Skip to main content

Documentation Index

Fetch the complete documentation index at: https://archie.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

The Users tab in the Archie Auth panel is where you manage registered users in the current environment. Block accounts under investigation, force a logout after a security incident, resend verification when an email got lost, or just see who’s signed up. Every action available in the UI has a matching GraphQL admin mutation for programmatic use.

The users table

ColumnWhat it shows
EmailThe user’s registered address.
NameFirst + last name.
StatusOne of Active, Unverified, Locked, or Disabled (see below).
Last LoginTimestamp of the most recent successful login.
ActionsPer-row admin controls.
Filter by email with the search box. Results paginate at 20 per page.

User statuses

StatusWhat it means
ActiveVerified, not blocked. Can log in.
UnverifiedSigned up but hasn’t confirmed email. Login blocked until verified.
LockedHit the failed-login threshold. Auto-unlocks after the configured lock duration.
DisabledManually blocked by an admin. Stays disabled until unblocked.

Admin actions

Block / unblock

ActionEffect
BlockSets disabled = true on the credential record. Active sessions aren’t terminated; new logins are refused.
UnblockClears disabled, restoring login access.
Use Block for investigations and account suspensions. To kick a blocked user out of an active session immediately, Force Logout them after blocking.

Resend verification

If a user didn’t receive (or lost) the verification code, resend it. A new 6-digit code is generated with a fresh 1-hour expiry. The previous code is invalidated.

Force logout

Invalidates the user’s refresh token. Their access token stays valid until natural expiry (15 minutes by default), but they can’t refresh — so they’ll be forced back to the login screen on the next refresh attempt. For an instant kick-out, combine Force Logout with Block. The token blacklist on every request will reject the access token even before it expires.

Force logout all

Revokes every user’s refresh token in the current environment. Use after a security incident — a leaked signing key, a database breach, anything that requires forcing every user to re-authenticate. The blast radius is intentionally environment-scoped: forcing logout in master doesn’t touch staging.

Per-environment scope

User management is scoped to the current environment. A user registered in staging is a different record from a user with the same email registered in master. Switching the environment selector changes the entire users table. This separation is the point — it means dev and staging traffic doesn’t pollute production user records, and a developer logging in to staging doesn’t burn rate-limit budget in master.

GraphQL admin API

Every dashboard action has a corresponding GraphQL mutation. Useful for scripted user-management — bulk-revoke after an incident, sync user state from another system, or build your own admin UI.
Mutation / QueryPurpose
adminListCredentialsList every registered user with status, email, and last-login.
adminToggleUserStatusBlock or unblock a user.
adminResendVerificationSend a fresh verification code to a user.
adminForceLogoutForce-logout a specific user.
adminForceLogoutAllForce-logout every user in the current environment.
mutation BlockUser {
  adminToggleUserStatus(input: {
    userId: "a1b2c3d4-e5f6-..."
    disabled: true
  }) {
    success
    message
  }
}
Full request/response shapes are in the Archie Auth GraphQL API reference.

Permissions

Admin operations require admin-level authentication — typically a user with the admin role or an API key attached to that role. Define the role in Role-Based Access and grant it the system permissions needed for the admin mutations.

FAQ

Block prevents future logins. Force Logout terminates the current session by invalidating the refresh token. Combine them for an instant kick-out: Block stops new logins; Force Logout cuts the live session.
Block then Unblock the user. That clears the lockout state. Alternatively, run a successful password reset — the recovery flow clears the lockout on success.
No — API keys are managed separately under Backend → Settings → API Keys and aren’t touched by user-session operations. Rotate compromised API keys there.
Use the Data Model’s users table or _auth_credentials to delete the row. Hard deletion removes the credential entirely; disabling preserves history. Most teams disable rather than delete to keep an audit trail.
Use adminListCredentials over the GraphQL API, or query the _auth_credentials table directly via the Data Viewer or SQL Playground.