Dyrecteddyrected
Guides

Separating Admin Auth

Use __admins to isolate dashboard access from your application's user accounts.

By default, the Admin UI logs in using the first collection with auth: true. This is fine for simple setups, but it means your frontend users (customers, members, subscribers) could potentially access the dashboard.

The __admins collection solves this by giving the dashboard its own dedicated login that is completely independent of your application's auth.


Define the __admins collection

Use the reserved slug __admins — a slug Dyrected treats specially, wiring it up as the dashboard's login — with auth: true:

const admins = defineCollection({
  slug: '__admins',
  auth: true,
  fields: [
    { name: 'name', label: 'Name', type: 'text' },
    { name: 'roles', label: 'Roles', type: 'multiSelect', options: ['admin', 'editor'] },
  ],
})

Once __admins exists, the Admin UI uses it as the sole login gateway. No other auth collection is considered for dashboard access, regardless of what other auth: true collections you have.


Your application auth stays the same

Collections like customers or members continue to use auth: true with their own independent login endpoints and session tokens — they just don't power the dashboard.

// Login as a customer — completely independent of admin sessions
const { token } = await client.collection('customers').login(email, password)

Why this matters

BenefitDetail
Security isolationA compromised frontend user account grants zero access to the dashboard.
Clean dataAdmin/staff users don't appear in customer lists or affect statistics.
Independent sessionsA user can be simultaneously logged in as an admin and as a customer in the same browser.

Admin UI auth priority

When the Admin UI loads, it resolves the login collection in this order:

  1. Look for a collection with slug __admins.
  2. If found, use it as the sole login gateway.
  3. If not found, fall back to the first collection with auth: true.

Migrating from a users collection

If you currently use a users (or similarly named) collection for admin access, rename the database table before restarting:

SQLite / PostgreSQL / MySQL:

ALTER TABLE collection_users RENAME TO collection___admins;

Then update your config:

Only the slug changes — your fields and the rest of the config stay exactly as they were:

// Before
const admins = defineCollection({ slug: 'users', auth: true, fields: yourFields })

// After
const admins = defineCollection({ slug: '__admins', auth: true, fields: yourFields })

Restart your server. The Admin UI will authenticate against the existing records in collection___admins.

If you restart before renaming the table, Dyrected will create a new empty collection___admins table and prompt you to create a first user. Your old data will still exist in collection_users but will be inaccessible to the admin system.

On this page