Admin Dashboard
EdgeBase ships with a built-in Admin Dashboard at /admin for local and production environments.
Access
- Local:
http://localhost:8787/admin - Self-hosted:
https://your-domain.com/admin - Edge deployment:
https://your-project.edgebase.fun/admin
First Login
- Start EdgeBase (
npm create edgebase@latest my-appornpx edgebase dev). Usenpx edgebase dev --openif you want the browser to open automatically. - Create the first admin account.
- Sign in and verify tables/users/storage views.
In local development started with npx edgebase dev, the login screen can still create the first admin directly in the browser. Other deployments, including non-release staging or self-hosted environments, bootstrap the first admin through the CLI so /admin never exposes a public setup form:
npx edgebase admin bootstrap --url https://your-project.edgebase.fun --service-key <service-key>
Admin password recovery is handled through the CLI, not by email.
- First admin bootstrap:
npx edgebase admin bootstrap --url https://your-project.edgebase.fun --service-key <service-key> - Local dev:
npx edgebase admin reset-password --local - Remote/self-hosted:
npx edgebase admin reset-password --url https://your-project.edgebase.fun --service-key <service-key>
Use --local when you need to update the admin account stored in your local D1 dev database. Use the remote form when you need to recover a deployed dashboard.
Features
For the current page-by-page route map, see Navigation Map.
Database Management
- Create Database Blocks: In dev mode, the dashboard can add new single-instance or per-tenant DB blocks directly to
edgebase.config.ts, including PostgreSQL blocks with optional Neon helper flows. See Schema Editor. - Records + Query: Table detail pages keep records and query workspaces together for the current database target. Per-tenant databases require an instance ID before browsing records or running queries, and can auto-suggest targets from
edgebase.config.tsviadatabases[namespace].admin.instances. - Create Row Drawer:
+ Add Rowopens a right-side create-record drawer instead of an inline placeholder row, which keeps wider schemas easier to work with. - D1 to Postgres Upgrade: In dev mode, single-instance D1 blocks can be upgraded from the table view to
provider: 'postgres', then connected to an existing Neon project or a newly created one. See Schema Editor. - Schema ERD: SVG-based entity-relationship diagram showing tables, fields, and foreign key relationships. Color-coded by namespace (shared, workspace, user). Pan and zoom support.
- Rules Test: Simulate access rule evaluation by selecting a user (or providing custom auth context) and testing read/insert/update/delete/access operations per table.
- CSV Import/Export: Export records to CSV or import from CSV with column mapping UI, type inference, and preview.
Auth & Users
- Users: Browse, search, filter, and manage user accounts. Change roles, disable accounts, invalidate sessions.
- Auth Settings: In local dev, auth settings write back to
edgebase.config.ts; outside dev they remain runtime read-only.
Storage
- Files: Browse R2 buckets, list files, view metadata, and delete objects.
- Create Buckets: In dev mode, the storage view can add logical buckets to
edgebase.config.tswithout leaving the dashboard.
Functions
- Functions UI: List all registered functions from config. Execute functions with custom HTTP method, JSON body, headers. View response status, body, and timing.
Analytics & Monitoring
- Analytics Overview: API traffic metrics with range controls, optional
Exclude admin traffic, category distribution, and top endpoints. - Overview Traffic Summary: The dashboard home auto-selects
1H,6H, or24Hbased on available history so the overview stays compact without a manual range picker. - Event Timeline: Chronological timeline of auth events (signup, signin, signout, password reset) and custom events with type/time/user filtering.
- Category Analytics: Dedicated dashboards for Auth, Database, Storage, and Functions metrics.
- Logs: Request logs with prefix, level, and path filtering. Live mode with 2-second auto-refresh. Expandable JSON detail view.
- Live Monitoring: Active database-live and room WebSocket connections plus channel subscriber counts.
System
- API Docs: Embedded docs surface at
/admin/docsfor fast lookup while you work in the dashboard. - Backup: Create and restore project backups from the dashboard.
- Settings: Environment overview showing dev/production mode, release status, database configurations, auth settings, storage buckets, and native resource bindings (KV, D1, Vectorize).
