Operational runbooks for SyntrixOne platform owners and workspace admins.
How the platform protects every workspace.
CLOSED_BETA_INVITE_CODE env var.
The invite code lives in the CLOSED_BETA_INVITE_CODE env var. POST /api/workspaces validates the code at creation time.
Rotate the code at any time by updating the env var — old codes immediately become invalid. Coordinate the rotation with sales so existing invites are honoured.
Required before any write.
Every account is created with `emailVerified=false`. The user must click the verification link before any write API will accept them.
Verification emails: 10 per email per day, 50 per IP per day, 60s cooldown between consecutive requests.
The current block list.
Blocked at registration: mailinator.com, guerrillamail.com (+ .info), sharklasers.com, tempmail.com, 10minutemail.com, yopmail.com, trashmail.com, throwawaymail.com, getairmail.com, dispostable.com, mintemail.com, maildrop.cc, tempr.email, fakeinbox.com.
POST /api/auth/register rejects these with HTTP 400 `disposable_email` BEFORE the rate-limit counter is incremented (so a flurry of disposable attempts does not lock out legitimate signups from the same IP).
enforceApprovalGate runs before trial gate.
Server-side: every POST/PATCH/PUT/DELETE on workspace-scoped routes runs through enforceApprovalGate. Non-approved workspaces return HTTP 403 with one of `workspace_pending_approval`, `workspace_rejected`, or `workspace_suspended`.
Bypass list: auth/*, billing/*, account*, profile, admin/*, platform/*, workspaces, webhooks/*, cron/*, health, demo-request, support*, pending-approval*.
Platform owners bypass the gate by design.
enforceTrialGate after approval.
After the approval gate, enforceTrialGate runs. For approved workspaces whose subscription has expired (`trialEndsAt < now` and not `active`), every write returns HTTP 402 `trial_expired`.
Reads continue to work. The TrialBanner on the dashboard layout soft-redirects users to /trial-expired.
Time-based one-time passwords.
Workspace owners can enable TOTP MFA from /dashboard/settings/security. 8 backup recovery codes are issued at setup; tell users to store them securely.
Platform owners should set up MFA on day one.
What is recorded.
Sensitive admin actions are appended to the audit log: workspace approval changes, role changes, MFA toggles, billing events, login/logout.
Owners can view the audit log from /dashboard/settings (audit-log tab). Platform owners have a global view across all workspaces.
Reach the SyntrixOne platform team or browse the user-facing Help Center.
