/admin/login. It uses Supabase Auth with
email OTP (magic link) — there are no passwords.
Signing in
- Enter your staff email address.
- Tap Send magic link.
- Check your inbox for an email from Supabase Auth.
- Click the link in the email — it redirects you to
/adminand signs you in.
/admin/login
and request a new one.
Access control
Only email addresses recognised by Supabase Auth can receive a working magic link. Submitting an unrecognised email will send an email that contains no valid session.Owner vs staff roles
Access levels are controlled per outlet via the platform auth tables (profiles +
user_module_roles):
| Role | Permissions |
|---|---|
| Owner (manager) | Full access. Can create, edit, activate, deactivate, and delete slots and zones. Can manage day controls (block dates, sold-out slots, capacities). Can invite new staff. |
| Staff | Operational access only. Can confirm/reject bookings, mark no-shows, block dates, mark slots sold out, and adjust capacities. Cannot modify slots or zones. |
Auto-claim for owners
When an owner signs in for the first time, the system automatically creates their profile and manager role if their email is listed in the outlet’sowner_emails:
Inviting staff
Owners can invite new team members from Settings → Team:- Enter the staff member’s email
- Select role: Staff or Manager
- Tap Invite
Manual setup (rarely needed)
If you need to add a user directly without the invite flow:Session behaviour
Once signed in, your session is kept alive automatically by Supabase Auth. You are redirected to/admin/login if your session expires or if you sign out from the
dashboard or settings page.
The dashboard and settings pages redirect to /admin/login immediately if no active
session is detected on load.