Admin Plugin

User management, banning, impersonation, and admin controls

Enable platform admin capabilities - ban users, manage sessions, impersonate accounts for debugging, and perform user management operations.

This page is part of the Authentication documentation.

The admin plugin extends Better Auth with user management features for administrators. Admin users can ban/unban users, revoke sessions, and impersonate user accounts for debugging support issues. The plugin integrates with the kit's admin panel UI. This plugin is separate from organization-level roles - it's for platform-wide admin operations.

The admin plugin provides platform-level user management capabilities (banning, impersonation, session control) for users whose role is included in the configured admin role set, distinct from organization-level permissions.

  • Use the admin plugin when: you need to manage users at the platform level - banning abusive users, debugging user issues via impersonation, or revoking compromised sessions.
  • Don't confuse with organization admins: Organization admins manage their team's members. Platform admins manage all users on the platform.

Features

Feature             Description
User banning        Disable user accounts, preventing sign-in
Session revocation  Force sign-out across all devices
Impersonation       Sign in as another user for debugging
User listing        View and search all platform users
Role management     Assign platform admin roles to users

Admin Panel

The admin panel is available at /admin for users with an allowed admin role. It provides a UI for all admin operations.

For complete admin panel documentation, including setup and customization, see the Admin Overview.

Impersonation

Impersonation lets admins sign in as another user to debug issues that user is experiencing. The admin's own session is preserved: exiting impersonation returns them to their admin account. While impersonating, the admin acts with exactly the target user's privileges, and the impersonation session is time-limited (Better Auth's default is one hour).

// Start impersonation: creates a session for the target user that records the
// acting admin's id (impersonatedBy), so the action is attributable.
await authClient.admin.impersonateUser({
  userId: 'user-to-impersonate',
});
// Exit impersonation (return to admin account). The Better Auth client method
// is stopImpersonating.
await authClient.admin.stopImpersonating();

User Banning

Banned users cannot sign in, and their existing sessions are revoked at the moment of banning. A ban is permanent unless an expiry is given (banExpiresIn, in seconds); once the expiry has passed the ban no longer blocks sign-in.

// Ban a user (permanent; add banExpiresIn, in seconds, for a temporary ban).
// The Better Auth field for the reason is banReason; it is stored on the user record.
await authClient.admin.banUser({
  userId: 'user-to-ban',
  banReason: 'Terms of service violation',
});
// Unban a user
await authClient.admin.unbanUser({
  userId: 'user-to-unban',
});
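To make the ban lifecycle and the audit trail concrete, here is an added example that is not the plugin's or the kit's code: an in-memory model of banning, ban expiry, session revocation, impersonation and the audit records the page says the kit keeps. The user fields banned/banReason/banExpires and the session field impersonatedBy mirror the columns the Better Auth admin plugin adds; the AdminService class, the AuditEvent shape and the injectable clock are this example's own assumptions.

```typescript
// Added example (not the plugin's or the kit's code): in-memory ban lifecycle
// with session revocation, ban expiry, impersonation and an audit trail.
// Field names mirror the plugin's schema; the class and event shape are assumed.

type User = { id: string; banned: boolean; banReason?: string; banExpires?: Date };
type Sess = { id: string; userId: string; impersonatedBy?: string };
type AuditAction = "ban" | "unban" | "impersonate.start" | "impersonate.stop";
type AuditEvent = { at: Date; actor: string; action: AuditAction; target: string; detail: string };

class AdminService {
  users = new Map<string, User>();
  sessions = new Map<string, Sess>();
  audit: AuditEvent[] = [];
  private readonly now: () => Date;
  private seq = 0;

  // The clock is injectable so ban expiry can be exercised deterministically.
  constructor(now: () => Date = () => new Date()) {
    this.now = now;
  }

  private log(actor: string, action: AuditAction, target: string, detail: string): void {
    this.audit.push({ at: this.now(), actor, action, target, detail });
  }

  // Ban a user. banExpiresIn is in seconds; omitted means a permanent ban.
  // Returns the number of live sessions revoked.
  banUser(actor: string, userId: string, banReason: string, banExpiresIn?: number): number {
    const u = this.users.get(userId);
    if (!u) throw new Error(`unknown user ${userId}`);
    u.banned = true;
    u.banReason = banReason;
    u.banExpires = banExpiresIn === undefined
      ? undefined
      : new Date(this.now().getTime() + banExpiresIn * 1000);
    // A ban must also revoke existing sessions; otherwise the user keeps access
    // until those sessions expire on their own.
    const live: string[] = [];
    this.sessions.forEach((s, sid) => { if (s.userId === userId) live.push(sid); });
    live.forEach((sid) => this.sessions.delete(sid));
    this.log(actor, "ban", userId, `${banReason}; revoked ${live.length} session(s)`);
    return live.length;
  }

  unbanUser(actor: string, userId: string): void {
    const u = this.users.get(userId);
    if (!u) throw new Error(`unknown user ${userId}`);
    u.banned = false;
    u.banReason = undefined;
    u.banExpires = undefined;
    this.log(actor, "unban", userId, "manual unban");
  }

  // Sign-in gate. A temporary ban whose expiry has passed no longer blocks
  // sign-in (the real plugin can clear the flag at that point; this model only reads it).
  canSignIn(userId: string): { ok: boolean; reason?: string } {
    const u = this.users.get(userId);
    if (!u) return { ok: false, reason: "unknown user" };
    if (!u.banned) return { ok: true };
    if (u.banExpires && u.banExpires.getTime() <= this.now().getTime()) return { ok: true };
    return { ok: false, reason: u.banReason ?? "banned" };
  }

  // Start impersonation: a new session for the target, tagged with the admin who
  // created it so the audit log and the UI banner can show who is acting.
  impersonate(adminId: string, targetId: string): Sess {
    if (!this.users.has(targetId)) throw new Error(`unknown user ${targetId}`);
    const s: Sess = { id: `sess-${++this.seq}`, userId: targetId, impersonatedBy: adminId };
    this.sessions.set(s.id, s);
    this.log(adminId, "impersonate.start", targetId, `session ${s.id}`);
    return s;
  }

  stopImpersonating(sessionId: string): void {
    const s = this.sessions.get(sessionId);
    if (!s || !s.impersonatedBy) throw new Error("not an impersonation session");
    this.sessions.delete(sessionId);
    this.log(s.impersonatedBy, "impersonate.stop", s.userId, `session ${sessionId}`);
  }
}
```

Every audit record carries the acting admin, the target and a timestamp, which is what makes a later "who impersonated this account and when" question answerable; the revocation count in the ban record also tells support how many devices were signed out.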

Common Pitfalls

  • Impersonating without logging: Always log who impersonated whom, and when, for audit. The kit logs these events by default.
  • Banning without a reason: Always pass banReason so customer support has context for the ban.
  • Forgetting to exit impersonation: The UI shows a banner during impersonation - don't ignore it, and remember that the session is acting with the target user's privileges until you exit.
  • Confusing platform admin with org admin: Platform admin is app-wide. Organization admin is team-scoped.
  • No backup admin account: Keep at least two admin-capable accounts so that a lockout or compromise of one does not leave the platform without an admin.

Frequently Asked Questions

How do I become an admin?
Seed an admin user with pnpm seed, or update a user's role to one of the configured admin roles and have them sign back in.
Are admin actions logged?
Yes. Impersonation, banning, and session revocation are logged with timestamps and the admin who performed the action.
Can I customize the admin panel UI?
Yes. The admin panel components are in packages/admin/src/components/. They use standard React components.
Is the admin API protected?
Yes. Admin endpoints require a session whose user holds an allowed admin role; any other caller receives a 403 Forbidden response.
Can organization admins use these features?
No. Organization admins can only manage their organization members. Platform admin features are app-wide only.

Next: Database Configuration →