What this console manages
The operator console is the business + access-provisioning layer: create tenants, set the account type, provision their login-holders, oversee their end-user seats, revoke access and read the audit trail. It does not run a tenant's operations — connection keys, per-user tokens, the seat's operational label + TRAIN⇄SERVE editing and the engine brain live in the tenant console, owned by the customer.
- Tenants — the accounts you manage; open one to drill in.
- New Tenant — create a tenant (just a name) + provision its first login-holder.
- Account type — a per-seat capability tier (shown as a badge in the Tenants list, set under Plan & Capacity); only Agent seats expose the TRAIN⇄SERVE freeze.
- Accounts — the tenant's login-holders: the username/password dashboard logins you provision for the customer's admins.
- Users — the tenant's end-user seats: the OpenWebUI users that become seats. Oversight + deprovision here; the operational label + TRAIN⇄SERVE editing stay in the tenant console.
- Your kill-switch is the account Lock (Danger Zone) — not per-key revocation.
| Name | Account ID | Type | Status | Actions |
|---|
| Name | Account ID | Slug | Seats | Actions |
|---|
Create a tenant ?
- Create the tenantJust a name (the URL slug is auto-derived; edit it only if it collides).
- Provision a dashboard loginA username + password for the customer's admin so they can sign into the tenant console.
- Hand offIn their tenant console they generate a connection key, wire it into OpenWebUI once, and their users appear as seats.
Defaults: Enterprise, type standard, 5 seats — change it later under Plan & Capacity. Team starts with no base package and is capped at 15 seats. Clinical is a net-new regulated account type (schema-per-patient, per-doctor keys, append-only audit); doctors mint their own provisioning keys later — an admin never holds one. You get its first ordinary memory key at creation.
Create the login your customer signs into the tenant console with. Leave the password blank to auto-generate a strong temporary one (shown once).
The tenant is ready. Open it to manage its plan, logins, seats, audit trail and lifecycle.
MFA is off. Enroll an authenticator to require a 6-digit code at sign-in.
MFA is on. To turn it off, re-authenticate with your current password (or a code).
About operators
Operators are the platform super-admins (separate from any tenant login). Add more, break-glass reset a locked-out operator's password or MFA, or remove one. The platform must always keep at least one operator. Secrets are shown once and never stored.
| Username | Role | MFA | Status | Last login | Actions |
|---|
About transfers
An individual can request to join a corporate tenant. The request itself is their explicit consent — governance changes from self-owned to tenant-governed (they lose self-purge and endpoint control). Approving runs an export-before snapshot, then re-associates their seat to the tenant, flips governance, and sets a permanent one-way lock (they cannot leave or move again). This cannot be undone — review the target carefully.
| Individual | Target tenant | Requested | Consent | Status | Actions |
|---|
About reset approvals
When a tenant admin requests a password reset for their console login and their account requires operator approval (default ON), the request is held here instead of emailing a link. Approving mints and emails the reset link (or a break-glass temp when email is off); denying discards it. This gates ONLY the control-plane login — the tenant's seats, memory, and MCP connection tokens are never affected. Per-account policy is set from each account's overview.
| Admin login | Account | Requested | Expires | Decision |
|---|
About signup approvals
While "new users require approval" is on (Platform tab, default ON), a new self-serve signup lands here instead of going live. Until you decide, that person is inert: they cannot sign in, they have no seat, no memory store, and no connection key — only a claimed email address.
Approve activates the login, provisions their private memory schema, starts their first-month-free clock, and emails them the welcome/introduction. Deny disables the login permanently (the email stays claimed so it can't be re-used to route around the decision) and sends nothing. Undecided requests expire automatically.
| Applicant | Name | Requested | From IP | Expires | Decision |
|---|
What this controls
Offline mode takes the product down for users — the memory API and the tenant/individual consoles all return a maintenance page. This console stays up, by design: it is where the switch lives, so it is exempt from its own kill-switch. Nothing is deleted or expired while offline; memory is untouched.
New users require approval holds every new signup for your decision (see the Signup approvals tab). Notification address is emailed when someone is waiting — the queue is the source of truth, so email is only a convenience.
Shown on the maintenance page users see. Leave blank for the default wording.
Turning this OFF means new signups go live immediately with no review.
The notify address is emailed when a signup is waiting. The From: must be an address your SMTP relay is allowed to send as.
