Admin routes and environment
Admin pages, API routes, and configuration
All admin UI and API routes require an authenticated admin (NextAuth session with accountType === "admin" or email in ADMIN_EMAILS). Protect API routes with requireAdminSession(session, permission). The one route listed below without auth is GET /api/health/db.
Admin pages (under /admin)
| Path | Description |
|---|---|
| /admin | Dashboard (overview + Sendlar stats) |
| /admin/users | Users list (paginated, search, filter) |
| /admin/users/[id] | User detail, plan activation, email limits |
| /admin/emails | All emails (list, view, cancel scheduled) |
| /admin/templates | All templates (list, view) |
| /admin/images | All images (list) |
| /admin/smtp | SMTP configs per user (no secrets) |
| /admin/bots | Bots (list, view detail) |
| /admin/webhooks | Webhooks (list, URLs masked) |
| /admin/api-keys | Users with Sendlar API key (preview only) |
| /admin/system | DB health + env set/missing checklist |
| /admin/payments | Payments |
| /admin/products | Products |
| /admin/blog | Blog |
| /admin/portfolio | Portfolio |
| /admin/coupons | Coupons |
| /admin/projects | Projects |
| /admin/support | Support |
| /admin/subscriptions | Subscriptions |
| /admin/activity | Activity |
| /admin/settings | Settings |
Admin API routes (under /api/admin or /api/health)
| Method | Path | Description |
|---|---|---|
| GET | /api/admin/users | List users (paginated) |
| GET/PATCH/DELETE | /api/admin/users/[id] | User detail / update / delete |
| POST | /api/admin/users/[userId]/activate-plan | Activate Sendlar plan (body: plan, expiresAt?) |
| GET/PUT | /api/admin/users/[userId]/email-limits | Get/update email limits (monthlyLimit, addTokens, resetCycle) |
| GET | /api/admin/emails | List emails (page, limit, status, user, dateFrom, dateTo) |
| GET | /api/admin/emails/[id] | Email detail |
| POST | /api/admin/emails/[id]/cancel | Cancel scheduled/queued email |
| GET | /api/admin/templates | List templates (page, limit, q, user) |
| GET | /api/admin/templates/[id] | Template detail |
| GET | /api/admin/images | List images (page, limit, user) |
| GET | /api/admin/smtp | List SMTP configs (safe fields only) |
| GET | /api/admin/bots | List bots (page, limit, user, isActive, triggerType) |
| GET | /api/admin/bots/[id] | Bot detail |
| GET | /api/admin/webhooks | List webhooks (URLs masked) |
| GET | /api/admin/api-keys | List users with API key (key preview only) |
| GET | /api/admin/system/env | Env keys set/missing (names only) |
| GET | /api/health/db | DB connection status (no auth) |
Environment variables (admin / Sendlar)
| Variable | Purpose |
|---|---|
| ADMIN_EMAILS | Comma-separated emails allowed as admin (legacy allowlist) |
| ADMIN_ID | Optional: admin login ID (if using cookie-based /admin/login) |
| ADMIN_PASSWORD | Optional: admin login password (if using cookie-based /admin/login) |
| MONGODB_URI | MongoDB connection string |
| NEXTAUTH_SECRET | NextAuth secret |
| AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, AWS_S3_BUCKET | S3 (e.g. images) |
| EMAIL_HOST, EMAIL_USER, EMAIL_PASS | SMTP for app emails |
Admin auth
Use NextAuth and sign in with a user that has accountType === "admin" (Admin model) or email in ADMIN_EMAILS. Redirect to /login?callbackUrl=/admin when not authenticated.
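The admin rule above (accountType === "admin" or email in ADMIN_EMAILS) written as a fail-closed check. This is an added example, not the project's requireAdminSession. The helper names, the session.user shape, and the 401/403 status codes are assumptions.

```javascript
// Added example; helper names are hypothetical, not the project's requireAdminSession.

// Parse ADMIN_EMAILS ("a@x.com, b@y.com") into a normalized set.
// Blank entries are dropped so an unset or empty variable can never match
// a session whose email is missing or "".
function parseAdminEmails(raw) {
  return new Set(
    String(raw ?? "")
      .split(",")
      .map((e) => e.trim().toLowerCase())
      .filter((e) => e.length > 0)
  );
}

// Apply the documented rule to a NextAuth-style session object.
// Assumption: accountType and email are exposed on session.user.
// status is the HTTP code an API route could return (assumed: 401 / 403).
function checkAdmin(session, adminEmailsRaw) {
  const user = session && session.user;
  if (!user) return { ok: false, status: 401, reason: "no session" };

  if (user.accountType === "admin") {
    return { ok: true, status: 200, reason: "accountType" };
  }

  const email = typeof user.email === "string" ? user.email.trim().toLowerCase() : "";
  if (email && parseAdminEmails(adminEmailsRaw).has(email)) {
    return { ok: true, status: 200, reason: "allowlist" };
  }
  return { ok: false, status: 403, reason: "not admin" };
}

// Constructed sample data: a messy allowlist value and four sessions.
const ALLOWLIST = " Ops@Example.com, ,root@example.com";
const samples = [
  ["admin account", { user: { email: "a@example.com", accountType: "admin" } }],
  ["allowlisted, different case", { user: { email: "OPS@example.com" } }],
  ["regular user", { user: { email: "user@example.com", accountType: "user" } }],
  ["no session", null],
];
for (const [label, session] of samples) {
  console.log(label, checkAdmin(session, ALLOWLIST));
}
```

The case to watch is an empty ADMIN_EMAILS: a plain split(",") on "" yields one empty entry, which would match a session with an empty email unless blank entries are filtered out.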