Quickback Docs

Admin Panel

User management and system administration in Account UI.

The admin panel provides a user management dashboard for administrators. It's part of the Account UI SPA — when enabled, the /admin route is included in the build.

Enabling Admin

Set auth.admin to true in your account config:

quickback/quickback.config.ts
account: {
  auth: {
    admin: true,
  },
},

This does two things:

  1. Includes admin route files in the Account SPA build (compile-time gating)
  2. Ensures the Better Auth admin plugin is enabled on the backend

When auth.admin is false (the default), admin routes are excluded from the SPA bundle entirely — they don't exist in production.

What It Can Do

  • View all users — Paginated list with search
  • Create users — Manually create accounts with email/password
  • Ban/unban users — Suspend or reactivate user accounts
  • Reset passwords — Generate password reset for any user
  • View sessions — See active sessions for any user

Access Control

The admin panel is restricted to users with role: "admin" on their Better Auth user record. Non-admin users are redirected away from /admin.

To grant admin access to a user, use the Better Auth admin API:

curl -X POST https://api.example.com/admin/v1/set-role \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "userId": "user_123", "role": "admin" }'

Custom Admin Domain

Give the admin panel its own subdomain with adminDomain:

quickback/quickback.config.ts
account: {
  domain: "auth.example.com",
  adminDomain: "admin.example.com",
  auth: { password: true, admin: true },
},
trustedOrigins: [
  "https://auth.example.com",
  "https://admin.example.com",
],

The admin domain serves the same Account SPA at root (/). The SPA's client-side router handles showing the admin page at admin.example.com/admin. Authentication cookies are shared across subdomains automatically via cross-subdomain cookie configuration.

CMS Access Control

When both CMS and Account UI are enabled, the admin panel's profile page shows a "Go to CMS" button. You can restrict this to admin users only:

cms: { domain: "cms.example.com", access: "admin" },

With access: "admin", non-admin users can't access the CMS at any layer: the link is hidden in Account UI, the SPA shell returns 403 before serving index.html, /api/v1/schema returns 403, and the custom_view CRUD is locked to admins. See CMS Connecting for the full enforcement model.

Passkeys

WebAuthn passkey enrollment and management in Account UI

Auth Hooks

Run project code on user signup, login, and session events via the quickback/hooks/ folder

On this page

Enabling AdminWhat It Can DoAccess ControlCustom Admin DomainCMS Access ControlRelated