
Create the first admin

On first boot the brain has no users. It prints a setup URL to stderr:

[z4j-brain] first-boot setup URL: https://z4j.example.com/setup?token=<one-time-token>

The token is a one-shot UUID valid for 30 minutes, stored hashed in Postgres. Visit the URL.

The setup page asks for:

  • Email - becomes the admin username.
  • Password - minimum 8 characters, at least 3 of 4 character classes (lowercase, uppercase, digits, symbols), not in the common-password denylist. See password policy.
  • Organization name - creates the first project.

On submit, the brain:

  1. Creates the user with role owner.
  2. Creates the first project.
  3. Invalidates the setup token (one-shot).
  4. Signs you in and redirects to /agents.
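The token lifecycle described above (one-shot, valid for 30 minutes, stored hashed, invalidated on submit), sketched as an added example that is not z4j's own code. The in-memory store stands in for the Postgres row; SHA-256, the class and function names, and the choice not to consume the token on a wrong guess are assumptions.

```python
import hashlib
import hmac
import uuid
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(minutes=30)  # validity window stated on this page

class SetupTokenStore:
    """In-memory stand-in for the Postgres row holding the setup token (assumption)."""

    def __init__(self):
        self._digest = None      # only the hash is stored, never the token itself
        self._expires_at = None

    def mint(self, now):
        """Create the one-time token; the plaintext exists only in the printed URL."""
        token = str(uuid.uuid4())
        self._digest = hashlib.sha256(token.encode()).hexdigest()  # SHA-256 is an assumption
        self._expires_at = now + TOKEN_TTL
        return token

    def redeem(self, presented, now):
        """Return True once for the right token inside the window, False otherwise."""
        if self._digest is None:
            return False  # never minted, or already used
        if now >= self._expires_at:
            self._digest = None  # expired: drop the hash so nothing can match it
            return False
        candidate = hashlib.sha256(presented.encode()).hexdigest()
        if not hmac.compare_digest(candidate, self._digest):
            return False  # assumption: a wrong guess does not consume the real token
        self._digest = None  # one-shot: invalidate on first successful use
        return True

def demo():
    """Constructed scenario: wrong guess, valid use, replay, late attempt."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock value
    store, late = SetupTokenStore(), SetupTokenStore()
    token, late_token = store.mint(t0), late.mint(t0)
    return [
        store.redeem(str(uuid.uuid4()), t0),                  # wrong token
        store.redeem(token, t0 + timedelta(minutes=5)),       # valid, consumed
        store.redeem(token, t0 + timedelta(minutes=6)),       # replay of a used token
        late.redeem(late_token, t0 + timedelta(minutes=31)),  # past the 30-minute window
    ]

if __name__ == "__main__":
    print(demo())
```

Because the database holds only a digest, a read of that table does not yield a usable setup URL; a fast hash is sufficient here since the token is a random UUID rather than a human-chosen secret.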

For IaC pipelines that cannot read a browser setup URL, set Z4J_BOOTSTRAP_ADMIN_EMAIL and Z4J_BOOTSTRAP_ADMIN_PASSWORD before first boot. The brain provisions the admin automatically and skips the setup URL. See env vars.

  1. Mint an agent token - Agents → Mint token.
  2. Install the agent - pick your framework.
  3. Invite your team - Settings → Memberships → Invite. SMTP must be configured (see SMTP presets).
  4. Configure SSO (optional) - not in v1.0; on the v1.x roadmap.

If you lose the last admin account, there is no in-app recovery (by design - that would be a back-door). You must:

  1. Connect to the Postgres database directly.
  2. Run UPDATE users SET password_hash = '...' WHERE email = '...' with a valid argon2id hash.
  3. Or set Z4J_BOOTSTRAP_ADMIN_* and restart; the brain will provision a fresh admin.

Production deployments should always have at least two admins.