Skip to content

User Management

Hub provides centralised user management for the ai.doo suite. PIKA and VERA delegate authentication to Hub, so you manage all accounts in one place.

Roles

Role Permissions
admin Full access — create/delete users, manage models, activate licenses, view audit log
user Access PIKA and VERA with their own credentials; no Hub admin panel access

Creating Users

  1. Log in to Hub as an admin.
  2. Navigate to the Users tab.
  3. Click Create User.
  4. Fill in username, password, and role.
  5. Click Save.

The new user can immediately log in to PIKA and VERA.

Tip

You can also create users via the API:

curl -X POST http://localhost:2000/api/users \
  -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "username": "alice",
    "password": "S3cureP@ss1",
    "role": "user"
  }'

Password Requirements

All passwords must meet these criteria:

Rule Requirement
Minimum length 8 characters
Uppercase letter At least one (A-Z)
Lowercase letter At least one (a-z)
Digit At least one (0-9)

Passwords are hashed with bcrypt before storage. Hub never stores or logs plaintext passwords.

Account Lockout

Hub enforces rate limiting on failed login attempts to prevent brute-force attacks.

Parameter Value
Failure threshold 5 consecutive failed attempts
Lockout duration 15 minutes

Note

The lockout counter resets after a successful login. An admin can manually unlock an account via the API: POST /api/users/{id}/unlock.

Changing a User's Role

Admins can change any user's role between user and admin directly from the Users tab — no page reload required.

  1. Log in to Hub as an admin.
  2. Navigate to the Users tab.
  3. In the Role column, select the new role from the dropdown.

The change takes effect immediately. An audit log entry is created.

Demoting the last admin

Hub prevents you from removing admin status from the only remaining admin account.

Changing Your Password

Any authenticated user can change their own password without admin involvement.

  1. Log in to Hub.
  2. Click the lock icon (🔒) in the top-right header.
  3. Enter your current password and choose a new one (minimum 8 characters, mixed case + digit).
  4. Click Change password.

Admin password reset

Admins can reset any user's password via PUT /api/users/{id}/password. This does not require knowledge of the current password.

curl -X PUT http://localhost:2000/api/users/{id}/password \
  -H "Content-Type: application/json" \
  -d '{"password": "NewSecure1!"}' \
  -b "hub_session=YOUR_SESSION_COOKIE"

Enabling / Disabling Users

To temporarily revoke access without deleting the account:

  1. Go to the Users tab.
  2. Click on the user.
  3. Toggle the Enabled switch to off.
  4. Click Save.

A disabled user cannot log in to Hub, PIKA, or VERA. Their data (documents, OCR jobs) is preserved.

Deleting Users

  1. Go to the Users tab.
  2. Click on the user.
  3. Click Delete User and confirm.

Danger

Deleting a user is permanent. Their account is removed from Hub and they lose access to all services. Application data associated with the user (PIKA collections, VERA jobs) is not automatically deleted.

Auth Delegation — PIKA and VERA

PIKA and VERA do not maintain their own user databases. Instead, they validate credentials against Hub on every login:

User → PIKA/VERA login form
       → POST /api/auth/validate (Hub)
       ← 200 OK + user claims
       → Session created in PIKA/VERA

Both apps require two environment variables to connect to Hub:

# pika/.env or vera/.env
HUB_BASE_URL=http://hub:8000
HUB_AUTH_API_KEY=<shared-api-key>

Info

The HUB_AUTH_API_KEY is a service-to-service key that authorises PIKA and VERA to call Hub's auth API. It is not a user credential. Set the same key in Hub's .env and in each app's .env.