Settings & Security

Admin accounts with bcrypt, session tokens, and optional 2FA via email or WhatsApp OTP.

  • Password hashing: bcrypt
  • Session expiry: 24h
  • Token length: 64-char
  • Optional MFA: 2FA

Security Features

Production-grade authentication from the very first request. No default credentials.

Admin Accounts (bcrypt)

Admin credentials are stored in .flindb/console_admin.json with bcrypt-hashed passwords. No plaintext, ever.

Session Tokens (24h)

64-character hex tokens stored in-memory with 24-hour expiry. No cookie-based sessions — tokens are validated on every request.

Email 2FA (OTP)

Optional email-based two-factor authentication. A 6-digit OTP is sent to the admin's email and must be verified within 10 minutes.

WhatsApp 2FA (OTP)

Optional WhatsApp-based two-factor authentication. Same 6-digit OTP, same 10-minute window — delivered via WhatsApp Cloud API.

How It Works

A setup wizard guides admin creation on first access. No hardcoded defaults, no insecure starting state.

Authentication Flow
First visit to /_flin:
─────────────────────────────────────────

1. Setup Wizard (if no admin exists)
   ├── Step 1: Enter email + password
   ├── Step 2: Optional 2FA setup (email or WhatsApp)
   └── Step 3: Setup complete → redirect to login

2. Login Flow
   ├── POST /_flin/api/login { email, password }
   ├── bcrypt_verify(password, stored_hash)
   ├── If 2FA enabled:
   │   ├── Return { requires_2fa: true, temp_token: "..." }
   │   ├── Send 6-digit OTP (email or WhatsApp)
   │   └── POST /_flin/api/2fa/verify { temp_token, code }
   └── Return { token: "a4f8c2...64 hex chars" }

3. Session Management
   ├── Token stored in-memory HashMap
   ├── Validated on every /_flin/* request
   ├── Expires after 24 hours
   └── No cookies — token sent via Authorization header
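The login, 2FA and session-management steps above, modelled end to end as an added example. This is illustration code written for this page, not FLIN's own implementation. Assumptions: bcrypt is stood in for by salted PBKDF2-HMAC-SHA256 from the standard library (the bcrypt package is third-party), the admin record lives in a dict rather than .flindb/console_admin.json, the minimum password length is set to 12 because the page only says "minimum length enforced", the token travels as a "Bearer" Authorization header (the page names the header but not the scheme), and each temp_token allows exactly one OTP attempt.

```python
# Added example (not FLIN's code): in-process model of the /_flin admin auth flow.
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 24 * 60 * 60   # 24-hour session expiry (from the page)
OTP_TTL = 10 * 60            # 10-minute OTP window (from the page)
MIN_PASSWORD_LEN = 12        # assumed value; the page only says "minimum length enforced"


class AuthConsole:
    def __init__(self, clock=time.time, send_otp=None):
        self.clock = clock                               # injectable clock for deterministic tests
        self.send_otp = send_otp or (lambda code: None)  # email/WhatsApp delivery hook (assumed)
        self.admin = None                                # stands in for .flindb/console_admin.json
        self.sessions = {}                               # token -> expiry (the in-memory HashMap)
        self.pending_2fa = {}                            # temp_token -> (otp_code, expiry)

    @staticmethod
    def _hash(password, salt):
        # Stand-in for bcrypt: salted PBKDF2-HMAC-SHA256, standard library only.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def setup(self, email, password, two_factor=False):
        """Setup wizard: refuse if an admin exists, enforce the minimum password length."""
        if self.admin is not None:
            return {"error": "admin already exists"}
        if len(password) < MIN_PASSWORD_LEN:
            return {"error": "password too short"}
        salt = secrets.token_bytes(16)                   # fresh random salt per account
        self.admin = {"email": email, "salt": salt,
                      "hash": self._hash(password, salt), "two_factor": two_factor}
        return {"ok": True}

    def _password_ok(self, password):
        candidate = self._hash(password, self.admin["salt"])
        return hmac.compare_digest(candidate, self.admin["hash"])   # constant-time compare

    def _issue_session(self):
        token = secrets.token_hex(32)                    # 32 random bytes -> 64 hex characters
        self.sessions[token] = self.clock() + SESSION_TTL
        return token

    def login(self, email, password):
        """POST /_flin/api/login { email, password } equivalent."""
        if self.admin is None or email != self.admin["email"] or not self._password_ok(password):
            return {"error": "invalid credentials"}      # one message for every failure mode
        if self.admin["two_factor"]:
            temp_token = secrets.token_hex(32)
            code = f"{secrets.randbelow(1_000_000):06d}"  # CSPRNG-generated 6-digit OTP
            self.pending_2fa[temp_token] = (code, self.clock() + OTP_TTL)
            self.send_otp(code)
            return {"requires_2fa": True, "temp_token": temp_token}
        return {"token": self._issue_session()}

    def verify_2fa(self, temp_token, code):
        """POST /_flin/api/2fa/verify { temp_token, code } equivalent; one attempt per temp token."""
        entry = self.pending_2fa.pop(temp_token, None)   # consumed whether or not the code matches
        if entry is None:
            return {"error": "unknown temp token"}
        expected, expiry = entry
        if self.clock() > expiry or not hmac.compare_digest(expected.encode(), str(code).encode()):
            return {"error": "invalid or expired code"}
        return {"token": self._issue_session()}

    def authenticate(self, authorization_header):
        """Per-request check of the Authorization header; expired tokens are purged on sight."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return False
        token = authorization_header[len("Bearer "):]
        expiry = self.sessions.get(token)
        if expiry is None:
            return False
        if self.clock() > expiry:
            del self.sessions[token]
            return False
        return True
```

Two properties of the page's design show up directly in the model: because the store is in-memory, a process restart empties `sessions` and every admin is logged out, and a second instance of the console would not recognise tokens issued by the first, so the token store is not a substitute for the shared session backends listed under "Traditional Stack"; and because the temp token is consumed on the first OTP attempt, a mistyped code sends the admin back through the password step rather than allowing repeated guesses against the same 6-digit code.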

Security Details

  • Passwords hashed with bcrypt — Industry-standard password hashing with automatic salt generation
  • 64-character hex session tokens — Cryptographically random, stored only in server memory
  • 24-hour token expiry — Sessions expire automatically, no stale sessions lingering
  • 6-digit OTP codes — Generated securely with 10-minute expiry for 2FA verification
  • In-memory token store — Tokens are not persisted to disk, reducing attack surface
  • Setup wizard enforces strong passwords — No admin/admin defaults, no insecure starting state

API Endpoints

Setup, authentication, and security management endpoints.

Method  Endpoint                           Description
POST    /_flin/api/setup                   Create the admin account (first-time setup)
GET     /_flin/api/setup/status            Check if admin account has been created
POST    /_flin/api/admin/change-password   Change the admin password (requires current password)
POST    /_flin/api/admin/2fa/enable        Enable 2FA with email or WhatsApp verification
POST    /_flin/api/admin/2fa/disable       Disable 2FA (requires current password confirmation)

Setup Wizard

Three steps from first visit to secured console.

Setup Flow
Step 1 — Create Admin Account
  Email:    [email protected]
  Password: ••••••••••••••••  (minimum length enforced)

Step 2 — Two-Factor Authentication (optional)
  [ ] Enable email OTP
  [ ] Enable WhatsApp OTP
  → Verify with a test code to confirm setup

Step 3 — Complete
  ✓ Admin account created
  ✓ Password hashed with bcrypt
  ✓ 2FA configured (if enabled)
  → Redirect to login page

Secure from the First Request

Production-grade authentication from the moment you deploy. No admin/admin defaults — the setup wizard enforces a strong password before the console is accessible. Optional 2FA adds a second verification step via email or WhatsApp OTP, with 6-digit codes that expire in 10 minutes.

FLIN vs. Traditional Stacks

Traditional Stack

  • Configure admin authentication middleware separately
  • Set up bcrypt or argon2 password hashing manually
  • Build session management with Redis or database-backed tokens
  • Integrate a 2FA library (speakeasy, otplib) and build the UI
  • Ship with default admin credentials and hope someone changes them

FLIN

  • Setup wizard creates a secure admin account on first visit
  • Bcrypt password hashing built in, no configuration needed
  • In-memory session tokens with automatic 24-hour expiry
  • Optional 2FA via email or WhatsApp with one toggle
  • No default credentials — security enforced from day one