smallbets / userbase

Create secure and private web apps using only static JavaScript, HTML, and CSS.

Home Page: https://userbase.com

Create User in Admin Panel

Fubinator opened this issue

We have an application in which we do not want to allow open registration. We have built an invitation system that allows registration only with an invitation. But for the application a Genesis user must exist, because the invitations are only sent within the application.

For this purpose it would be useful to be able to add users within the admin panel. This would also be useful for testing purposes as we would not have to constantly invite ourselves to create a new account.

Can you expand a bit how you'd like this to work? Couple options as I see it:

  • You add usernames in the admin panel, and then someone can claim a username by signing up with it (and would create their own password in the process).
  • You can create invitation codes in the admin panel, and then someone can sign up using the invitation code (and create their own username/password in the process).

And you don't want to let any users sign up unless they use one of those 2 options^ to create an account?

The invitation system works like this:

A userbase database owner enters an e-mail address to invite a user. Then an invitation link is sent to this email address. If the user clicks on the link and registers an account, an entry is created in an unencrypted database outside userbase with all the information the database owner needs to add the user to the database. This is effectively a request to join a database. As soon as the database owner logs in or changes the page (if he is already logged in), the database is read and all open requests to "join" a userbase database are accepted.

There is no way to register without an invitation (as long as we leave out hacky ways). If we now set up a new userbase app, however, we have the problem that we do not have a link for the first user to register.

A pleasant solution to the problem would be if we could create the first user with password in the admin panel. Invitation codes wouldn't do us any favor, since we implemented the invitation system outside of userbase and I'm not sure if it would even be a good idea to include something like that in userbase.

If it won't work that way, we can always generate an initial invitation link ourselves and reset the database after that.

Ah, interesting!

Since the time you implemented this, we rolled out a new way to share databases that may come in handy here. You can now call share database like this:

userbase.shareDatabase({
  databaseName: 'example-database-name'
}).then(({ shareToken }) => {
  // Any other user can now open the database using this share token
}).catch((e) => console.error(e))

This way you can simply have your database owners email the share tokens. Then users can sign up and access the databases.

If you do go down this route of share tokens, be mindful that anyone with access to a share token can access the data in a database.

Would this help?

That might indeed help. A couple of questions about the share tokens:

  • Do they expire at some point? That would possibly be important to let invitation links expire. It's also pretty important for us from a security standpoint.
  • Once the user has opened the database with a share token, does he need the token again and again or is he then part of the database?

You can set 1 share token with read-only permissions, and 1 share token with write permissions on a database today. If you generate a share token via shareDatabase() when 1 already exists, the existing one will be overwritten with the new one.

> Once the user has opened the database with a share token, does he need the token again and again or is he then part of the database?

He needs the token again and again. But once a user has opened the database, the user can insert something into the database, and the database owner can use that to then call shareDatabase() with that user's username so that he can become part of the database.
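
The expiry and first-user concerns raised in this thread can be enforced in the application's own invitation store, independently of the share token. The following is an added example, not part of the thread or of Userbase's code; `createInvite`, `redeemInvite`, `createGenesisInvite` and the in-memory map (standing in for the database kept outside Userbase) are hypothetical names.

```javascript
const { randomBytes, createHash } = require('node:crypto');

// Hypothetical invite store; stands in for the app's database outside Userbase.
// Only the SHA-256 of each token is kept, so a leak of this (unencrypted)
// store does not hand out working invitation links.
const invites = new Map();

const hashToken = (token) =>
  createHash('sha256').update(String(token)).digest('hex');

// Issue an invitation. The raw token goes into the emailed link and is never stored.
function createInvite(email, databaseName, ttlMs, now = Date.now()) {
  const token = randomBytes(32).toString('hex');
  invites.set(hashToken(token), {
    email, databaseName, expiresAt: now + ttlMs, used: false,
  });
  return token;
}

// Redeem at sign-up: the invite must exist, be unused, unexpired, and match
// the address it was issued for. A successful redemption consumes it.
function redeemInvite(token, email, now = Date.now()) {
  const invite = invites.get(hashToken(token));
  if (!invite) return { ok: false, reason: 'unknown' };
  if (invite.used) return { ok: false, reason: 'used' };
  if (now >= invite.expiresAt) return { ok: false, reason: 'expired' };
  if (invite.email !== email) return { ok: false, reason: 'email-mismatch' };
  invite.used = true;
  return { ok: true, databaseName: invite.databaseName };
}

// Bootstrap for a fresh deployment: the first ("genesis") invite can be
// issued only while the store is empty, so it cannot be minted again later.
function createGenesisInvite(email, ttlMs, now = Date.now()) {
  if (invites.size > 0) throw new Error('genesis invite already issued');
  return createInvite(email, null, ttlMs, now);
}
```

The genesis invite carries no database name because the first user creates databases rather than joining one.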