Console

The console (/api/v1/console/*) is the self-service surface behind the bloonio_chat_admin_ssr portal (port 4318). An admin registers (via email OTP), owns a workspace, and manages its tenants, operators, members and invitations there — without ever touching the platform admin key.

Authentication is a console token (console_token, HS256, ~7 days, kind=tenant_admin), scoped through workspace memberships.

Console vs X-Admin-Key

Tenant management describes the X-Admin-Key surface (platform operator). The console exposes equivalent operations (provision a tenant, rotate keys, etc.) but scoped to the logged-in admin’s workspace, via the console token.

Registration (public, via OTP)

Registration is a two-step flow and always lands in a workspace — created from organization_name, or joined via an invite_token.

1. Start — POST /console/register creates a PENDING account and sends an OTP by email. In local dev (ENV=local, SMTP not configured), the response returns the OTP in dev_otp.
2. Verify — POST /console/verify/registration validates the OTP, activates the account, creates (or joins) the workspace and returns a session.
3. Resend (if needed) — POST /console/resend/registration-otp.

curl $BASE_URL/api/v1/console/register \
  -X POST -H "Content-Type: application/json" \
  -d '{
    "email": "admin@acme.com",
    "password": "a-strong-passphrase",
    "display_name": "Alex Admin",
    "organization_name": "Acme Co"
  }'

Login and MFA

POST /console/login authenticates by email + password. The result is discriminated by redirect_to_mfa:

• false — no second factor: the full session (with console_token) is returned.
• true — a challenge_token and the mfa_factors list (for example ["email", "totp"]) are returned; you must complete a second factor.

Email OTP

# 1. Login → returns a challenge_token when redirect_to_mfa = true
curl $BASE_URL/api/v1/console/login -X POST -H "Content-Type: application/json" \
  -d '{"email":"admin@acme.com","password":"..."}'

# 2. Issue the second-factor OTP
curl $BASE_URL/api/v1/console/get/login-otp -X POST -H "Content-Type: application/json" \
  -d '{"challenge_token":"chl_..."}'

# 3. Verify the OTP → full session
curl $BASE_URL/api/v1/console/verify/login-otp -X POST -H "Content-Type: application/json" \
  -d '{"challenge_token":"chl_...","code":"123456"}'

TOTP (Bloonio Authenticator)

Email OTP is the always-available local factor. The TOTP factor (the Bloonio Authenticator app) is delegated to bloonio_auth_relay — chat_relay is itself a tenant of it. Verification is done via POST /console/verify/login-totp with the challenge_token and the totp code.

The console’s protected routes then require the Authorization: Bearer <console_token> header.

System console

The system console (/api/v1/console/system/*) is the platform-wide super-admin surface. An account is a super-admin when its is_system field is true — that is the only boolean that distinguishes an account.

404 semantics, not 403

The /system/* routes respond 404 (not 403) to a non-system account: the surface is not advertised. A caller without is_system therefore cannot even infer that these routes exist.

It exposes, among other things, platform counters and global reads:

Method	Path	Role
GET	/system/fetch/stats	Counters (workspaces, admins, tenants, operators, pending assignments)
GET	/system/fetch/workspaces	All workspaces
GET	/system/fetch/tenants	All tenants (?status=active|suspended)
GET	/system/fetch/admins	All accounts (hashes excluded)
POST	/system/suspend/tenant	Platform-wide suspension
POST	/system/reactivate/tenant	Reactivation

Bootstrap a super-admin

Three ways to create an is_system account, from strongest to weakest:

1. Deterministic seed (recommended). Set SYSTEM_ADMIN_EMAIL + SYSTEM_ADMIN_PASSWORD (and the optional SYSTEM_ADMIN_DISPLAY_NAME). At startup, the relay ensures a login-capable super-admin exists. Idempotent: an already-present account is promoted in place and its password is never reset. To run it on demand, without a redeploy:

   ENV=production python3 bash/seeds/bootstrap-system-admin.py \
     --email ops@bloonio.com --password '<strong-password>'

   Without --email/--password, the script falls back to SYSTEM_ADMIN_EMAIL / SYSTEM_ADMIN_PASSWORD from the .env selected by ENV.

2. Allowlist. Emails in the SYSTEM_ADMIN_EMAILS CSV become is_system as soon as they register or log in (they choose their own password).

3. Runtime break-glass hatch. Promote an existing account via the admin key:

   curl "$BASE_URL/api/v1/console/promote/console-admin?email=ops@bloonio.com" \
     -X POST -H "X-Admin-Key: YOUR_ADMIN_KEY"

Three distinct mechanisms

The seed creates/repairs a specific account (idempotent). The allowlist only promotes accounts that register themselves. The /promote hatch is the operator escape valve when the CSV cannot be edited and redeployed right away.

Next steps

• The exact public console surface. See the API reference.
• Manage tenants on the platform side. See Tenant management.
• Provision operators. See Operators.