Skip to main content

Users

Human identities within the SOAT instance, authenticated via username and password.

Overview

Users are global to the SOAT instance — not scoped to any project. The first user is created via the bootstrap endpoint. After that, only authenticated admin users may create additional users. See it end to end in Permissions in Practice — Step 2 (Create regular users).

Users can have Policies attached to them, which control what resources and operations they are permitted to access. See IAM for the full authorization model.

See the Permissions Reference for the IAM action strings for this module.

Data Model

FieldTypeDescription
idstringPublic identifier prefixed with user_
usernamestringUnique login name
rolestring"admin" or "user" — see Roles
created_atstringISO 8601 creation timestamp
updated_atstringISO 8601 last-updated timestamp

Sensitive fields (passwordHash, internal numeric ID) are never exposed in responses.

Key Concepts

Roles

RoleDescription
adminFull access to all resources and operations. Bypasses policy evaluation.
userAccess determined by the policies attached to the account.

Bootstrap

The POST /api/v1/users/bootstrap endpoint creates the first admin user. It is only available when the user table is empty and returns 409 Conflict if any user already exists. This endpoint does not require authentication.

You can also bootstrap an admin automatically on server startup by setting two environment variables:

SOAT_ADMIN_USERNAME=admin
SOAT_ADMIN_PASSWORD=supersecret

When both variables are present and no users exist, the server creates the admin user before accepting requests. If users already exist, the variables are ignored.

Authentication

Users authenticate via POST /api/v1/users/login with username and password. On success, the server returns a signed JWT containing the user's public ID and role. The token is passed as Authorization: Bearer <token> on subsequent requests. See IAM — Authentication, or Chat with an LLM — Step 1 (Log in as admin) for a worked login example.

Policy Attachment

Policies are attached to a user through the user-policies endpoint, which replaces the user's full policy list. User management operations (create, delete) require the admin role and are not governed by the policy engine.

Examples

Bootstrap first user

soat bootstrap-user --username admin --password supersecret

Login

soat login-user --username admin --password supersecret

Create an additional user

soat create-user --username alice --password alicepass