Users
The Users view lists every registered Lumio user across all accounts. It is primarily a read-only directory with one admin action: force-removing a user's login connection (for example, revoking a compromised Twitch OAuth link). Users themselves are never deleted from this UI: accounts own data, while users only log in.
Where to find it
Admin sidebar → Users. The list lives at /users; detail pages live at /users/{id}.
Quick start
- Open Admin → Users.
- Search by display name or email using the top search bar.
- Click any row to open the user detail page.
- Inspect login connections and account memberships in the stacked cards.
- If a login provider needs to be detached, use the delete button on that connection row.
Detailed walkthrough
Users list (/users)
- Search — debounced 300 ms search on display name and email.
- Columns — Avatar + display name, Email, Created date, Last Login date.
- Pagination — 25 users per page; "Page X of Y (N users)" footer.
- Row click — navigates to /users/{id}.
User detail (/users/[id])
Three cards:
- User Information — Email, User ID (copyable), Created At, Last Login.
- Login Connections — table of every identity provider the user has linked: Provider (Twitch, Google, etc.), Username on that provider, Connected Since timestamp. Each row has a delete action that calls the admin login-connection removal endpoint; the user will need to re-authenticate on that provider on next login.
- Account Memberships — table of every account the user belongs to: Account (linked to /accounts/{account_id}), Plan badge, Role, Owner flag.
Common scenarios
- Abuse investigation — open a user, check their account memberships to see what data they control, then follow up in each account.
- Compromised OAuth — delete the affected login connection. The user must re-link that provider before using it again.
- Duplicate account merge — the admin UI does not merge users. Use the CLI/DB for merges; use this page to verify account memberships first.
- "Why can't user X log in?" — inspect Login Connections to confirm they still have at least one working provider link.
Permissions
| Action | Permission |
|---|---|
| View user list / detail | users:read |
| Delete a user's login connection | users:edit |
All actions additionally require admin:access. There is no users:delete UI surface — that permission exists in the RBAC constants but is not wired to any button today.
API
| UI action | GraphQL | REST |
|---|---|---|
| List users (paginated, searchable) | adminUsers | GET /v1/admin/users |
| Get user detail | adminUser | GET /v1/admin/users/{id} |
| Delete a login connection | adminDeleteUserLoginConnection | DELETE /v1/admin/users/{id}/login-connections/{provider} |
Tips & gotchas
- There is no ban / unban surface in the admin app today. Blocking a user from logging in is done by removing all of their login connections.
- There is no sessions management in the admin user view. Session admin is handled per-account by the account owner (see the user-facing docs for the sessions page).
- Memberships are surfaced read-only here. Changing a member's role happens inside the account itself, not from the admin panel.
- The list uses the Next.js proxy route /api/users, which calls the REST admin endpoint underneath.
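
A pre-flight check for the compromised-OAuth scenario, as an added example that is not Lumio's own code: it confirms the operator holds both required permissions, builds the REST call from the API table, and flags when the removal would leave the user with no login provider. The connection record shape, the `planConnectionRemoval` helper and all sample values are assumptions.

```javascript
// Added example. The permission strings and REST path come from the page;
// the user/connection record shape and all sample values are constructed.
const REQUIRED_PERMISSIONS = ["admin:access", "users:edit"];

function planConnectionRemoval(operatorPermissions, user, provider) {
  const missing = REQUIRED_PERMISSIONS.filter(
    (p) => !operatorPermissions.includes(p)
  );
  const target = user.connections.find(
    (c) => c.provider.toLowerCase() === provider.toLowerCase()
  );
  const remaining = user.connections
    .filter((c) => c !== target)
    .map((c) => c.provider);

  // Refuse to build a request the operator is not authorized to send,
  // or one that targets a provider the user never linked.
  if (missing.length > 0 || !target) {
    return { allowed: missing.length === 0, missing, request: null,
             remainingProviders: remaining, locksOutUser: false };
  }
  return {
    allowed: true,
    missing,
    request: {
      method: "DELETE",
      // Encode both segments so an unexpected id or provider value
      // cannot alter the path.
      path: `/v1/admin/users/${encodeURIComponent(user.id)}` +
        `/login-connections/${encodeURIComponent(target.provider)}`,
    },
    remainingProviders: remaining,
    // With no providers left the user cannot log in at all, which is the
    // page's stand-in for a ban; make that a deliberate choice.
    locksOutUser: remaining.length === 0,
  };
}

// Constructed sample user with two linked providers.
const sampleUser = {
  id: "usr_example_01",
  connections: [
    { provider: "twitch", username: "streamer_example" },
    { provider: "google", username: "person@example.com" },
  ],
};
const plan = planConnectionRemoval(["admin:access", "users:edit"], sampleUser, "Twitch");
console.log(plan.request.path, "lockout:", plan.locksOutUser);
```
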
Related
- Accounts — which accounts a user belongs to
- Audit Log — record of login / logout / admin events
- OAuth Clients — public OAuth apps that can act on behalf of users