feature: automated onboarding + confirmation #341

Closed
opened 2026-04-05 20:56:25 +02:00 by MrUnknownDE · 0 comments

*Originally created by @cs4dev on 10/1/2025*

This PR introduces a flow for creating organizations via a temporary bootstrap admin account:

### Temp Account Creation

A short-lived “admin” account is spun up solely to bootstrap a new organization.

### Authenticate Temp Account

The temp account authenticates via the Client API to obtain an `access_token`.

### Organization Creation

Using the token, the temp account creates the organization (`/api/organizations`).

A raw 32-byte organization key (org key) is generated at this step.

### Invite Real Owner

The temp account sends an invite (`/api/organizations/:id/invite`) to the intended real owner’s email.

### Real Owner Registers

The owner accepts the invite, sets a master password, and generates their RSA keypair (public/private).

### Automated Confirmation + akey Injection

If `invited_by_email` matches the temp account, the invite is auto-confirmed.

The raw org key is encrypted with the owner’s public key.

The encrypted blob is stored as their `akey`.

### Temp Account Leaves

Once ownership is handed over, the temp account is removed from the org (`DELETE /api/organizations/:id`).

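The whole handover described in the PR, from org key generation through auto-confirmation, `akey` injection and removal of the temp account, as an added illustration that is not part of this PR or of Vaultwarden's code. It is written in Go rather than Rust only because Go's standard library provides RSA-OAEP without external crates. Everything in it is an assumption: the `Invite`/`Org` structs and their field names, the `Handover` and `ShouldAutoConfirm` helpers, the `"4."` type prefix (a Bitwarden-style tag for RSA-OAEP blobs, not something this PR states), and the `@example.invalid` addresses, which are constructed sample values. It also goes slightly beyond the page by refusing to auto-confirm until the owner has actually uploaded a public key, and by removing the temp account only after the owner holds a usable `akey`, so the org can never end up with no key holder.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Assumption: the encryption-type prefix attached to the stored akey.
// Bitwarden-style clients use "4." for RSA-OAEP(SHA-1); the PR does not specify this.
const akeyTypePrefix = "4."

// Invite is an illustrative stand-in for a pending org invite (not the project's schema).
type Invite struct {
	Email          string         // invitee: the intended real owner
	InvitedByEmail string         // who issued the invite; the temp account in this flow
	Accepted       bool           // owner has set a master password and registered a keypair
	PublicKey      *rsa.PublicKey // owner's RSA public key, nil until registration completes
}

// Org is a minimal organization record: member email -> that member's akey.
type Org struct {
	Members map[string]string
}

// GenerateOrgKey produces the raw 32-byte organization key created alongside the org.
func GenerateOrgKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptOrgKeyForOwner wraps the raw org key with the owner's public key (RSA-OAEP)
// and returns the "<type>.<base64>" string that is stored as the member's akey.
func EncryptOrgKeyForOwner(pub *rsa.PublicKey, orgKey []byte) (string, error) {
	if len(orgKey) != 32 {
		return "", errors.New("org key must be exactly 32 bytes")
	}
	ct, err := rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, orgKey, nil)
	if err != nil {
		return "", err
	}
	return akeyTypePrefix + base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptAkey is the owner-side counterpart: unwrap the akey with the private key and
// verify the result really is a 32-byte org key before using it.
func DecryptAkey(priv *rsa.PrivateKey, akey string) ([]byte, error) {
	if !strings.HasPrefix(akey, akeyTypePrefix) {
		return nil, fmt.Errorf("unexpected akey type in %q", akey)
	}
	ct, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(akey, akeyTypePrefix))
	if err != nil {
		return nil, err
	}
	key, err := rsa.DecryptOAEP(sha1.New(), nil, priv, ct, nil)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("decrypted org key has the wrong length")
	}
	return key, nil
}

// ShouldAutoConfirm applies the PR's rule (invited_by_email matches the temp account) and
// additionally requires that the invite was accepted and a public key exists to encrypt to.
func ShouldAutoConfirm(inv Invite, tempAccountEmail string) bool {
	return strings.EqualFold(inv.InvitedByEmail, tempAccountEmail) && inv.Accepted && inv.PublicKey != nil
}

// Handover confirms the owner, injects their akey, and only then removes the temp account.
func Handover(org *Org, inv Invite, tempAccountEmail string, orgKey []byte) (string, error) {
	if !ShouldAutoConfirm(inv, tempAccountEmail) {
		return "", errors.New("invite is not eligible for automated confirmation")
	}
	akey, err := EncryptOrgKeyForOwner(inv.PublicKey, orgKey)
	if err != nil {
		return "", err
	}
	org.Members[inv.Email] = akey
	delete(org.Members, tempAccountEmail) // temp account leaves after ownership is handed over
	return akey, nil
}

func main() {
	// Constructed sample run: a temp account bootstraps an org for one real owner.
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	orgKey, _ := GenerateOrgKey()
	temp := "bootstrap@example.invalid"
	org := &Org{Members: map[string]string{temp: "<temp account's own akey>"}}
	inv := Invite{Email: "owner@example.invalid", InvitedByEmail: temp, Accepted: true, PublicKey: &priv.PublicKey}
	akey, err := Handover(org, inv, temp, orgKey)
	fmt.Println(err, len(akey) > 0, org.Members)
}
```

The two extra checks in `ShouldAutoConfirm` are the ones a reviewer would want here: matching `invited_by_email` alone says nothing about whether the owner has finished registering, and encrypting to a missing public key is exactly the failure that would leave an org with an akey nobody can open.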
Reference: github/vaultwarden#341