---
title: User Management
type: guide
summary: Create and manage administrator accounts for your Distats Panel.
related:
  - /docs/getting-started
  - /docs/cli-reference
---

# User Management

## Overview [#overview]

All panel administrator accounts are stored **locally** in a SQLite database at `@distats_panel/database.sqlite`. There is no external database, no MongoDB, no cloud service.

## Creating an admin user [#creating-an-admin-user]

Use the Distats CLI to create a new administrator account:

```bash
npx distats-cli@latest create-user
```

The CLI will prompt you for:

1. **Username** — the login name for the account
2. **Password** — a secure password (stored as a hashed value, never in plain text)

## What happens under the hood [#what-happens-under-the-hood]

* The CLI reads your `@distats_panel/database.sqlite` database
* The password is hashed using **Node.js `crypto.scrypt`** with a randomly generated salt
* The resulting `{ username, hash, salt }` record is inserted into the `users` table
* You can then log in at `http://localhost:3000` with those credentials

## Password security [#password-security]

Distats Panel uses **scrypt** for password hashing, the memory-hard key derivation function built into Node.js. Because each guess costs a fixed amount of memory as well as CPU time, large-scale GPU or ASIC cracking is far more expensive than against a plain hash or PBKDF2.

| Property     | Value                                                |
| ------------ | ---------------------------------------------------- |
| Algorithm    | `crypto.scrypt` (Node.js built-in)                   |
| Salt         | Randomly generated per user (128-bit)                |
| Storage      | Hash + salt stored in SQLite                         |
| Verification | Timing-safe comparison with `crypto.timingSafeEqual` |

The per-user random salt defeats precomputed (rainbow-table) attacks, and scrypt's memory-hard cost slows brute-force guessing. It does not rescue a weak password: choose a long, unique passphrase for every administrator account.

## Session management [#session-management]

Once a user logs in:

* A **JWT** is created and signed using the `session_secret` from your config
* The JWT is stored in an **HTTP-only**, encrypted cookie named `distats_session`
* The cookie is automatically validated on every request by the Next.js middleware
* When the session expires or is missing, the user is redirected to the login page

<Callout emoji="💡">
  HTTP-only cookies cannot be read by JavaScript running in the browser, so an XSS payload cannot exfiltrate the session token. It can still make requests that the browser sends with the cookie attached, so XSS in the panel must still be prevented rather than relied on the flag to contain.
</Callout>

## Logging out [#logging-out]

Clicking the **Logout** button in the dashboard clears the `distats_session` cookie and redirects to the login page.

## Managing users via the Admin panel [#managing-users-via-the-admin-panel]

The dashboard includes an **Admin → Users** page where you can view all administrator accounts registered in your local SQLite database. Future CLI versions may support deleting or updating accounts directly.
