Separating Admin Auth
Use __admins to isolate dashboard access from your application's user accounts.
By default, the Admin UI logs in using the first collection with auth: true. This is fine for simple setups, but it means your frontend users (customers, members, subscribers) could potentially access the dashboard.
The __admins collection solves this by giving the dashboard its own dedicated login that is completely independent of your application's auth.
Define the __admins collection
Use the reserved slug __admins — a slug Dyrected treats specially, wiring it up as the dashboard's login — with auth: true:
const admins = defineCollection({
slug: '__admins',
auth: true,
fields: [
{ name: 'name', label: 'Name', type: 'text' },
{ name: 'roles', label: 'Roles', type: 'multiSelect', options: ['admin', 'editor'] },
],
})Once __admins exists, the Admin UI uses it as the sole login gateway. No other auth collection is considered for dashboard access, regardless of what other auth: true collections you have.
Your application auth stays the same
Collections like customers or members continue to use auth: true with their own independent login endpoints and session tokens — they just don't power the dashboard.
// Login as a customer — completely independent of admin sessions
const { token } = await client.collection('customers').login(email, password)Why this matters
| Benefit | Detail |
|---|---|
| Security isolation | A compromised frontend user account grants zero access to the dashboard. |
| Clean data | Admin/staff users don't appear in customer lists or affect statistics. |
| Independent sessions | A user can be simultaneously logged in as an admin and as a customer in the same browser. |
Admin UI auth priority
When the Admin UI loads, it resolves the login collection in this order:
- Look for a collection with slug
__admins. - If found, use it as the sole login gateway.
- If not found, fall back to the first collection with
auth: true.
Migrating from a users collection
If you currently use a users (or similarly named) collection for admin access, rename the database table before restarting:
SQLite / PostgreSQL / MySQL:
ALTER TABLE collection_users RENAME TO collection___admins;Then update your config:
Only the slug changes — your fields and the rest of the config stay exactly as they were:
// Before
const admins = defineCollection({ slug: 'users', auth: true, fields: yourFields })
// After
const admins = defineCollection({ slug: '__admins', auth: true, fields: yourFields })Restart your server. The Admin UI will authenticate against the existing records in collection___admins.
If you restart before renaming the table, Dyrected will create a new empty collection___admins table and prompt you to create a first user. Your old data will still exist in collection_users but will be inaccessible to the admin system.