Authentication & permissions

This page covers how people sign in to DNS Panel and what they are allowed to do once they're in: login methods, the admin / user role, and the per-zone permission ladder.

Sign-in methods

Each user can sign in two ways:

• Passkey (WebAuthn). Passkeys are registered per user inside the panel under Settings. Registration and login use @simplewebauthn/server. Passkeys depend on the RP_ID and NEXTAUTH_URL environment variables matching the domain the panel is served on — see Installation & configuration.
• Password. A password login (email + password) is also available. Passwords are hashed with bcryptjs.

A user can have a passkey, a password, or both. The first admin sets these up after the initial /setup flow.

Roles

Every panel user has one of two roles:

• admin — sees all zones, manages users, toggles roles, and sets per-zone permissions for other users.
• user — sees only the zones they have been granted access to.

Admins can toggle another user's role between admin and user. Two guards protect the panel from locking everyone out:

• No self-demotion — an admin cannot remove their own admin role.
• Keep at least one admin — the last remaining admin cannot be demoted.

Per-zone permission ladder

Access to each zone is a strict 4-level ladder. A higher level includes everything below it:

Internally each level expands to a set of boolean flags (canView, canModify, canDelete), and the highest satisfied flag determines the displayed level:

• none → nothing
• view → canView
• edit → canView + canModify
• full → canView + canModify + canDelete

Permissions are stored in the panel's own database (the zone_permissions table), not in Technitium. Admins always see every zone regardless of these entries; users only see zones where their level is view or higher.

Related