Dashboard Sessions
Starting with EdgeBase 0.3.6, the browser dashboard never persists admin
access or refresh tokens in localStorage or sessionStorage. The short-lived
15-minute admin access token exists only in page memory. The rotating refresh token is a
host-only HttpOnly cookie. HTTPS uses
__Host-edgebase-admin-refresh; Secure; Path=/; plain-HTTP local development
uses the unprefixed name with Path=/admin/api/auth. Same-origin deployments
use SameSite=Strict, and release mode rejects plain-HTTP cookie auth except on
an explicit CLI-owned local-development loopback request. Cloudflare and
self-hosted release runtimes never receive that exception.
Secure deployments expire but never read or migrate the predecessor
__Secure- and unprefixed path-scoped cookies. Users with one of those older
cookies must sign in again; this avoids silently promoting a less strictly
scoped credential.
The dashboard explicitly negotiates this transport with
X-EdgeBase-Auth-Transport: cookie and credentialed requests. The server does
not treat the ambient cookie alone as authorization. Login, refresh, setup, and
logout also require a verifiable browser Origin, and logout revokes the
backing _admin_sessions row before expiring the cookie.
New access and refresh JWTs carry the same server-side session ID and distinct nonces. Protected admin routes verify that session row on every admin access, so logout and password reset invalidate the in-memory access token immediately instead of waiting for its expiry. Pre-0.3.6 access JWTs without a session ID remain accepted only for their original lifetime during a rolling upgrade.
If a pre-0.3.6 dashboard session is found during upgrade, the old browser
storage entry is removed immediately and its refresh token may be exchanged
once for the HttpOnly cookie. New _admin_sessions rows store only a prefixed
SHA-256 token digest. A valid legacy plaintext row is rewritten to the digest
during its next refresh, so existing sessions migrate without a forced global
sign-out.
Refresh and logout operations are serialized across tabs with the browser Web Locks API, with a token-free localStorage lease as the compatibility fallback. Each cookie-mutating session request has a bounded timeout and is aborted on a same-tab logout, so an unresponsive login, setup, or refresh cannot retain the lock indefinitely. Refresh rotation itself is an atomic compare-and-swap on the current session credential; concurrent refresh and logout requests cannot resurrect a revoked admin session. The dashboard also shares only a non-secret admin-ID marker across tabs. If one tab changes the shared cookie to a different admin, other tabs immediately discard their old in-memory access state and verify the new principal with the server; bearer tokens are never copied through browser storage. If logout cannot reach the server, the dashboard persists only a non-secret pending-logout marker. Reload then stays signed out and retries revocation before any cookie restore or new login, so an offline logout cannot silently reopen the old admin session.
Non-browser and generated SDK clients keep the legacy body transport for compatibility: login and refresh continue to return a refresh token unless the cookie transport header was explicitly supplied.
Separately hosted dashboards
Prefer serving /admin and the Worker from the same origin. If the dashboard
must use a different site, all of the following are required:
- HTTPS for both dashboard and API (or an explicitly trusted TLS proxy)
- the dashboard's exact origin in
cors.origin cors.credentials: true- browser requests with credentials and the custom transport header
Cross-site admin cookies use SameSite=None; Secure. Wildcard CORS origins,
missing origins, disabled CORS credentials, and cross-site plain HTTP are
rejected. Browser third-party-cookie policies can still block this topology,
so a same-origin dashboard remains the reliable deployment model.
Development mode does not trust every localhost port. If the standalone Vite
dashboard is run on a different port from the Worker, add that exact
http://localhost:<port> origin to cors.origin; an arbitrary loopback page
cannot use the ambient admin cookie.
Security Notes
- Do not expose
SERVICE_KEYin browser code. - Restrict admin access behind HTTPS and IP/network controls when self-hosting.
- Rotate
JWT_ADMIN_SECRETandSERVICE_KEYperiodically. - Confirm browser storage contains no
edgebase_admin_authtoken payload after upgrading. - For reverse proxies, keep WebSocket upgrade headers enabled.
Operational Checklist
- Admin account creation tested
-
/admin/api/*endpoints accessible with admin auth - Browser access forced to HTTPS in production
- Backup schedule in place for self-hosted data