User Management
The Platform Administration panel provides tools for managing all users across the MCP Hub platform. Platform administrators can view user details, change plans, suspend or activate accounts, assign platform roles, and monitor user activity.
Accessing User Management
Platform administrators access user management at /admin/users in the web dashboard. Admin access is granted to users whose email addresses are listed in the ADMIN_USERS environment variable:
ADMIN_USERS=[email protected],[email protected]
The platform role is automatically assigned when the user logs in and their email matches the list.
User Listing
The user listing page displays all registered users with:
- Email and Name
- Plan: FREE, PRO, or ENTERPRISE (color-coded badge)
- Status: ACTIVE, SUSPENDED, or DELETED (with visual indicator)
- Platform Role: PLATFORM_ADMIN, MODERATOR, or none
- Created Date: When the account was registered
- Actions: Quick links to common operations
Filtering and Search
The listing supports:
- Text search: Search by name or email (case-insensitive).
- Status filter: Show only ACTIVE, SUSPENDED, or DELETED users.
- Plan filter: Show only FREE, PRO, or ENTERPRISE users.
- Role filter: Show only users with specific platform roles.
User Detail View
Clicking on a user opens their detail page (/admin/users/{userId}) with comprehensive information:
Profile Section
- Full name, email address, and avatar
- Auth0 ID (external identity provider reference)
- Account status and plan badges
- Platform role (if assigned)
- Account creation date and last login timestamp
User Statistics
- Total MCPs owned: Public and private MCP count
- Organizations: Number of organizations the user belongs to
- Watchlist items: Number of MCPs being tracked
Activity History
A chronological log of the user’s recent actions, including logins, MCP registrations, and other significant events.
User Actions
Create User
Platform administrators can manually create user accounts, bypassing the normal Auth0 registration flow:
POST /api/v1/admin/users
Required fields: name, email, and initial plan (FREE, PRO, or ENTERPRISE). This is useful for bulk onboarding, testing, and special provisioning scenarios.
Update User Details
Modify a user’s name or email address:
PUT /api/v1/admin/users/{userId}
Common uses include correcting data entry errors and processing email change requests.
Change User Plan
Upgrade or downgrade a user’s subscription plan:
PATCH /api/v1/admin/users/{userId}/plan
Plan changes take effect immediately. When upgrading, the user gains access to the new plan’s features right away. When downgrading, features beyond the new plan’s limits are no longer accessible, but existing data is preserved.
Assign Platform Role
Grant or revoke platform-level roles:
PATCH /api/v1/admin/users/{userId}/role
Available roles:
- PLATFORM_ADMIN: Full platform administration access.
- MODERATOR: Content moderation capabilities.
- null: Remove platform role (reverts to normal user).
Assigning the PLATFORM_ADMIN role grants unrestricted access to all platform data and operations. Use with caution and limit the number of platform administrators.
Blocking and Unblocking Users
Suspending a User
Suspension temporarily disables a user account:
POST /api/v1/admin/users/{userId}/suspend
A reason is required and recorded in the audit log. When suspended:
- The user cannot log in.
- All API tokens are invalidated.
- All user data remains intact.
- The action is fully reversible.
Common reasons for suspension: policy violations, fraudulent activity, security incidents, payment disputes.
Activating a User
Reactivate a suspended account:
POST /api/v1/admin/users/{userId}/activate
When activated:
- The user can log in again.
- API tokens must be regenerated (they were invalidated during suspension).
- All previously owned MCPs and organization memberships are restored.
Deleting a User
Soft-delete a user account:
DELETE /api/v1/admin/users/{userId}
Deletion sets the user status to DELETED. This is a soft delete – all data is preserved for audit and compliance purposes. The user cannot log in. Permanent data removal requires database-level cleanup.
Bulk Actions
For handling multiple accounts simultaneously:
Bulk Suspend:
POST /api/v1/admin/users/bulk/suspend
{
  "user_ids": ["uuid1", "uuid2", "uuid3"],
  "reason": "Policy violation - spam accounts"
}
Bulk Activate:
POST /api/v1/admin/users/bulk/activate
{
  "user_ids": ["uuid1", "uuid2", "uuid3"]
}
Bulk actions are useful for handling spam waves, resolving incidents affecting multiple accounts, and mass reinstatement after false positives.
Viewing User Activity
Platform Audit Log
All administrative actions are recorded in the platform audit log:
GET /api/v1/admin/audit/users/{userId}
This shows all actions performed by or on the user, including:
- user.create – Account creation
- user.update – Profile changes
- user.suspend – Account suspension (with reason)
- user.activate – Account reactivation
- user.delete – Account deletion
- user.plan_update – Plan changes (old and new plan recorded)
- user.role_change – Platform role assignment or revocation
Each audit event includes the administrator who performed the action, a timestamp, and the client IP address.
Investigating User Behavior
For security investigations, combine the user audit log with:
- Organization audit logs: See what the user did within specific organizations.
- Global audit log: Filter by user across all platform events.
- Login history: Check the last login timestamp and frequency.
Security Best Practices
- Minimize platform admins: Only add trusted individuals to ADMIN_USERS. Periodically review the list.
- Document suspension reasons: Always provide clear, specific reasons when suspending accounts for the audit trail.
- Test before bulk actions: Verify a single suspension/activation before applying bulk operations.
- Monitor for anomalies: Regularly review the admin audit log for unexpected actions.
- Use descriptive reasons: When suspending or making changes, the reason field should clearly explain the justification for future reference.
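One way to run the "monitor for anomalies" and "review the list" checks over exported audit events, as an added example that is not MCP Hub's own code. The event field names (action, actor_email, target_email, ip, details), the reason-length threshold and the sample data are assumptions made for illustration; only the event type names come from this page.

```python
# Added example. Field names (action, actor_email, target_email, ip, details)
# are assumptions: the page lists event types, not the event JSON shape.
ADMIN_ACTIONS = {"user.create", "user.update", "user.suspend", "user.activate",
                 "user.delete", "user.plan_update", "user.role_change"}

def parse_admin_users(raw):
    """Normalise an ADMIN_USERS-style value into a set of lowercase emails."""
    return {e.strip().lower() for e in raw.split(",") if e.strip()}

def review(events, admin_users_raw, min_reason_len=15):
    """Return (finding, event) pairs for admin events that merit a second look."""
    admins = parse_admin_users(admin_users_raw)
    findings = []
    for ev in events:
        action, details = ev.get("action"), ev.get("details") or {}
        if action not in ADMIN_ACTIONS:
            continue
        # Admin action by someone who is not on the reviewed allowlist.
        if (ev.get("actor_email") or "").strip().lower() not in admins:
            findings.append(("actor_not_in_ADMIN_USERS", ev))
        # PLATFORM_ADMIN granted through the role endpoint to an unlisted account.
        if action == "user.role_change" and details.get("new_role") == "PLATFORM_ADMIN":
            if (ev.get("target_email") or "").strip().lower() not in admins:
                findings.append(("admin_role_granted_outside_ADMIN_USERS", ev))
        # Suspension whose reason is too short to be useful later
        # (min_reason_len is an arbitrary threshold chosen for this example).
        if action == "user.suspend" and len((details.get("reason") or "").strip()) < min_reason_len:
            findings.append(("vague_suspension_reason", ev))
    return findings

# Constructed sample data, not real platform output.
SAMPLE_ADMIN_USERS = " alice@example.test, Root@Example.test "
SAMPLE_EVENTS = [
    {"action": "user.suspend", "actor_email": "alice@example.test", "target_email": "bob@example.test",
     "ip": "192.0.2.10", "details": {"reason": "Policy violation - spam accounts"}},
    {"action": "user.role_change", "actor_email": "alice@example.test", "target_email": "dave@example.test",
     "ip": "192.0.2.10", "details": {"new_role": "PLATFORM_ADMIN"}},
    {"action": "user.plan_update", "actor_email": "carol@example.test", "target_email": "bob@example.test",
     "ip": "198.51.100.7", "details": {"old_plan": "FREE", "new_plan": "ENTERPRISE"}},
    {"action": "user.suspend", "actor_email": "ROOT@example.test", "target_email": "erin@example.test",
     "ip": "192.0.2.11", "details": {"reason": "spam"}},
]

if __name__ == "__main__":
    for name, ev in review(SAMPLE_EVENTS, SAMPLE_ADMIN_USERS):
        print(name, ev["action"], ev["actor_email"], "->", ev["target_email"], ev["ip"])
```

A finding is a prompt for review, not proof of misuse: an account granted PLATFORM_ADMIN through the role endpoint can legitimately act without appearing in ADMIN_USERS, which is exactly the drift a periodic review should surface.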