Admin Setup Locked
Admin accounts cannot be created from a public browser route.
Public admin registration is disabled
Acredia now requires administrators to be provisioned through a trusted backend/database setup path. New public signups are always treated as non-admin users until a trusted operator grants access.
Trusted admin allowlist
Set ADMIN_EMAIL_ALLOWLIST on the server with the email addresses that are allowed to use admin API routes.
Provision from Supabase
Create the user through a trusted Supabase/admin process and update that user's profile role to admin. Never grant admin through client-submitted signup metadata.