Admin Console

Monitor connections, browse the semantic layer, review audit logs, and manage users from the web UI.

The admin console is a built-in web UI for managing your Atlas deployment. Access it at /admin in the Atlas web app.

Prerequisites

Managed auth enabled (or auth mode none for local dev)
A user with the admin role
When auth mode is none (local development), all users have implicit admin access

In SaaS mode, workspace admins see a subset of admin pages scoped to their workspace. Platform admins see all pages including cross-tenant management. In self-hosted mode, all admins see the full admin console.

Dashboard

Route: /admin

The dashboard shows deployment health at a glance:

Connections — Number of registered datasources
Entities — Tables and views in the semantic layer
Plugins — Installed plugins and their health status
Overall health — Aggregated status (healthy, degraded, unhealthy)

Component health checks show live status for each subsystem — Datasource, Internal DB, LLM Provider, Scheduler, and Sandbox — with latency, last-checked timestamp, and model/backend details where applicable.

Connections

Route: /admin/connections

Lists all registered datasource connections with their database type, description, health status, and latency.

Connection URLs are encrypted at rest when BETTER_AUTH_SECRET or ATLAS_ENCRYPTION_KEY is set.

Actions:

Add connection — Create a new datasource with URL, database type, and optional description. For PostgreSQL, an optional schema field is also available. The URL field supports a show/hide toggle for credential safety
Edit connection — Update an existing connection's URL, type, or description
Delete connection — Remove a connection (with confirmation dialog). The default connection cannot be deleted
Test connection — Runs a health check query against the datasource and reports latency and status

Pool Stats

A collapsible Pool Stats section shows real-time connection pool metrics for each datasource:

Active / Idle / Total connections with a visual bar
Queries — total queries executed through this pool
Errors — total errors and consecutive failure count
Avg time — average query execution time in milliseconds
Last drain — timestamp of the most recent pool drain

Drain & Recreate — closes all connections in a pool and creates a fresh one. Use this when a connection becomes stale or unresponsive. A 30-second cooldown prevents drain storms.

Pool warmup and auto-drain thresholds are configurable via ATLAS_POOL_WARMUP and ATLAS_POOL_DRAIN_THRESHOLD

Semantic Layer Browser

Route: /admin/semantic

A two-panel browser for exploring the semantic layer:

Left sidebar — File tree showing entities, metrics, glossary, and catalog
Right panel — Detail view with a Pretty / YAML toggle

In Pretty mode, entities show parsed dimensions, joins, measures, and query patterns with formatted tables. In YAML mode, the raw YAML source is displayed with syntax highlighting.

Browse entities by clicking them in the sidebar. The catalog shows use_for tags and common_questions. The glossary highlights ambiguous terms. Metrics display SQL, aggregation type, and objectives.

In SaaS mode, admins can create, edit, and delete entities directly from the UI with schema-aware autocomplete and full version history. See Semantic Editor for the full guide.

See Semantic Layer for the YAML format reference.

Schema Diff

Route: /admin/schema-diff

Compares the live database schema against the semantic layer YAML files to detect drift:

Summary cards — New tables (in DB, not in YAML), removed tables (in YAML, not in DB), changed tables (column-level drift), unchanged tables (in sync)
New tables — Green cards listing tables that exist in the database but have no corresponding entity YAML. Shows a suggestion to run atlas init --update
Removed tables — Red cards listing entity YAMLs that reference tables no longer in the database. Indicates stale entities that should be cleaned up
Changed tables — Amber expandable cards with a column-level diff table showing added columns, removed columns, and type mismatches between DB and YAML
In-sync state — When no drift is detected, shows a green success message

Multiple connections: If multiple datasource connections are registered, a connection selector dropdown appears in the page header. The diff is re-computed when you switch connections.

API endpoint: GET /api/v1/admin/semantic/diff?connection=<id> — returns structured JSON with newTables, removedTables, tableDiffs, unchangedCount, and a summary object.

Audit Log

Route: /admin/audit

Requires an internal database (DATABASE_URL). Without it, this page shows a feature gate message.

Two tabs: Log and Analytics.

Log

Shows every SQL query executed by the agent with:

Stats — Total queries, total errors, error rate
Log table — Timestamp, user, SQL query, tables accessed, duration, row count, success/failure

Data classification tags: Each audit entry includes tables_accessed and columns_accessed arrays extracted from the validated SQL AST. These enable compliance-grade filtering — answer questions like "which queries touched the users table?" without parsing SQL text.

Filters:

Table — Filter by table name (dropdown populated from audit data). Uses JSONB array matching on the tables_accessed column
Column — Filter by column name (dropdown populated from audit data). Uses JSONB array matching on the columns_accessed column
Date range (from/to)
Connection
Status (success/error)
Free-text search (SQL, user, error)
Pagination

Analytics

Charts and tables for query performance insights:

Query volume — Line chart showing queries and errors per day over the selected date range
Slowest queries — Top 20 queries ranked by average duration, with max duration and execution count
Most frequent queries — Top 20 queries ranked by execution count, with average duration and error count
Error breakdown — Bar chart grouping errors by message pattern
Per-user activity — Table showing query count, average duration, and error rate per user

Actions

Route: /admin/actions

Requires ATLAS_ACTIONS_ENABLED=true. Without it, this page shows a feature gate message.

