Add Users
This guide covers how to add other users to an existing space, assign them roles, and remove them when needed.
Prerequisites
- You are the space creator (or have write capability on auth/users/{any}).
- You have the new user's user ID (U...). They generate this from their own Ed25519 keypair.
How users get their user ID
Each user generates their own keypair independently. Their user ID is the public key encoded with a U prefix:
import os
from reeeductio.crypto import generate_keypair, to_user_id, to_space_id
private_key, public_key = generate_keypair()
symmetric_root = os.urandom(32) # root for their own private space; the shared space's root is sent to them by the space creator (Step 2)
user_id = to_user_id(public_key) # share this with the space creator
space_id = to_space_id(public_key) # their own space ID (for their private space)
print('My user ID:', user_id)
Adding a user (space creator / admin)
Step 1 — Register the user in the space
Step 2 — Share the symmetric root
The symmetric_root is the shared secret that unlocks encryption for the space. Send it to the new user over a secure channel (e.g. Signal, an encrypted email, or in-person).
Share the symmetric root securely
Anyone who has the symmetric_root can decrypt all content in the space. Never send it in plaintext over an untrusted channel.
Step 3 — Assign a role (optional but recommended)
Without a role, a newly added user has no capabilities and can't read or write anything. Assign them a role:
# First create the role if it doesn't exist yet
space.create_role('member')
space.grant_capability_to_role('member', 'read-topics', {'op': 'read', 'path': 'topics/{any}'})
space.grant_capability_to_role('member', 'post-topics', {'op': 'create', 'path': 'topics/{any}/messages/{any}'})
# Then assign it
space.assign_role_to_user('U...', 'member')
# Create role and grant capabilities
reeeductio-admin role create member
reeeductio-admin role grant member --cap-id read-topics --op read --path "topics/{any}"
reeeductio-admin role grant member --cap-id post-topics --op create --path "topics/{any}/messages/{any}"
# Assign to user
reeeductio-admin user assign-role U... --role member
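The member role above is deliberately narrow: read on topics/{any} and create on topics/{any}/messages/{any}, and nothing on auth/users/{any}. The Python below is an example added to this guide, not reeeductio's own authorization code; it is a small stand-in model of how such path-pattern capabilities resolve, so you can confirm what a role can and cannot do before assigning it. It assumes that {any} matches exactly one path segment, that a user with no role and no direct grant has no capabilities (as stated above), and that removing a user drops their role assignments; the user ID U_example is a constructed placeholder.

```python
# Stand-in model of path-pattern capability checks for this guide.
# NOT reeeductio's own code. Assumption: "{any}" matches exactly one path segment.

from dataclasses import dataclass, field


@dataclass
class Capability:
    cap_id: str
    op: str     # e.g. "read", "create", "write"
    path: str   # pattern such as "topics/{any}/messages/{any}"


def path_matches(pattern, path):
    """True when every segment of path is equal to, or covered by {any} in, pattern."""
    pat = pattern.split("/")
    segs = path.split("/")
    if len(pat) != len(segs):   # a 2-segment pattern never covers a 4-segment path
        return False
    return all(p == "{any}" or p == s for p, s in zip(pat, segs))


@dataclass
class Space:
    roles: dict = field(default_factory=dict)        # role name -> list[Capability]
    user_roles: dict = field(default_factory=dict)   # user id -> set of role names
    direct: dict = field(default_factory=dict)       # user id -> list[Capability] (direct grants)

    def create_role(self, name):
        self.roles.setdefault(name, [])

    def grant_capability_to_role(self, role, cap_id, cap):
        self.roles[role].append(Capability(cap_id, cap["op"], cap["path"]))

    def assign_role_to_user(self, user_id, role):
        self.user_roles.setdefault(user_id, set()).add(role)

    def remove_user(self, user_id):
        # Assumed: removal drops all role assignments and direct grants.
        self.user_roles.pop(user_id, None)
        self.direct.pop(user_id, None)

    def capabilities_for(self, user_id):
        caps = list(self.direct.get(user_id, []))
        for role in self.user_roles.get(user_id, ()):
            caps.extend(self.roles.get(role, []))
        return caps   # empty for an unknown or role-less user: no capabilities at all

    def is_allowed(self, user_id, op, path):
        return any(c.op == op and path_matches(c.path, path)
                   for c in self.capabilities_for(user_id))


def demo():
    """Build the 'member' role from Step 3 and probe what it allows."""
    space = Space()
    space.create_role("member")
    space.grant_capability_to_role("member", "read-topics",
                                   {"op": "read", "path": "topics/{any}"})
    space.grant_capability_to_role("member", "post-topics",
                                   {"op": "create", "path": "topics/{any}/messages/{any}"})
    space.assign_role_to_user("U_example", "member")   # constructed placeholder user id
    results = {
        "read_topic": space.is_allowed("U_example", "read", "topics/general"),
        "post_message": space.is_allowed("U_example", "create", "topics/general/messages/m1"),
        "add_user": space.is_allowed("U_example", "write", "auth/users/U_other"),
        "read_nested": space.is_allowed("U_example", "read", "topics/general/messages/m1"),
    }
    space.remove_user("U_example")
    results["after_removal"] = space.is_allowed("U_example", "read", "topics/general")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The checks worth reading off are the negative ones: a member cannot write under auth/users/{any} (so cannot add users), and the read-topics pattern does not reach into messages, since {any} here covers a single segment. If the real matcher treats {any} as multi-segment, the second of these changes, which is exactly why you verify the semantics against the Manage Permissions page before relying on a pattern for least privilege.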
The new user connects
Once added, the new user connects using the space ID and the shared symmetric_root, plus their own keypair:
Removing a user
Removing a user revokes their authorization state. They will no longer be able to authenticate with the server.
Encryption keys
Removing a user does not rotate the symmetric_root. They still have the copy you gave them. If you need to ensure a removed user cannot decrypt future messages, rotate the space's encryption keys by creating a new space and migrating members.
Granting direct capabilities (without a role)
For one-off permissions, you can grant a capability directly to a user:
Related
- Manage Permissions — in-depth roles and capabilities
- Tool Accounts — add bots and service accounts
- Access Control — concept overview