A Rough Idea Access Platform
Operator Home

Auth & Admin Console

What this page is. A diagnostic and admin surface for the access platform itself — the part that handles sign-in and decides who can use which demo.

Who it is for. Internal aroughidea staff with a row in the platform_admins table. We call those people operators on this site.

Where end users go. End users never come here. They go directly to a demo URL such as demo-reference.aroughidea.com/app and are redirected to sign in if they need to.

operator only

Mental model. Access platform decides who can use what. Demos decide what to do. OpenRouter charges for it.

Where you are in the system

Environment

  • NODE_ENV: production
  • OPENROUTER_MANAGEMENT_API_KEY: not set — spend summary will return 503
  • AUTH_HOST: auth.aroughidea.com
  • SMTP: Supabase default (custom SMTP not configured)
  • Admin auth: trusted x-platform-user-id header (scaffold)

Guided steps

Run these in order. Later steps depend on earlier ones; each step shows what it requires before you click.

  1. Confirm the service is up

    not yet probed

    What this checks. A simple /health response that proves the app is running. Prerequisites. None.

  2. Test the sign-in handoff

    manual

    What this checks. The redirect chain from this app to auth.aroughidea.com and back to a demo. Prerequisites. An email address that already has a Supabase user (existing users only — sign-up is intentionally disabled).

    Advanced — choose a custom return URL or domain

    Useful if the default custom domain is not provisioned in this environment, or if you want to land on a different demo after sign-in.

    Examples: https://demo-reference.aroughidea.com/app, https://access-platform-demo-reference.vercel.app/app.

  3. Open the Admin Console

    manual

    What this opens. The page that shows OpenRouter spend, recent usage events, and user/invite management.

    Prerequisites.

    • You must have a row in platform_admins for your Supabase user. Without it, every /admin/* call returns 403.
    • OPENROUTER_MANAGEMENT_API_KEY must be set in this environment to load the spend summary. Currently: not set — the OpenRouter Summary tab will return 503.

    Copyable SQL — add yourself to platform_admins:

    INSERT INTO platform_admins (user_id)
    VALUES ('<your-supabase-user-uuid>')
    ON CONFLICT (user_id) DO NOTHING;

    Find your UUID in Supabase Dashboard → Authentication → Users.

Reference

Glossary — terms used on this page
  • Operator: Internal aroughidea staff with a row in the platform_admins table.
  • Demo: A thin server-side product app (e.g. demo-reference) that delegates auth and access to this platform via @aroughidea/access.
  • Organization: The unit of access. Users belong to one or more orgs and inherit the union of their orgs' grants.
  • Grant: An org-level permission to use a specific demo or feature.
  • Magic link: An email sign-in link delivered by the auth service in lieu of a password.
  • Auth handoff: The redirect chain from a demo to auth.aroughidea.com and back, after sign-in.
  • Usage event: A row in usage_events written by a demo after a successful AI action.

Endpoints exposed by this app
  • GET /health: JSON heartbeat. No auth.
  • GET /auth/login: Redirects to auth.aroughidea.com/login?next=....
  • GET /login: Renders the magic-link form (served as auth.aroughidea.com/login in production).
  • POST /login: Sends the magic link via Supabase OTP.
  • GET /auth/callback: Exchanges the PKCE code for a session and redirects to the original demo URL.
  • GET /admin: Admin console UI. Protected actions live under /admin/*.
  • GET /admin/openrouter/summary: Returns the OpenRouter management summary. Requires admin and the management API key.
  • GET /admin/usage-events: Returns the most recent usage events from Supabase.
  • POST /admin/users/invite: Creates or attaches a user, assigns org membership, optionally grants admin.
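
The sign-in handoff carries its destination in the next parameter of /auth/login, and /auth/callback redirects to it after sign-in. As an added example (not this platform's own code), one way to restrict that return URL to known demo hosts before redirecting; the allowlist, default URL and function names are assumptions built from the two example URLs in step 2.

```javascript
// Added example, not the platform's own code.
// Assumption: allowlist and default come from the two example URLs on this page.
const ALLOWED_RETURN_HOSTS = new Set([
  'demo-reference.aroughidea.com',
  'access-platform-demo-reference.vercel.app',
]);
const DEFAULT_RETURN_URL = 'https://demo-reference.aroughidea.com/app';

// Parses `next` and returns a URL object only if it is an absolute HTTPS URL
// on an allowlisted host; otherwise returns null.
function parseAllowedReturnUrl(next, allowedHosts = ALLOWED_RETURN_HOSTS) {
  if (typeof next !== 'string' || next.length === 0 || next.length > 2048) return null;
  let url;
  try {
    url = new URL(next); // no base given, so relative and "//host" forms throw
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null;                  // rejects http:, javascript:, data:
  if (url.username !== '' || url.password !== '') return null; // rejects user:pass@host
  if (url.port !== '') return null;                            // default HTTPS port only
  if (!allowedHosts.has(url.hostname)) return null;            // exact match, never a suffix match
  return url;
}

// Returns the URL to redirect to after sign-in. Always the parsed, normalized
// form (never the raw string), or the default when `next` is not acceptable.
function resolveReturnUrl(next, fallback = DEFAULT_RETURN_URL) {
  const url = parseAllowedReturnUrl(next);
  return url ? url.href : fallback;
}

// Constructed sample inputs; hosts under .example are placeholders.
const SAMPLES = [
  'https://demo-reference.aroughidea.com/app',
  'https://demo-reference.aroughidea.com.attacker.example/app',
  '//attacker.example/app',
  'https://operator@demo-reference.aroughidea.com/app',
];

// Returns one boolean per sample: true if the value would be honoured as-is.
function auditSamples(samples = SAMPLES) {
  return samples.map((next) => parseAllowedReturnUrl(next) !== null);
}
```
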
Where to go next