Lists action log entries with status filtering:

Tabs — Pending, Executed, Denied, Failed, All
Table — Relative timestamps (hover for absolute), action type with icon badge, target, summary, status badge
Expandable rows — Full payload, timestamps, error details, and a link to the originating conversation (when available)
Empty states — Context-aware messages per filter tab

Actions:

Approve / Deny individual pending actions
Bulk approve / deny — Select multiple pending actions with checkboxes and approve or deny them in one operation. A "select all" toggle selects every pending action in the current view

See Actions Framework for details on approval modes.

Scheduled Tasks

Route: /admin/scheduled-tasks

Requires ATLAS_SCHEDULER_ENABLED=true.

Manages recurring queries:

Filter tabs — All, Enabled, Disabled
Table — Name, question, cron expression, delivery channel, next run time, enabled status
Expandable rows — Recent run history with status, timing, and token usage

Actions:

Create task — Form dialog with task name, natural language question, cron schedule (presets or custom expression with human-readable preview and next-run times), delivery channel (email, Slack, webhook), approval mode, and connection selector
Edit task — Same form, pre-populated with existing values
Toggle enabled/disabled
Run now — Trigger immediate execution

Run History

Route: /admin/scheduled-tasks/runs

Cross-task run history page showing all executions across all tasks (newest first).

Filters — Task name, status (running, success, failed, skipped), date range
Table — Task name, status badge, started timestamp, duration, token usage, error preview
Expandable detail — Full error message, timestamps, duration, token usage, links to conversation (and action, when applicable)

See Scheduled Tasks for setup and configuration.

Token Usage

Route: /admin/token-usage

Requires an internal database (DATABASE_URL). Without it, this page shows a feature gate message.

Tracks LLM token consumption across all agent interactions:

Summary cards — Total tokens, prompt tokens, completion tokens, total requests (with per-request averages)
Token usage over time — Area chart showing prompt and completion tokens per day
Top users — Table ranking users by total token consumption with prompt/completion breakdown

Filters:

Date range (from/to) — defaults to last 30 days

Token data is recorded automatically for every agent interaction (chat and query endpoints). When no internal database is configured, token usage is logged via pino only.

Plugins

Route: /admin/plugins

Manage installed plugins — enable/disable, health checks, and configuration.

In SaaS mode, the page includes a tabbed interface with Installed and Available tabs, providing a full plugin marketplace for browsing, installing, configuring, and uninstalling plugins. See Plugin Marketplace for the full guide.

In self-hosted mode, the page shows config-loaded plugins with:

Plugin cards — Each card shows name, type(s), version, health status, and enabled state
Health check — Trigger a live health probe for any plugin
Enable/disable toggle — Toggle a plugin on or off without restarting. Disabled plugins are skipped during agent execution (queries, hooks, tool registration)
Configure — Opens a config dialog with form inputs generated from the plugin's config schema. Secret values (API keys, tokens) are masked in the UI

Plugin enable/disable state and config overrides are stored in the internal database (DATABASE_URL). Without it, all plugins are enabled and configuration is read-only.

How it works:

Toggling a plugin immediately takes effect — disabled plugins are excluded from getByType() and getAllHealthy() calls in the agent loop
Config changes are saved to the plugin_settings table and take effect on next restart
Plugins that implement getConfigSchema() expose a typed form in the UI. Plugins without it show current config as read-only JSON

Settings

Route: /admin/settings

Manage application configuration from the UI. Settings follow a three-tier resolution: DB override > env var > default.

Grouped sections — Query Limits, Rate Limiting, Security, Sessions, Sandbox, Platform, Agent, Appearance, Secrets
Source badges — Each setting shows where its current value comes from:
- override (blue) — value saved in the internal database
- workspace-override (purple) — value saved per-workspace
- env (green) — value from an environment variable
- default (gray) — built-in default
Edit — Override any non-secret setting. Changes are saved to the internal database
Live vs Restart — Each setting shows whether changes take effect immediately (Live) or require a server restart (Requires restart). Query Limits, Rate Limiting, Sessions, Sandbox, and Appearance are live; Security, Platform, and Agent settings require a restart
Reset — Remove a DB override to revert to the environment variable or default value
Secrets — Sensitive settings (API keys, database URLs) are masked and read-only. Manage these via environment variables
SaaS mode — Workspace admins only see settings marked as workspace-visible. Platform admins see all settings. The response includes a deployMode field and a manageable flag indicating whether settings can be persisted

On app.useatlas.dev (SaaS mode), most settings are hot-reloadable — changes are picked up on the next request without a server restart. A few infrastructure settings (LLM provider, model) may still require redeployment to fully take effect. The restart requirement mainly applies to self-hosted deployments.

Settings overrides require an internal database (DATABASE_URL). Without it, the settings page is read-only — all values come from environment variables.

