> ## Documentation Index
> Fetch the complete documentation index at: https://docs.maska.co.in/llms.txt
> Use this file to discover all available pages before exploring further.

# Admin Login

> Passwordless magic-link sign-in for restaurant staff.

The admin login page is at `/admin/login`. It uses Supabase Auth with
**email OTP (magic link)** — there are no passwords.

## Signing in

1. Enter your staff email address.
2. Tap **Send magic link**.
3. Check your inbox for an email from Supabase Auth.
4. Click the link in the email — it redirects you to `/admin` and signs you in.

Magic links expire after **1 hour**. If the link has expired, return to `/admin/login`
and request a new one.

## Access control

Only email addresses recognised by Supabase Auth can receive a working magic link.
Submitting an unrecognised email will send an email that contains no valid session.

### Owner vs staff roles

Access levels are controlled per outlet via the platform auth tables (`profiles` +
`user_module_roles`):

| Role                | Permissions                                                                                                                                                               |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Owner** (manager) | Full access. Can create, edit, activate, deactivate, and delete slots and zones. Can manage day controls (block dates, sold-out slots, capacities). Can invite new staff. |
| **Staff**           | Operational access only. Can confirm/reject bookings, mark no-shows, block dates, mark slots sold out, and adjust capacities. Cannot modify slots or zones.               |

### Auto-claim for owners

When an owner signs in for the first time, the system automatically creates their
profile and manager role if their email is listed in the outlet's `owner_emails`:

```sql theme={null}
-- Pre-seed owner emails on the outlet
UPDATE res_outlets
SET owner_emails = ARRAY[
  'owner1@katha.coffee',
  'owner2@katha.coffee'
]
WHERE slug = 'katha-crafthouse';
```

No manual SQL required — the first login auto-claims the owner.

### Inviting staff

Owners can invite new team members from **Settings → Team**:

1. Enter the staff member's email
2. Select role: **Staff** or **Manager**
3. Tap **Invite**

The invited user receives a magic link email. On first sign-in, their profile and
module role are created automatically.

**API endpoint (for integrations):**

```bash theme={null}
POST /api/admin/invite
Authorization: Bearer <token>
Content-Type: application/json

{
  "email": "new@katha.coffee",
  "role": "staff"  // or "manager"
}
```

## Manual setup (rarely needed)

If you need to add a user directly without the invite flow:

```sql theme={null}
-- 1. Create profile (id must match auth.users.id)
INSERT INTO profiles (id, tenant_id, email, role)
VALUES (
  'auth-user-uuid-from-supabase',
  (SELECT id FROM tenants WHERE slug = 'katha'),
  'staff@kathacrafthouse.com',
  'outlet_staff'
);

-- 2. Grant reservations role for the outlet
INSERT INTO user_module_roles (profile_id, outlet_id, module, role)
VALUES (
  'auth-user-uuid-from-supabase',
  (SELECT id FROM res_outlets WHERE slug = 'katha-crafthouse'),
  'reservations',
  'staff'  -- or 'manager'
);
```

## Session behaviour

Once signed in, your session is kept alive automatically by Supabase Auth. You are
redirected to `/admin/login` if your session expires or if you sign out from the
dashboard or settings page.

The dashboard and settings pages redirect to `/admin/login` immediately if no active
session is detected on load.