About broadcasts
Compose a message that appears in the alert space of the consoles you target. Each recipient can dismiss it for themselves; deactivate to pull it from everyone. Messages are content-checked before they send. This is a heads-up channel (maintenance, notices) — it never touches memory or data.
| Audience | Severity | Subject | Sent | State | Action |
|---|
About global origins
Origins added here are allowed for every tenant, on top of each tenant's own list — use for shared infrastructure (e.g. a central OpenWebUI) so you don't repeat it per tenant. A tenant's own origins and its enable/disable toggle live on that tenant's Overview → Access control. Origins are the browser-facing allowlist; the connection key + per-tenant schema remain the data boundary.
| Global origin | Added | Actions |
|---|
What this shows
The platform's billing roster — every account with its plan, seat-tier mix, active seats, monthly recurring bill and contract status. The MRR figure is the sum of every account's current monthly bill. Drill into one account's full bill + ledger under Tenant → Billing. A manual tier override (operator comp) sets a seat's tier with no charge from the account's Users page.
| Account | Plan | Seat tiers | Seats | Monthly | Contract | Actions |
|---|
What this configures
Pick a payment provider and enter its credentials so a real checkout can light up later. This is the configuration surface only — no live card processing is wired yet, so a selected provider still resolves to the honest stub and nothing is charged until a real adapter is written. Credentials are encrypted at rest (never stored or shown in plaintext); saved secrets show as •••• set, write-only. Currency defaults to CAD.
What this configures
Point the platform at your SMTP relay (your own mail server) so it can send transactional email — today that is the individual "My Memory" password reset. The password is encrypted at rest (never stored or shown in plaintext); a saved password shows as •••• set, write-only. Use send test email to verify the relay before you flip enabled on. Nothing is emailed while disabled.
The reset email appends ?token=… to this URL. Leave blank to use the request origin.
Enabling the lane and buying patient capacity are the tenant's billing-gated actions in their own console. Patients are physically-isolated schemas; the elevated provisioning key and all PHI stay with the tenant/app.
| When | Actor | Action | Result | Key | Patient | Detail |
|---|
Default ON. When ON, a tenant admin's self-serve console-login reset is HELD in Reset approvals until you approve. Turning it OFF lets this tenant's admins reset their own console login directly by email. This never affects the tenant's seats, memory, or tokens.
About the account key
The account-level flk_ connection key is the bearer OpenWebUI uses for this whole tenant (distinct from per-seat tokens under Users). Rotate mints a new key and revokes the current one immediately — the tenant must re-key their OpenWebUI. Revoke kills a key now (use if one leaks). Full keys are shown ONCE and never re-displayed.
| Prefix | Label | Status | Created | Last used | Actions |
|---|
About the origin ACL
Restrict which browser origins may make authenticated calls for this tenant. ON = only listed origins (this tenant's + global) are allowed; OFF = any origin (less secure). It's defense-in-depth on top of the connection key — never the data boundary (that's the key + per-tenant schema). Server-to-server OpenWebUI calls carry no origin and are unaffected. Global origins apply to every tenant.
| Allowed origin | Scope | Added | Actions |
|---|
global origins apply to every tenant and are managed under Manage → Security.
| When | Source IP | Request |
|---|
| User | Type | Status | Ingest | Seen |
|---|
How this maps to the tenant
Capacity is per-seat — manage it under Plan & Capacity, change a seat's tier under Users, see charges under Billing.
A business-layer snapshot: the tenant owns their connection keys, per-user tokens, seat labels, TRAIN⇄SERVE editing and engine brain in their own console. Here you use Plan & Capacity (tier), Accounts (logins), Users (seats), Audit, and Danger Zone (suspend / lock / archive).
How capacity works
The base 5 Standard seats are included & immutable (shown locked). Provision more à-la-carte or by bundle. The ladder is standard → advanced → expert → agent; assign a user to a tier under Users. All amounts are CAD.
| Type | Licensed | Base | Provisioned | In use | CAD / mo | Actions |
|---|
Accounts vs Users
Accounts are the login-holders — the email/password logins your customer signs into their tenant console with (distinct from Users, the end-user seats). Add more than one, reset a password or MFA, or remove a login. Secrets are shown once and never stored.
| Username | Role | MFA | Status | Last login | Actions |
|---|
About end-user seats
Users are the tenant's end-user seats — the OpenWebUI users that become seats (distinct from Accounts, the login-holders). Oversight + control: read each seat's ingest state and deprovision to reclaim the seat. The operational label and the TRAIN⇄SERVE freeze are edited by the customer in their tenant console — read-only here.
When to assign a seat manually
For a standalone client that doesn't auto-seat through OpenWebUI. Leave the UUID blank to generate one.
A per-user connection token (flu_) is minted and shown once for a ready-to-connect
config. Cap-enforced — at the licensed limit, add capacity in Plan & Capacity first.
What each status does
Active = normal. Suspend = reversible pause. Lock = hard cutoff (every credential resolves to nothing). Archive = cold (moves to Trash). Only you can clear a tenant's panic lock. These apply to every account type.