Root Users

Break-glass accounts authenticated directly by SendAuth for emergency access and initial setup

Root users are special accounts authenticated directly by SendAuth rather than through external identity providers (IDPs). They serve as break-glass accounts for emergency access when your primary IDP is unavailable and are essential for initial system setup.

Overview

Root users are designed to provide reliable access to your SendAuth instance when external authentication systems fail. They authenticate using credentials stored directly in SendAuth and bypass the normal IDP authentication flow.

Root users have specific limitations and should only be used for emergency access and initial setup. They cannot authenticate other users or receive authentication requests.

When to Use Root Users

Initial Setup

  • First-time configuration: Set up your organization before configuring external IDPs
  • IDP configuration: Configure OpenID Connect and other authentication providers
  • Emergency preparation: Create break-glass accounts before fully relying on external authentication

Emergency Access

  • IDP outages: Access your system when external identity providers are down
  • Configuration errors: Fix authentication issues that lock out normal users
  • Recovery scenarios: Restore access when external authentication is misconfigured

Creating Root Users

Account Registration

  1. Navigate to the SendAuth app (app.sendauth.com)
  2. Click Create a new account on the sign-in page
  3. Provide the required information:
    • Email address: Must be unique within the system
    • Password: Minimum 10 characters, maximum 64 characters
    • Password confirmation: Must match the password
  4. Complete passkey setup for additional security
  5. Click Sign Up

Authentication Methods

Root users use dual authentication factors:

  • Password: Traditional password authentication
  • Passkey: WebAuthn-based passwordless authentication for enhanced security

Capabilities and Limitations

What Root Users Can Do

  • System administration: Full admin access to organization settings
  • User management: Create, modify, and delete regular users
  • Organization configuration: Set up IDP connections, domains, and authentication settings
  • Break-glass access: Emergency access when external authentication fails
  • Password reset: Self-service password recovery via email

What Root Users Cannot Do

  • Authenticate others: Cannot initiate or complete authentication requests for other users
  • Receive authentication requests: Cannot be the target of authentication challenges
  • Generate API keys: API key generation is restricted to regular users only
  • External integrations: Limited integration capabilities with external systems

Root users are automatically assigned the Admin role.

Password Management

Password Requirements

  • Minimum 10 characters
  • Maximum 64 characters
  • Must meet basic complexity requirements

Password Reset

If you forget your root user password:

  1. Go to the sign-in page
  2. Click Forgot Password?
  3. Enter your email address
  4. Check your email for the reset link
  5. Follow the link and set a new password

Password reset tokens expire after 1 hour.