_ key for the project to fetch it from the management-API:
```bash
curl https://authiomanagement-api-production.up.railway.app/v1/projects/me \
  -H "Authorization: Bearer sk_live_..."
```

3. POST the bootstrap endpoint
Call the env-gated bootstrap route with the same AUTHIO_BOOTSTRAP_TOKEN you used to mint the project itself. This adds your user to dashboard_operators.
```bash
curl -X POST https://authiomanagement-api-production.up.railway.app/v1/dashboard/operators/bootstrap \
  -H "Content-Type: application/json" \
  -H "x-authio-bootstrap-token: $AUTHIO_BOOTSTRAP_TOKEN" \
  -d '{
    "email": "ops@example.com",
    "project_id": "proj_..."
  }'
```

4. Sign in to the dashboard
Visit https://authiodashboard-production.up.railway.app. The dashboard middleware will see no session cookie and redirect you through the hosted-UI sign-in flow. Authenticate with the passkey you just registered. You’ll land back on the dashboard home.
5. Add the next operators from the UI
From here on, you (or any operator) can grant access to additional users via POST /v1/dashboard/operators on the management-API, or by calling authio.addDashboardOperator(userId, role) from the dashboard codebase. The bootstrap endpoint stays available but is not the recommended path once you have at least one operator.
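Steps 2 and 3 are the only ones that can be scripted, and on a fresh deployment it is easy to run them with a wrong or missing secret and get an unhelpful 401 back. The Node script below is an added example (not Authio's own tooling) that resolves the project_id and seeds the operator in one run, failing fast on bad inputs. It assumes the two endpoints exactly as shown above and that `/v1/projects/me` returns a JSON object with a `project_id` field; the env var names `AUTHIO_API_KEY` and `OPERATOR_EMAIL` and the function names are assumptions.

```javascript
// Added example (not Authio's own code): automate steps 2 and 3 of the
// playbook. Assumes /v1/projects/me returns JSON with a "project_id" field
// (an assumption; adjust if the API names it differently).
const MANAGEMENT_API = "https://authiomanagement-api-production.up.railway.app";

// Sanity-check the secrets up front so a mis-set env var fails with a clear
// message instead of a confusing 401 from the API.
function validateInputs({ apiKey, bootstrapToken, email }) {
  const errors = [];
  if (!apiKey || !apiKey.startsWith("sk_live_")) errors.push("AUTHIO_API_KEY must be an sk_live_ key");
  if (!bootstrapToken) errors.push("AUTHIO_BOOTSTRAP_TOKEN is not set");
  if (!email || !email.includes("@")) errors.push("OPERATOR_EMAIL must be an email address");
  return errors;
}

// Step 2: resolve the project_id from the sk_live_ key.
// fetchImpl is injectable so the logic can be exercised without network access.
async function fetchProjectId(apiKey, fetchImpl = fetch) {
  const res = await fetchImpl(`${MANAGEMENT_API}/v1/projects/me`, {
    headers: { Authorization: `Bearer ${apiKey}` },
  });
  if (!res.ok) throw new Error(`projects/me failed: HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.project_id !== "string") throw new Error("response has no project_id");
  return body.project_id;
}

// Step 3: seed the first operator through the env-gated bootstrap route.
async function bootstrapOperator({ email, projectId, bootstrapToken }, fetchImpl = fetch) {
  const res = await fetchImpl(`${MANAGEMENT_API}/v1/dashboard/operators/bootstrap`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "x-authio-bootstrap-token": bootstrapToken,
    },
    body: JSON.stringify({ email, project_id: projectId }),
  });
  if (!res.ok) throw new Error(`bootstrap failed: HTTP ${res.status}`);
  return res.status;
}

// Runs both steps; env and fetchImpl are parameters so tests can supply fakes.
async function seedFirstOperator(env = process.env, fetchImpl = fetch) {
  const inputs = {
    apiKey: env.AUTHIO_API_KEY,
    bootstrapToken: env.AUTHIO_BOOTSTRAP_TOKEN,
    email: env.OPERATOR_EMAIL,
  };
  const errors = validateInputs(inputs);
  if (errors.length) throw new Error(errors.join("; "));
  const projectId = await fetchProjectId(inputs.apiKey, fetchImpl);
  const status = await bootstrapOperator(
    { email: inputs.email, projectId, bootstrapToken: inputs.bootstrapToken },
    fetchImpl
  );
  return { projectId, status };
}

if (typeof require !== "undefined" && require.main === module) {
  seedFirstOperator()
    .then((r) => console.log(`operator seeded for ${r.projectId} (HTTP ${r.status})`))
    .catch((e) => { console.error(e.message); process.exit(1); });
}
```

Run it as `AUTHIO_API_KEY=sk_live_... AUTHIO_BOOTSTRAP_TOKEN=... OPERATOR_EMAIL=ops@example.com node seed-operator.js`. Keeping the bootstrap token in the environment rather than on the command line keeps it out of shell history, which matters for a secret that grants operator access to every project minted with it.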
Architecture notes
- The dashboard runs on its own subdomain (`authiodashboard-production.up.railway.app`). Auth-core runs on a different subdomain (`authioauth-core-production.up.railway.app`) so its `authio_session` cookie is not directly readable. Instead, the dashboard is its own backend-for-frontend: after the hosted-UI signs you in, auth-core redirects back to `/api/auth/callback?access_token=…` and the dashboard mints its own scoped cookie (`authio_dashboard_session`).
- The set of redirect destinations auth-core will append a token to is gated by `AUTHIO_DASHBOARD_REDIRECT_HOSTS`. An attacker cannot point `?redirect_uri=` at a host they control and harvest sessions.
- Tokens never appear in the URL bar after the callback hop — the dashboard immediately 302s away to a clean URL with the JWT only in the HttpOnly cookie.
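The two guards in the notes above are easy to get subtly wrong: a redirect allowlist that does substring or prefix matching on the raw string still lets `allowed.example.evil.example` or `https://allowed.example@evil.example/` through, and a callback that renders a page before redirecting leaves the token in history. The following is an added example, not the dashboard's or auth-core's own code, of both checks written as pure functions so they can be unit-tested. The env var name `AUTHIO_DASHBOARD_REDIRECT_HOSTS`, the callback path and the cookie name come from the page; the function names, the comma-separated env format and the cookie attributes are assumptions.

```javascript
// Added example (not Authio's own code): the redirect allowlist and the
// BFF callback described in the architecture notes.

// Guard 1 (auth-core side): append a token only when the redirect_uri's
// host is exactly on the allowlist. Parsing with URL instead of string
// matching rejects "https://allowed@evil/" userinfo tricks, and exact
// hostname comparison rejects "allowed.example.evil.example".
// allowedHostsEnv is assumed to be a comma-separated list.
function isAllowedRedirect(redirectUri, allowedHostsEnv) {
  const allowed = new Set(
    allowedHostsEnv.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  let url;
  try {
    url = new URL(redirectUri);
  } catch {
    return false; // unparsable input is never a valid destination
  }
  if (url.protocol !== "https:") return false;
  if (url.username || url.password) return false;
  return allowed.has(url.hostname.toLowerCase());
}

// Guard 2 (dashboard side): the /api/auth/callback handler. Consumes
// ?access_token=…, mints the dashboard's own scoped HttpOnly cookie and
// 302s straight to a clean path so the JWT never stays in the URL bar.
// Returns a plain { status, headers } object rather than touching a framework.
function handleCallback(requestUrl, { cookieName = "authio_dashboard_session", landing = "/" } = {}) {
  const url = new URL(requestUrl);
  const token = url.searchParams.get("access_token");
  if (!token) return { status: 400, headers: {} };
  const cookie = [
    `${cookieName}=${encodeURIComponent(token)}`,
    "Path=/",
    "HttpOnly",   // not readable by page scripts
    "Secure",     // only sent over TLS
    "SameSite=Lax",
  ].join("; ");
  return {
    status: 302,
    headers: {
      Location: new URL(landing, url.origin).toString(), // clean URL, no token
      "Set-Cookie": cookie,
    },
  };
}
```

The allowlist check compares the parsed hostname, never the string the caller supplied, which is what actually prevents the session-harvesting case the notes describe; the callback handler returns 400 without setting anything when the token is absent, so a stray hit on the path cannot mint an empty session.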