Admin Plugin

User management, banning, impersonation, and admin controls

Enable super admin capabilities - ban users, manage sessions, impersonate accounts for debugging, and perform user management operations.

This page is part of the Authentication documentation.

The admin plugin extends Better Auth with user management features for administrators. Super admins can ban/unban users, revoke sessions, and impersonate user accounts for debugging support issues. The plugin integrates with the kit's admin panel UI. Admin actions are logged for audit purposes. This plugin is separate from organization-level admin roles - it's for platform-wide super admin operations.

The admin plugin provides platform-level user management capabilities (banning, impersonation, session control) for users with the super admin role, distinct from organization-level permissions.

  • Use the admin plugin when: you need to manage users at the platform level - banning abusive users, debugging user issues via impersonation, or revoking compromised sessions.
  • Don't confuse with organization admins: Organization admins manage their team's members. Super admins manage all users on the platform.

Features

| Feature | Description |
| --- | --- |
| User banning | Disable user accounts, preventing sign-in |
| Session revocation | Force sign-out across all devices |
| Impersonation | Sign in as another user for debugging |
| User listing | View and search all platform users |
| Role management | Assign super admin role to users |

Admin Panel

The admin panel is available at /admin for users with the super admin role. It provides a UI for all admin operations.

For complete admin panel documentation, including setup and customization, see the Admin Overview.

Impersonation

Impersonation lets admins sign in as another user to debug issues they're experiencing. The admin's session is preserved - they can exit impersonation to return to their admin account.

// Start impersonation
await authClient.admin.impersonateUser({
  userId: 'user-to-impersonate',
});

// Exit impersonation (return to admin account)
await authClient.admin.stopImpersonation();

User Banning

Banned users cannot sign in. Their existing sessions are revoked when banned.

// Ban a user
await authClient.admin.banUser({
  userId: 'user-to-ban',
  // Better Auth's admin client takes the reason as banReason
  banReason: 'Terms of service violation',
});

// Unban a user
await authClient.admin.unbanUser({
  userId: 'user-to-unban',
});

Common Pitfalls

  • Impersonating without logging: Always log impersonation events for audit. The kit logs these by default.
  • Banning without reason: Store ban reasons for customer support context.
  • Forgetting to exit impersonation: The UI shows a banner during impersonation - don't ignore it.
  • Confusing super admin with org admin: Super admin is platform-wide. Organization admin is team-scoped.
  • No backup super admin: Always have at least two super admin accounts in case one is compromised.
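
The pitfalls above, expressed as a check over audit records. This is an added example, not part of the kit's code: the record fields, action names, the 'super-admin' role string and the 30-minute limit are assumptions, and the sample data is constructed.

```javascript
// Added example. Record shapes, action names and the 'super-admin' role string
// are assumptions for illustration, not the kit's audit log schema.
const MAX_IMPERSONATION_MS = 30 * 60 * 1000; // assumed policy: 30 minutes

function auditAdminActivity(users, events, now) {
  const findings = [];

  // Pitfall: no backup super admin.
  const admins = users.filter((u) => u.role === 'super-admin' && !u.banned);
  if (admins.length < 2) {
    findings.push({ rule: 'single-super-admin', detail: `${admins.length} active` });
  }

  const open = new Map(); // adminId -> impersonation start event not yet closed
  for (const e of [...events].sort((a, b) => a.at - b.at)) {
    // Pitfall: ban recorded with a missing or blank reason.
    if (e.action === 'ban' && !String(e.reason ?? '').trim()) {
      findings.push({ rule: 'ban-without-reason', detail: `${e.adminId} banned ${e.targetId}` });
    }
    if (e.action === 'impersonate.start') open.set(e.adminId, e);
    if (e.action === 'impersonate.stop') open.delete(e.adminId);
  }

  // Pitfall: impersonation started and not exited within the allowed window.
  for (const [adminId, start] of open) {
    if (now - start.at > MAX_IMPERSONATION_MS) {
      findings.push({ rule: 'impersonation-not-exited', detail: `${adminId} as ${start.targetId}` });
    }
  }
  return findings;
}

// Constructed sample data.
const t = (hhmm) => Date.parse(`2024-05-01T${hhmm}:00Z`);
const sampleUsers = [
  { id: 'admin-1', role: 'super-admin', banned: false },
  { id: 'user-2', role: 'user', banned: false },
  { id: 'user-3', role: 'user', banned: true },
];
const sampleEvents = [
  { action: 'impersonate.start', adminId: 'admin-1', targetId: 'user-2', at: t('09:00') },
  { action: 'impersonate.stop', adminId: 'admin-1', at: t('09:10') },
  { action: 'ban', adminId: 'admin-1', targetId: 'user-3', reason: '  ', at: t('10:00') },
  { action: 'ban', adminId: 'admin-1', targetId: 'user-4', reason: 'Terms of service violation', at: t('10:05') },
  { action: 'impersonate.start', adminId: 'admin-1', targetId: 'user-2', at: t('11:00') },
];

console.log(auditAdminActivity(sampleUsers, sampleEvents, t('13:00')));
```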

Frequently Asked Questions

How do I become a super admin?
The first user to sign up can be set as super admin via database seeding, or an existing super admin can grant the role through the admin panel.

Are admin actions logged?
Yes. Impersonation, banning, and session revocation are logged with timestamps and the admin who performed the action.

Can I customize the admin panel UI?
Yes. The admin panel components are in packages/admin/src/components/. They use standard React components.

Is the admin API protected?
Yes. Admin endpoints require the super admin role. Regular users receive 403 Forbidden responses.

Can organization admins use these features?
No. Organization admins can only manage their organization members. Super admin features are platform-wide only.
