> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getomni.co/llms.txt
> Use this file to discover all available pages before exploring further.

# User Management

> Managing users in your Omni instance

## Overview

Omni provides basic user management through the Admin panel. Users are stored in the database and can be managed via the UI or API.

<Tip>
  Omni supports **Google OAuth** out of the box, and optional enterprise [Single Sign-On (SSO)](/admin/sso) via Okta or Microsoft Entra ID. With SSO enabled, you can optionally disable password-based authentication.
</Tip>

## Managing Users

### Creating Users

1. Navigate to **Admin** → **Users**
2. Click **Add User**
3. Enter the user's email and name
4. Set a temporary password
5. Click **Create**

The user will be able to log in immediately with the temporary password.

### Editing Users

Select a user from the list to:

* Update their name or email
* Change their role (Admin or User)
* Disable or re-enable their account

### Resetting Passwords

To reset a user's password:

1. Select the user from the list
2. Click **Reset Password**
3. Enter a new temporary password
4. Share the temporary password with the user securely

Users can change their password after logging in via their profile settings.

### Deleting Users

1. Select the user from the list
2. Click **Delete**
3. Confirm the deletion

<Warning>
  Deleting a user is permanent and cannot be undone. Consider disabling the account instead if you may need to restore access later.
</Warning>

## User Roles

| Role       | Permissions                                                                       |
| ---------- | --------------------------------------------------------------------------------- |
| **Viewer** | Search and chat only — read-only access                                           |
| **User**   | Search, chat, and manage their own sources                                        |
| **Admin**  | All user permissions plus: manage users, configure connectors, access admin panel |

At least one admin must exist at all times.

## API Keys

Each user can create API keys for programmatic access to Omni's HTTP API. Keys are managed from the user's profile in **Settings** → **API Keys** (or via the `/api/v1/api-keys` endpoint).

| Scope      | Access                                                      |
| ---------- | ----------------------------------------------------------- |
| **Public** | Search and document read endpoints only (default)           |
| **User**   | User-level operations — chats, agents, own sources          |
| **Admin**  | Org-level administrative endpoints; requires the admin role |

When creating a key, you can optionally restrict it to an **allowed sources** list, which is intersected with the user's own access at request time.

Keys are shown in full exactly once at creation time. Omni stores a SHA-256 hash and a short prefix for later identification. Each user is capped at 25 active keys.

## Disabling Password Authentication

If [SSO is configured](/admin/sso), admins can disable password-based login:

1. Navigate to **Settings** → **Authentication**
2. Toggle off **Password Authentication**

<Warning>
  At least one other authentication method (Google OAuth, Okta, or Entra ID) must be active before password auth can be disabled. Additionally, the admin performing this action must have signed in via the other method at least once to prevent lockout.
</Warning>