Skip to content
ReArch DOCS

Users

ReArch supports multiple users with role-based access control. Administrators create and manage user accounts, assign roles, and control who can access the platform.

Roles

Section titled “Roles”

ReArch defines two roles:

RolePermissions
UserCreate conversations, send messages, commit and push changes, create pull requests, view own conversations.
AdminEverything a user can do, plus: manage users, configure LLM providers, manage MCP servers, manage skills, view jobs dashboard, access usage analytics, and modify application settings.

Account Statuses

Section titled “Account Statuses”
StatusDescription
ActiveThe user can log in and use the platform normally.
PendingThe account has been created but is awaiting approval. The user cannot log in.
SuspendedThe account has been deactivated by an administrator. The user cannot log in.

Creating Users

Section titled “Creating Users”

LOCAL Auth Mode

Section titled “LOCAL Auth Mode”
  1. Navigate to Administration > Users.
  2. Click Add User.
  3. Fill in the user’s email, name, and password.
  4. Select a role (user or admin).
  5. Click Save.

The user can now log in with their email and password.

Keycloak Auth Mode

Section titled “Keycloak Auth Mode”

When using AUTH_MODE=KEYCLOAK_FIREWALL, users are created in Keycloak, not in ReArch directly. The backend automatically creates a local user record when someone authenticates for the first time via Keycloak. Roles are synced from the Keycloak token on every request.

To create a user:

  1. Open the Keycloak admin console.
  2. Navigate to the rearch realm > Users > Add user.
  3. Set the email, name, and credentials.
  4. Assign the appropriate realm role (user or admin) in the Role mapping tab.

See Keycloak Setup for details.

Editing Users

Section titled “Editing Users”
  1. Navigate to Administration > Users.
  2. Click on a user to open their profile.
  3. Update the name, role, or status.
  4. Click Save.

In Keycloak mode, role changes should be made in Keycloak. The local record is updated on the user’s next authenticated request.

Suspending a User

Section titled “Suspending a User”

Set the user’s status to Suspended from the user management page. The user will be unable to log in or make API requests until reactivated. Existing conversations are preserved but become inaccessible to the suspended user.

Self-Registration

Section titled “Self-Registration”

In LOCAL mode, users can self-register if the Allow Signups setting is enabled in Administration > Settings. When disabled, only administrators can create accounts.

In Keycloak mode, user registration is controlled by the Keycloak realm settings.