Platform Admin
Understand the internal cross-tenant admin console for Bilbis operators.
What this means
Platform Admin is the internal operator console for the whole Bilbis platform. It is separate from normal organization settings.
Use it only for cross-tenant support, billing operations, account investigation, or emergency access control. Normal organization admins should use the organization pages, not Platform Admin.
Before you start
You need a user account with the Platform admin flag.
If your account is not a platform admin, the admin console redirects you back to the normal organization area. The console does not show a partial read-only view to non-admin users.
Areas in Platform Admin
| Area | What it shows | Common use |
|---|---|---|
| Overview | Cross-tenant totals, plan breakdown, and the Encryption panel (vault health + DEK rotation). | Check platform-level activity, plan distribution, and master-key rollout status. |
| Organizations | All tenant organizations with search and status filters. | Find an org, inspect billing/support state, suspend or reactivate access. |
| Users | Cross-tenant user directory with search and detail dialogs. | Find a user, check memberships, review account state, manage platform-admin access. |
Overview
The Overview page shows platform-wide metrics:
| Metric | What it means |
|---|---|
| Total orgs | All organizations on the platform. |
| Active orgs | Organizations not currently suspended. |
| Active users | Users counted in the admin metrics response. |
| Pipelines MTD | Pipelines run month to date. |
| Plan breakdown | Organization count by Trial, Starter, Team, Business, and Enterprise. |
Use these numbers as operational signals, not customer-facing analytics.
Encryption
The Overview page also shows an Encryption panel that summarizes the platform's vault health and how DEKs are distributed across master-key versions.
Status banner
| State | What it means |
|---|---|
| Vault healthy | Every configured master key (MASTER_KEY_V* Wrangler secret) loaded cleanly. New DEKs wrap under the listed current version. |
| Vault unavailable | At least one configured master key failed to load (wrong length, invalid base64url, AES-KW import error). Pipeline writes that touch the vault return 503 vault_unavailable until the secret is fixed. The banner names the underlying error. |
If the banner is red, check the named secret in Wrangler before any tenant work resumes. Pipelines that need encryption will fail until it's healthy again.
Master keys
The panel lists every configured master-key version (for example mk_v1, mk_v2) with the current version flagged. Each row shows a 16-character fingerprint - a SHA-256 prefix of the raw secret. Click the fingerprint pill to copy it.
Use fingerprints to confirm rollouts:
- Compare the fingerprint shown in the admin console against what's stored in your password manager (1Password, etc.).
- Compare across environments to confirm staging and production share or differ on a master-key version intentionally.
The fingerprint never exposes the key itself - it's a stable identifier only.
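One way to check a MASTER_KEY_V* value for the failure causes named in the status banner and to derive a fingerprint for comparison with the console. This is an added example, not Bilbis code: the function names are hypothetical, and the fingerprint recipe (first 16 hex characters of SHA-256 over the decoded key bytes) is an assumption about how the console derives its value.

```javascript
// Added example, not Bilbis code: pre-flight check for a MASTER_KEY_V* value.
const { createHash } = require('node:crypto');

const AES_KEY_BYTES = [16, 24, 32]; // the only key sizes AES-KW accepts

// Strict base64url decode. Buffer.from() silently skips bad characters,
// so the alphabet and length are validated first.
function decodeBase64url(text) {
  if (!/^[A-Za-z0-9_-]+={0,2}$/.test(text)) throw new Error('invalid base64url');
  const body = text.replace(/=+$/, '');
  if (body.length % 4 === 1) throw new Error('invalid base64url');
  return Buffer.from(body, 'base64url');
}

// ASSUMPTION: fingerprint = first 16 hex characters of SHA-256 over the
// decoded key bytes. Adjust if the console hashes a different encoding.
function fingerprint(keyBytes) {
  return createHash('sha256').update(keyBytes).digest('hex').slice(0, 16);
}

// Returns { name, ok, error?, fingerprint?, matches? } and never echoes the key.
function checkMasterKey(name, value, expectedFingerprint) {
  if (!value) return { name, ok: false, error: 'missing secret' };
  let keyBytes;
  try {
    keyBytes = decodeBase64url(value);
  } catch (err) {
    return { name, ok: false, error: err.message };
  }
  if (!AES_KEY_BYTES.includes(keyBytes.length)) {
    return { name, ok: false, error: `wrong length: ${keyBytes.length} bytes` };
  }
  const fp = fingerprint(keyBytes);
  const matches = expectedFingerprint ? fp === expectedFingerprint.toLowerCase() : undefined;
  return { name, ok: true, fingerprint: fp, matches };
}

// Constructed sample values (not real keys).
const SAMPLE_GOOD = Buffer.alloc(32, 7).toString('base64url');
const SAMPLE_SHORT = Buffer.alloc(20, 7).toString('base64url');
const SAMPLE_NEWLINE = SAMPLE_GOOD + '\n'; // trailing newline from a paste

for (const [name, value] of [
  ['MASTER_KEY_V1', SAMPLE_GOOD], ['MASTER_KEY_V2', SAMPLE_SHORT],
  ['MASTER_KEY_V3', SAMPLE_NEWLINE], ['MASTER_KEY_V4', undefined],
]) {
  console.log(checkMasterKey(name, value));
}
```

The value is deliberately not trimmed, so a stray newline copied from a password manager is reported instead of being silently accepted.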
DEK rotation
Each tenant organization has a per-tenant data-encryption key (DEK) wrapped by one master-key version. The chart shows how many organizations currently sit on each master-key version, with a percentage headline like 92% on mk_v2.
Use the chart to track rotation progress:
- After a new master key is added, you typically run a backfill that re-wraps each org's DEK under the new version.
- Rotation is complete when 100% of organizations sit on the current master-key version.
- A non-zero count on a non-current version means the backfill hasn't finished or some orgs were skipped.
The chart updates as DEKs are re-wrapped. The Refresh button forces a fresh server-side probe.
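What a re-wrap backfill does to each org's DEK, and how the chart's counts and headline follow from it. This is an added example, not Bilbis's backfill job: the row shape, the function names and the use of Node's `id-aes256-wrap` cipher for AES-KW are assumptions.

```javascript
// Added example, not Bilbis code: DEK re-wrap backfill plus the chart numbers.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');
const KW_IV = Buffer.from('A6A6A6A6A6A6A6A6', 'hex'); // RFC 3394 default IV

function wrapDek(masterKey, dek) {
  const c = createCipheriv('id-aes256-wrap', masterKey, KW_IV);
  return Buffer.concat([c.update(dek), c.final()]);
}
// Throws if the blob was altered or was not wrapped under masterKey.
function unwrapDek(masterKey, wrapped) {
  const d = createDecipheriv('id-aes256-wrap', masterKey, KW_IV);
  return Buffer.concat([d.update(wrapped), d.final()]);
}

// rows: [{ orgId, mkVersion, wrappedDek }] is a hypothetical record shape.
// Re-wraps every DEK not on `current` and returns the orgs it had to skip.
function backfill(rows, masterKeys, current) {
  const skipped = [];
  for (const row of rows) {
    if (row.mkVersion === current) continue;
    try {
      const oldKey = masterKeys[row.mkVersion];
      if (!oldKey) throw new Error(`master key ${row.mkVersion} not loaded`);
      const rewrapped = wrapDek(masterKeys[current], unwrapDek(oldKey, row.wrappedDek));
      Object.assign(row, { wrappedDek: rewrapped, mkVersion: current });
    } catch (err) {
      skipped.push({ orgId: row.orgId, reason: err.message });
    }
  }
  return skipped;
}

// Same numbers as the chart: org count per version plus the headline.
function rotationStatus(rows, current) {
  const counts = {};
  for (const r of rows) counts[r.mkVersion] = (counts[r.mkVersion] || 0) + 1;
  const onCurrent = counts[current] || 0;
  const headline = `${Math.round((100 * onCurrent) / rows.length)}% on ${current}`;
  return { counts, headline, complete: onCurrent === rows.length };
}

// Constructed demo: org_0 is already on mk_v2, org_2 has a damaged blob.
function demo() {
  const keys = { mk_v1: randomBytes(32), mk_v2: randomBytes(32) };
  const rows = ['mk_v2', 'mk_v1', 'mk_v1', 'mk_v1'].map((mkVersion, i) => (
    { orgId: `org_${i}`, mkVersion, wrappedDek: wrapDek(keys[mkVersion], randomBytes(32)) }));
  rows[2].wrappedDek[0] ^= 0xff; // damage org_2's wrapped DEK
  const skipped = backfill(rows, keys, 'mk_v2');
  return { keys, rows, skipped, status: rotationStatus(rows, 'mk_v2') };
}
```

A row's version label changes only after the new wrap succeeds, so a skipped org stays counted on its old master key and remains visible as a non-zero bar on a non-current version.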
When to look at this panel
- After adding or rotating a master key.
- After a vault-related deploy.
- When tenant-side encryption errors spike.
- During scheduled key-rotation reviews.
For day-to-day support, the panel is informational. The status banner is the only signal that needs immediate operator attention.
Organizations list
The Organizations page lists every tenant on the platform.
You can:
- Filter by All, Active, or Suspended.
- Search by organization name, slug, or id.
- See plan, status, member count, month-to-date pipeline count, and last pipeline activity.
- Open an organization detail page.
Organization detail
The organization detail page shows:
| Section | What it includes |
|---|---|
| Header | Organization name, slug, id, plan, status, and operator actions. |
| Billing | Subscription status, billing interval, trial end, current period end, Stripe customer id, and created date. |
| Members | Users in the organization, role, membership status, and last login. |
| Recent pipelines | Recent pipeline ids, state, cost, and created time. |
| Recent Stripe events | Stripe webhook event type, id, and received time. |
Override plan
Use Override plan to force-set an organization's plan to Trial, Starter, Team, Business, or Enterprise.
This bypasses Stripe. Use it only for cases such as:
- comp accounts,
- sales-led trials,
- customer support corrections,
- emergency rollbacks.
The optional reason is recorded in the audit log.
Suspend or reactivate an organization
Use Suspend when an organization must be blocked from write actions.
Suspension blocks writes such as:
- new pipelines,
- member changes,
- credential changes.
Users can still authenticate and pay outstanding invoices. Use Reactivate to restore full write access. The optional reason is recorded in the audit log.
Users list
The Users page is a cross-tenant directory.
You can:
- Search by email or display name.
- See user memberships.
- See whether the user is active, email verified, or enrolled in two-factor authentication.
- See last login time.
- Open the user detail dialog.
User detail
The user detail dialog shows:
| Section | What it includes |
|---|---|
| Identity | Display name, email or username, user id, created date, and last login. |
| Account state | Active or deactivated, email verification, and two-factor status. |
| Memberships | Organizations the user belongs to, role, org slug, and revoked state. |
| Platform admin | Whether the user has cross-tenant operator access. |
Platform-admin actions
| Action | What it does | Risk |
|---|---|---|
| Grant platform admin | Gives a user access to the cross-tenant admin console. | High. Grants broad operator power. |
| Revoke platform admin | Removes cross-tenant admin access. | Medium. Can lock out an operator if done by mistake. |
| Delete user | Hard-deletes a user and cascades through memberships, sessions, and audit-trail links. | Very high. Refused if the user owns BYOK credentials. |
Use delete only when policy requires it and support has confirmed the target user. Prefer deactivation or organization-level removal when the normal app supports the case.
Problems and fixes
| Problem | What to check |
|---|---|
| You cannot open Platform Admin | Confirm your account has the platform-admin flag. Non-admins are redirected to the normal app. |
| Encryption banner is red | Read the named error and check the corresponding MASTER_KEY_V* Wrangler secret. Common causes: wrong byte length, invalid base64url, missing secret. |
| Vault fingerprint differs from your password manager | Either the secret in Wrangler differs from the value stored externally, or someone rotated one without updating the other. Reconcile before rolling forward. |
| DEK rotation chart shows orgs on an old master key after backfill | Backfill didn't cover those orgs. Re-run rotation and check the worker logs for each skipped org id. |
| Organization search returns nothing | Search by name, slug, or id. Clear status filters if needed. |
| You cannot override a plan | Check platform-admin access and whether the request failed server validation. |
| An org should still be able to pay while suspended | This is expected. Suspension blocks writes but still lets users authenticate and pay invoices. |
| User deletion fails | The user may own BYOK credentials or another backend constraint may block deletion. Review the error before retrying. |