
Bootstrap First Admin

Express + Prisma + PostgreSQL

When the system is installed for the first time, there are no user accounts.

To initialize the system, a special endpoint allows creation of the first administrator.

This endpoint is disabled in production by default.

1. When Bootstrap Is Enabled

The endpoint works only when:

    NODE_ENV != production

OR

    ALLOW_BOOTSTRAP=true

The check treats an unset NODE_ENV as "not production", so the endpoint stays open on any host where NODE_ENV=production has not been set explicitly, whatever ALLOW_BOOTSTRAP says.

Environment example:

    NODE_ENV=development
    ALLOW_BOOTSTRAP=true

2. Endpoint

POST /api/auth/bootstrap

Purpose:

Create the first admin account.

Once at least one account exists, the endpoint refuses to create another and returns:

    409 Conflict
    Admin already exists

3. Request Body

Example request:

    {
      "email": "admin@example.com",
      "password": "StrongPassword123!",
      "name": "System Administrator"
    }

4. Example Curl Request

    curl -X POST http://localhost:3001/api/auth/bootstrap \
      -H "Content-Type: application/json" \
      -d '{ "email": "admin@example.com", "password": "StrongPassword123!", "name": "System Administrator" }'

5. Example Response

    { "message": "Admin user created successfully" }

The user is created with role:

ADMIN

6. Prisma Model Example

Typical User model:

    model User {
      id        String   @id @default(uuid())
      email     String   @unique
      password  String
      name      String?
      role      Role     @default(USER)
      createdAt DateTime @default(now())
    }

    enum Role {
      ADMIN
      USER
    }

7. Password Security

Passwords must be hashed before saving.

Recommended library:

bcrypt

Example:

    const bcrypt = require("bcrypt");
    // 10 is the cost factor (2^10 rounds); raise it as your hardware allows
    const hash = await bcrypt.hash(password, 10);

Never store plain text passwords.

8. After Bootstrap

Once the first admin exists:

    1. Login normally:
       POST /api/auth/login
    2. Receive an accessToken and a refresh_token cookie.
    3. Use the admin account to create additional users.

9. Production Safety

For production deployments, bootstrap must be disabled by default:

    NODE_ENV=production
    ALLOW_BOOTSTRAP=false

Both settings matter: because the rule in section 1 opens the endpoint whenever NODE_ENV is not production, ALLOW_BOOTSTRAP=false on its own does nothing if NODE_ENV is missing or misspelled.

Alternatively, remove the route entirely after initial setup.

Immediately after creating the admin:

  • Login with the admin account
  • Verify authentication works
  • Create additional users if needed
  • Disable bootstrap endpoint
  • Ensure .env secrets are secure

Last updated on March 07, 2026