First admin (bootstrap)
The first admin account is created automatically on first run from two environment variables:
```bash
LANGSIGHT_ADMIN_EMAIL=[email protected]
# min 12 characters required
LANGSIGHT_ADMIN_PASSWORD=your-secure-password
```
These are read once. After the admin account exists, you can change the password in Settings → Profile and the env vars are no longer used.
LANGSIGHT_ADMIN_PASSWORD must be at least 12 characters. The API rejects bootstrap attempts with shorter passwords. If you used ./scripts/quickstart.sh, the password was randomly generated and is recorded in your .env file.
If these env vars are not set before the first run, no admin account is created. Set them, then restart the container to trigger bootstrap.
Inviting teammates
- Go to Settings → Users
- Click Invite User
- Enter the teammate’s email address and select a role
- Copy the invite link and send it to them
- They open the link, set a password (min 12 characters), and are added to the team
Invite links expire after 48 hours.
Roles
| Role | What they can do |
|---|---|
| admin | Full access to all projects, users, settings, and API keys |
| viewer | Read-only across all projects they are a member of |
Admins can see and manage all projects. Viewers can only see projects they have been added to.
Changing roles
Settings → Users → find the user → Edit → change role → Save.
Via API (admin only):
```http
PATCH /api/users/{user_id}/role
Content-Type: application/json
X-API-Key: ls_admin_key

{"role": "viewer"}
```
Deactivating users
Settings → Users → find the user → Deactivate. Deactivated users cannot log in and their API keys stop working immediately. Their data is not deleted.
Via API:
```http
DELETE /api/users/{user_id}
X-API-Key: ls_admin_key
```
API keys
Each user can create API keys in Settings → API Keys. Keys inherit the user’s role. API keys are passed in the X-API-Key header on all API requests.
Service accounts (CI, agents) should have their own API key created by an admin under a dedicated service account user.
Changing your password
Users change their own password at Settings → Profile → Change Password.
Via API (authenticated user, any role):
```http
POST /api/users/me/change-password
Content-Type: application/json
X-API-Key: ls_your_key

{
  "current_password": "your-current-password",
  "new_password": "your-new-password-min-12-chars"
}
```
Behaviour on success (HTTP 204):
- The password is updated immediately.
- All of the user’s API keys are revoked. Any SDK clients or CI pipelines using the old API key must generate a new key from Settings → API Keys and update their configuration.
Validation rules:
| Rule | Detail |
|---|---|
| current_password | Must match the stored password — prevents CSRF and session-hijack escalation |
| new_password min length | 12 characters |
| new_password max length | 128 characters |
| Common passwords rejected | admin, password, langsight, changeme, secret, 123456 |
Error responses:
| Status | Meaning |
|---|---|
| 401 | Authentication required, or current_password is incorrect |
| 422 | new_password fails validation (too short, too weak) |
| 503 | Storage backend does not support password updates |
Rate limit: 5 requests per minute (per real client IP, proxy-aware).
After a successful password change, all API keys belonging to the user are revoked immediately. SDK clients and CI pipelines will start receiving 401 errors until new keys are issued. This is intentional — it prevents a compromised API key from surviving a password rotation.
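An added example (not LangSight's own client code) of scripting the password change described above: it applies the documented length and common-password rules locally so a request that would fail validation does not use up the rate limit, then maps each documented status to an outcome and flags key revocation. The `base_url` parameter, the `send` hook, the returned dict shape, and the case-insensitive common-password match are assumptions.

```python
import json
import urllib.error
import urllib.request

# Rules copied from the validation table above.
MIN_LEN, MAX_LEN = 12, 128
COMMON = {"admin", "password", "langsight", "changeme", "secret", "123456"}
# Status meanings from the error table; any other status is reported as-is.
OUTCOMES = {
    204: ("changed", "all API keys revoked; create new ones in Settings -> API Keys"),
    401: ("rejected", "authentication required, or current_password is incorrect"),
    422: ("rejected", "new_password failed server-side validation"),
    503: ("unavailable", "storage backend does not support password updates"),
}

def precheck(new_password):
    """Return the documented rules that new_password violates (empty list if none)."""
    problems = []
    if len(new_password) < MIN_LEN:
        problems.append("shorter than 12 characters")
    if len(new_password) > MAX_LEN:
        problems.append("longer than 128 characters")
    if new_password.lower() in COMMON:  # case-insensitive match is an assumption
        problems.append("on the common-password list")
    return problems

def http_send(url, headers, body):
    """Default transport: POST the body and return the HTTP status code."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def change_password(base_url, api_key, current, new, send=http_send):
    """Change the caller's password; report the outcome and whether keys were revoked."""
    problems = precheck(new)
    if problems:  # do not spend one of the 5 requests per minute on a sure failure
        return {"state": "not_sent", "detail": "; ".join(problems), "keys_revoked": False}
    status = send(
        base_url.rstrip("/") + "/api/users/me/change-password",
        {"Content-Type": "application/json", "X-API-Key": api_key},
        json.dumps({"current_password": current, "new_password": new}).encode(),
    )
    state, detail = OUTCOMES.get(status, ("unexpected", f"HTTP {status}"))
    # On 204 the key that authenticated this call is revoked too: do not retry with it.
    return {"state": state, "detail": detail, "keys_revoked": status == 204}
```

When `keys_revoked` is true, every SDK client or CI pipeline that used one of this user's keys needs a new key before its next request.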