Create your workspace
After your first login — switch the admin password, invite teammates, set up your first team, and decide on roles.
You ran the Quickstart and you’re logged in as admin@localhost. Now make the workspace yours.
Rotate the admin credentials
The seeded admin (admin@localhost / admin) is meant for first login only. Either change the password from Settings → Profile, or set it explicitly via environment variables when starting:
ADMIN_EMAIL="<admin-email>" ADMIN_PASSWORD="$(openssl rand -base64 32)" \
docker compose up -d proxifai
For production, point the platform at your existing identity provider — see Authentication → OIDC. When OIDC is enabled, the seeded admin still exists as a break-glass account but normal users authenticate through your IdP.
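The one-line command above generates the password inside the command substitution and never displays it, so the operator has no copy of the new credential. The sketch below is an added example, not part of the ProxifAI docs: it generates the secret once, stores it in an owner-only file, and starts the service from that file. The function names and the admin.env file name are hypothetical, and it assumes the service reads ADMIN_EMAIL and ADMIN_PASSWORD from the environment exactly as in the command above.

```shell
#!/bin/sh
# Added example (not ProxifAI code). Function and file names are hypothetical.

# Print a 32-byte random secret, base64-encoded (44 characters).
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64   # fallback when openssl is absent
    fi
}

# write_admin_env FILE EMAIL
# Writes ADMIN_EMAIL and a fresh ADMIN_PASSWORD to FILE with mode 0600.
# Refuses to overwrite, so a re-run cannot silently replace the credential.
write_admin_env() {
    env_file=$1
    email=$2
    if [ -e "$env_file" ]; then
        echo "refusing to overwrite $env_file" >&2
        return 1
    fi
    case $email in
        *"'"*) echo "email must not contain a single quote" >&2; return 1 ;;
    esac
    password=$(gen_secret) || return 1
    [ "${#password}" -eq 44 ] || { echo "unexpected secret length" >&2; return 1; }
    (
        umask 077   # create the file readable by the owner only
        printf "ADMIN_EMAIL='%s'\nADMIN_PASSWORD='%s'\n" "$email" "$password" > "$env_file"
    )
}

# start_proxifai FILE
# Exports the variables from FILE in a subshell and starts the service with
# the same command the page uses, so the stored value is the one in effect.
start_proxifai() {
    (
        set -a          # export every variable the file assigns
        . "$1"          # FILE must contain a slash, e.g. ./admin.env
        set +a
        docker compose up -d proxifai
    )
}

# Usage:
#   write_admin_env ./admin.env '<admin-email>' && start_proxifai ./admin.env
```

Move the contents of admin.env into your secret manager once the break-glass login is confirmed, then delete the file.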
The default organization
ProxifAI seeds a single organization named default on first boot. Single-tenant deployments leave it as-is — every member, repo, and project lives under that one org. Multi-org is supported in the same binary if you want to partition by business unit or subsidiary; see Organizations.
Rename or set a slug from Settings → General.
Invite members
Settings → Members → Invite member
Two routes for adding people:
| Route | When |
|---|---|
| Email invite | OSS first-party auth — you give them a link, they set a password |
| OIDC / SSO | They sign in once via your IdP and the account is provisioned automatically (just-in-time) |
Once their accounts exist, pfai team members add <team-id> <user> adds them to a team.
Default roles
Three workspace roles ship by default. Every one of the 35 permissions is bundled into a role’s permission set; assign one to each member from the invite dialog.
| Role | Built for |
|---|---|
| Owner | Full access including admin.access. Can delete the org. |
| Admin | Same as owner minus the super-admin bypass — the right default for engineering leads. |
| Member | Day-to-day contributor: create issues, write code, dispatch agents, run workflows. Cannot delete projects, edit integrations, or change settings. |
There’s no built-in “Viewer” role — read-only access is achieved by creating a custom role containing only *.read permissions.
Per-project roles exist too — viewer / member / lead — and override workspace permissions inside that project’s scope.
Create a team
Teams partition projects, sprints, and issue lists. Most orgs start with one team per engineering surface (Backend, Frontend, Platform).
Settings → Teams → New team
Each team needs:
- Name — display name
- Identifier — short uppercase prefix (2–6 chars) used in issue numbers, e.g. BACK makes issues read BACK-42
pfai team create "Backend" --identifier BACK
pfai team members add <team-id> alice bob
A user can belong to multiple teams; per-team roles (owner / admin / member) are independent of the workspace role.
What’s wired up by default
Some boot-time defaults you can leave alone — or replace as you go:
| Setting | Default | Where to change |
|---|---|---|
| LLM providers | None — set up at least one to use chat or agents | Settings → Model Providers or pfai model-provider create |
| Knowledge base | Disabled (KB_ENABLED=false) | Set the env var, point at Qdrant + Meilisearch + TEI |
| Container registry | Local registry on :5000 (Docker Compose only) | Front it with TLS in production |
| Branch protection | None | Per-repo, Repo Settings → Branch Protection |