
First admin (bootstrap)

The first admin account is created automatically on first run from two environment variables:
LANGSIGHT_ADMIN_EMAIL=[email protected]
LANGSIGHT_ADMIN_PASSWORD=your-secure-password   # min 12 characters required
These are read once. After the admin account exists, you can change the password in Settings → Profile and the env vars are no longer used.
LANGSIGHT_ADMIN_PASSWORD must be at least 12 characters. The API rejects bootstrap attempts with shorter passwords. If you used ./scripts/quickstart.sh, the password was randomly generated and is recorded in your .env file.
If these env vars are not set before the first run, no admin account is created. Set them, then restart the container to trigger bootstrap.

Inviting teammates

  1. Go to Settings → Users
  2. Click Invite User
  3. Enter the teammate’s email address and select a role
  4. Copy the invite link and send it to them
  5. They open the link, set a password (min 12 characters), and are added to the team
Invite links expire after 48 hours.

Roles

Role     What they can do
admin    Full access to all projects, users, settings, and API keys
viewer   Read-only across all projects they are a member of
Admins can see and manage all projects. Viewers can only see projects they have been added to.

Changing roles

Settings → Users → find the user → Edit → change role → Save. Via API (admin only):
PATCH /api/users/{user_id}/role
Content-Type: application/json
X-API-Key: ls_admin_key

{"role": "viewer"}

Deactivating users

Settings → Users → find the user → Deactivate. Deactivated users cannot log in and their API keys stop working immediately. Their data is not deleted. Via API:
DELETE /api/users/{user_id}
X-API-Key: ls_admin_key

API keys

Each user can create API keys in Settings → API Keys. Keys inherit the user’s role. API keys are passed as X-API-Key on all API requests. Service accounts (CI, agents) should have their own API key created by an admin under a dedicated service account user.

Changing your password

Users change their own password at Settings → Profile → Change Password. Via API (authenticated user, any role):
POST /api/users/me/change-password
Content-Type: application/json
X-API-Key: ls_your_key

{
  "current_password": "your-current-password",
  "new_password": "your-new-password-min-12-chars"
}
Behaviour on success (HTTP 204):
  • The password is updated immediately.
  • All of the user’s API keys are revoked. Any SDK clients or CI pipelines using the old API key must generate a new key from Settings → API Keys and update their configuration.
Validation rules:
Rule                        Detail
current_password            Must match the stored password — prevents CSRF and session-hijack escalation
new_password min length     12 characters
new_password max length     128 characters
Common passwords rejected   admin, password, langsight, changeme, secret, 123456
Error responses:
Status   Meaning
401      Authentication required, or current_password is incorrect
422      new_password fails validation (too short, too weak)
503      Storage backend does not support password updates
Rate limit: 5 requests per minute (per real client IP, proxy-aware).
After a successful password change, all API keys belonging to the user are revoked immediately. SDK clients and CI pipelines will start receiving 401 errors until new keys are issued. This is intentional — it prevents a compromised API key from surviving a password rotation.
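
An added example, not LangSight's own code: a Python client for the change-password endpoint above that pre-checks the documented validation rules, so requests that cannot succeed do not consume the 5-per-minute rate limit, and reports when the calling API key has just been revoked. The function names and the base URL supplied by the caller are assumptions.

```python
import json
import urllib.error
import urllib.request

# Rules from the validation table above.
COMMON = {"admin", "password", "langsight", "changeme", "secret", "123456"}
MEANING = {
    204: "changed; every API key of this user is now revoked",
    401: "authentication required, or current_password is incorrect",
    422: "new_password failed server-side validation",
    503: "storage backend does not support password updates",
}

def precheck(new_password):
    """Return the documented rule the candidate breaks, or None."""
    if new_password.lower() in COMMON:  # case-insensitive match is an assumption
        return "on the rejected common-password list"
    if len(new_password) < 12:
        return "shorter than 12 characters"
    if len(new_password) > 128:
        return "longer than 128 characters"
    return None

def http_post(url, headers, body):
    """Default transport: send the POST and return the HTTP status code."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def change_password(base_url, api_key, current, new, post=http_post):
    """Pre-validate locally, then call the endpoint and interpret the status."""
    problem = precheck(new)
    if problem:  # doomed requests would only burn the 5-per-minute budget
        return {"sent": False, "status": None, "keys_revoked": False,
                "message": "not sent: new_password is " + problem}
    url = base_url.rstrip("/") + "/api/users/me/change-password"
    headers = {"Content-Type": "application/json", "X-API-Key": api_key}
    body = json.dumps({"current_password": current, "new_password": new})
    status = post(url, headers, body.encode("utf-8"))
    # Only 204 revokes keys: api_key is dead from here and must be reissued.
    return {"sent": True, "status": status, "keys_revoked": status == 204,
            "message": MEANING.get(status, "unexpected status %d" % status)}
```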