Skip to content

2. Signing in to the admin area

Before you can manage any content you need to sign in. LexiScor uses a passwordless one-time code (OTP) flow — there is nothing to remember beyond your email address.

Getting an admin account

You cannot self-register. A superadmin must add your email address from the Admins page before you can sign in. Once your email is on the list you can sign in immediately — no welcome email is sent, you simply request a code yourself the first time.

The very first superadmin account is created automatically the first time the database is reset, using the email defined in the server's INITIAL_SUPERADMIN_EMAIL setting.

Step-by-step: signing in

  1. Open the application URL — in production this is https://lexiscor.ro/login.
  2. The Admin Login card appears. Type your admin email address.
  3. Click Send Code (the wording matches the active language).
  4. Within a few seconds a 6-digit code arrives in your inbox from noreply@lexiscor.ro (or whatever address has been configured). The code is valid for 10 minutes.
  5. Type the 6-digit code into the next screen and confirm. If the code is correct you are taken to the Dashboard.

If the code does not arrive:

  • Check the spam/junk folder.
  • Wait a minute and click Send Code again — the previous code is cancelled and a new one is issued.
  • After 3 wrong code attempts the code is invalidated and you must request a new one.

Rate limits to be aware of

To protect the system from abuse there are two limits:

  • Per email address — at most 3 code requests every 15 minutes.
  • Per device / network — at most 10 code requests every 60 minutes from the same IP address.

If you trigger a limit you will see a friendly error message; just wait it out before trying again.

How long does a session last?

After you sign in successfully the admin session lasts about 2 hours of inactivity. After that, you will be sent back to the login page next time you try to navigate. Simply request a new code and continue where you left off — no work is lost as long as you have already saved it (and most admin actions save automatically).

Signing out

The current admin's name and role appear on the right side of the top bar on every admin page (e.g. "Ana Popescu (admin)"). Next to it is a Sign Out button. Clicking it ends the session and returns you to the login page.

Two completely separate "logins"

LexiScor actually has two independent authentication systems that share the same OTP mechanism:

  • Admin auth — what this chapter is about. Used at /login and protects everything under /admin.
  • Public-user auth — an optional sign-in for pupils/parents that appears in the public quiz pages. It is used to claim diplomas and to link several attempts to the same account. See The public quiz experience for details.

The two systems do not share accounts. Adding someone as a public user does not give them admin access, and vice versa.