# First admin account
ExchangePro does not ship a built-in admin@admin.com password. You create the first administrator during setup.
> **Security — first signup becomes admin**
>
> While no admin user exists, the next person who completes public registration (`/signup`) is automatically assigned `role = admin` and gains full control of the site (settings, users, funds workflow, HTML/CSS in CMS fields).
>
> Anyone who signs up before you on a publicly reachable site becomes administrator. This is intentional for easy bootstrap, but you must treat open registration as a security risk until you have claimed admin.
## Two ways to get your first admin

| Method | When to use |
|---|---|
| Demo seeder | Local install, CodeCanyon preview (`php artisan db:seed`) |
| Production signup | Live site: you register first at `/signup` |
## Production bootstrap (signup)

Recommended order before going live:

- Finish backend and frontend install.
- Set `SEED_DEMO_ACCOUNTS=false` on production (do not leave demo passwords).
- Register yourself at `/signup` before sharing the site URL publicly.
- Confirm you land on `/admin`.
- Admin → Settings → System → turn User registration off if you do not want public signups.
- Add other admins only via Users if needed.
## Bootstrap flow

- Complete backend and frontend installation.
- Open the signup page:

  ```text
  https://yourdomain.com/signup
  ```

- Register with your real admin email and a strong password.
- If email verification is disabled in admin settings (default off until configured), you are signed in immediately.
- You are redirected to `/admin` because your account has `role = admin`.
## How it works (backend)

On `POST /api/auth/signup`, the API checks:

```php
// No admin in the users table yet? Then this signup is the bootstrap admin.
$isFirstAdmin = ! User::where('role', 'admin')->exists();
// ...
'role' => $isFirstAdmin ? 'admin' : 'user',
```

The first account receives `role = admin`. All later signups receive `role = user` unless changed in admin.
## Email verification

If System → Email verification is enabled:

- Signup returns `needsVerification: true`.
- The user receives a 6-digit code by email.
- Complete verification in the signup flow before accessing the dashboard.

Configure SMTP first (see Mail configuration).
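Added illustration, not ExchangePro's own PHP: a Python model of the signup rule from "How it works (backend)" combined with the verification step above, so the two decisions (who gets `admin`, when `needsVerification` is returned) can be exercised together. The `AuthService` class, its in-memory store, the 10-minute code lifetime and the 5-guess cap are assumptions made for this example.

```python
# Constructed model of the documented signup behaviour; not ExchangePro's PHP code.
# AuthService, its in-memory store, the 10-minute code lifetime and the 5-guess cap are assumptions.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

@dataclass
class Account:
    email: str
    role: str                 # 'admin' or 'user', fixed when the account is created
    verified: bool = True
    code_hash: str = ""       # hash of the 6-digit code; the plain code is only emailed
    code_expires: float = 0.0
    attempts_left: int = 5    # a 6-digit code has only 1e6 values, so guesses must be capped

class AuthService:
    def __init__(self, registration_enabled=True, email_verification=False):
        self.users = {}                                   # email -> Account
        self.registration_enabled = registration_enabled  # Settings -> System -> User registration
        self.email_verification = email_verification      # Settings -> System -> Email verification
        self.outbox = []                                  # (email, code) pairs "sent" by mail

    def admin_exists(self):
        return any(u.role == "admin" for u in self.users.values())

    def signup(self, email):
        # POST /signup: while no admin exists, this registration wins the admin role.
        if not self.registration_enabled:
            return {"error": "registration disabled"}
        role = "admin" if not self.admin_exists() else "user"
        acct = Account(email, role, verified=not self.email_verification)
        if self.email_verification:
            code = f"{secrets.randbelow(10**6):06d}"
            acct.code_hash = hashlib.sha256(code.encode()).hexdigest()
            acct.code_expires = time.time() + 600
            self.outbox.append((email, code))
        self.users[email] = acct
        return {"role": role, "needsVerification": not acct.verified}

    def verify(self, email, code):
        # Consume one guess; succeed only on a matching, unexpired code.
        acct = self.users.get(email)
        if acct is None or acct.verified or acct.attempts_left <= 0 or time.time() > acct.code_expires:
            return False
        acct.attempts_left -= 1
        guess = hashlib.sha256(code.encode()).hexdigest()
        if hmac.compare_digest(guess, acct.code_hash):
            acct.verified = True
        return acct.verified
```

Running it with two signups shows the first gets `admin` and the second `user`; with verification enabled, the account still exists (and keeps its role) until the emailed code is entered, which is why the code must expire and guesses must be capped.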
## Creating additional admins

- Sign in as admin → Users (`/admin/users`).
- Create a user and set role to admin, or edit an existing user.
- Optional: a credentials email is sent when creating users from admin.
## Security recommendations

| Practice | Why |
|---|---|
| Register admin before announcing the site | First public signup wins admin if none exists |
| Disable public registration after you have admin | Stops strangers from signing up at all |
| Remove or protect `/signup` while testing on a public URL | Staging servers on the internet are discoverable |
| Use strong passwords | Admin = full platform control |
| Enable email verification | Slows automated abuse (does not replace locking registration) |
| Use HTTPS | Protects session cookies |
| Do not use demo seeded passwords on production | `admin@example.com` / `password` are public in docs |
## If someone else became admin first

- Sign in with that account if it is yours (typo during testing), or
- From the database (or a trusted developer), set your user's `role` to `admin` and demote the other account, or
- On a fresh install only: reset the DB and register again before the site is public.
Prevention is easier than recovery — register first, then disable registration.
## Disable public registration

Admin → Settings → System configuration

Toggle User registration off when you only want admins to create accounts manually.
## Demo accounts (seeder)

After `php artisan migrate` and `php artisan db:seed` (with `SEED_DEMO_ACCOUNTS=true`):

| Role | Email | Password | URL after login |
|---|---|---|---|
| Admin | admin@example.com | password | /admin |
| Customer | customer@example.com | password | /dashboard |
Sign in at `{FRONTEND_URL}/signin`. Copy-paste text for your CodeCanyon listing: `backend/DEMO_CREDENTIALS.txt`.

Re-running `db:seed` resets these accounts' passwords to `password`.
For your live preview (exchangepro.xorinlab.com), paste the same credentials in the item description and change them on the server if needed.
## Troubleshooting

| Issue | Solution |
|---|---|
| Signed up but sent to `/dashboard`, not `/admin` | An admin already exists; use admin user management |
| Cannot sign in after signup | Check email verification / SMTP |
| 403 on admin API | See Troubleshooting → Admin API |