Available settings:

Section	Setting	Description	Scope
Query Limits	`ATLAS_ROW_LIMIT`	Maximum rows returned per query (default: 1000)	workspace
Query Limits	`ATLAS_QUERY_TIMEOUT`	Query timeout in ms (default: 30000)	workspace
Rate Limiting	`ATLAS_RATE_LIMIT_RPM`	Max requests per minute per user (0 = disabled)	workspace
Security	`ATLAS_RLS_ENABLED`	Enable row-level security	platform
Security	`ATLAS_RLS_COLUMN`	Column name for RLS filtering	platform
Security	`ATLAS_RLS_CLAIM`	JWT claim path for RLS value	platform
Security	`ATLAS_TABLE_WHITELIST`	Only allow semantic layer tables (default: true)	platform
Security	`ATLAS_CORS_ORIGIN`	Allowed CORS origin (default: *)	platform
Sessions	`ATLAS_SESSION_IDLE_TIMEOUT`	Seconds of inactivity before session invalidation (0 = disabled)	workspace
Sessions	`ATLAS_SESSION_ABSOLUTE_TIMEOUT`	Maximum session lifetime in seconds (0 = disabled)	workspace
Sandbox	`ATLAS_SANDBOX_BACKEND`	Sandbox backend for explore/Python tool isolation	workspace
Sandbox	`ATLAS_SANDBOX_URL`	Custom sidecar service URL (sidecar backend only)	workspace
Platform	`ATLAS_DEPLOY_MODE`	Deployment mode: auto, saas, or self-hosted	platform
Agent	`ATLAS_AGENT_MAX_STEPS`	Maximum tool-call steps per agent run (1–100, default: 25)	workspace
Agent	`ATLAS_PROVIDER`	LLM provider selection	platform
Agent	`ATLAS_MODEL`	Model ID override	platform
Agent	`ATLAS_LOG_LEVEL`	Application log level	platform
Appearance	`ATLAS_BRAND_COLOR`	Primary brand color in oklch format	platform
Secrets	`ANTHROPIC_API_KEY`	Anthropic provider API key (masked, read-only)	platform
Secrets	`OPENAI_API_KEY`	OpenAI provider API key (masked, read-only)	platform
Secrets	`DATABASE_URL`	Internal database connection string (masked, read-only)	platform
Secrets	`ATLAS_DATASOURCE_URL`	Analytics datasource connection string (masked, read-only)	platform

Learned Patterns

Route: /admin/learned-patterns

Requires an internal database (DATABASE_URL). Patterns are proposed by the agent during conversations or by the atlas learn CLI command.

Review, approve, and manage query patterns the agent has learned:

Stats — Total patterns, pending review, approved, rejected
Status filter — Tabs to filter by All / Pending / Approved / Rejected
Entity filter — Dropdown to filter by source entity (table)
Pattern table — Status badge, SQL pattern (monospace, truncated), description, source entity, confidence (progress bar), repetition count, source (Agent or CLI), created date

Detail sheet — Click any row to open a side panel with:

Full SQL pattern in a monospace block
Metadata (entity, source, confidence, repetitions, timestamps)
Review history (who reviewed, when)
Source queries that originated the pattern

Actions (per pattern):

Approve — Mark a pattern as approved
Reject — Mark a pattern as rejected
Delete — Permanently remove a pattern (with confirmation dialog)

Bulk actions:

Select multiple patterns with checkboxes
Approve selected / Reject selected — Update all selected patterns at once (max 100 per operation)

All status changes record the reviewer and timestamp. Approve/reject use optimistic UI updates — the table updates immediately, reverting on failure.

Prompt Library

Route: /admin/prompts

Requires an internal database (DATABASE_URL). Atlas ships with three built-in collections; admins can create custom collections for their organization.

Manage curated prompt collections — pre-written questions organized by industry that help users get started with common analyses.

Built-in Collections

Atlas seeds three built-in collections on first boot:

SaaS Metrics — MRR, churn, LTV, CAC, ARPU, and growth indicators
E-commerce KPIs — GMV, AOV, conversion rates, inventory, and fulfillment metrics
Cybersecurity Compliance — vulnerability tracking, incident response, and compliance scores

Built-in collections are read-only and visible to all users.

Custom Collections

Admins can create custom prompt collections scoped to their organization:

Click Create Collection and fill in the name, industry, and description
Add prompt items with questions, descriptions, and categories
Reorder items within a collection
Custom collections are only visible to members of the admin's organization

Chat Integration

Users can access the prompt library from the chat interface via the book icon in the header. Clicking a prompt immediately sends it as a question.

Cache

Route: /admin/cache

Query caching is enabled by default. Set ATLAS_CACHE_ENABLED=false to disable it. When disabled, the page shows zeroed stats with an inline notice.

Displays query result cache statistics and provides a manual flush control:

Hit Rate — Cache hit percentage with a visual progress bar, plus hit and miss counts
Storage — Current entry count vs max size, fill percentage, and TTL
Flush Cache — Removes all cached entries with a confirmation dialog. After flushing, subsequent queries hit the database directly until the cache repopulates

API endpoints:

Method	Path	Description
`GET`	`/api/v1/admin/cache/stats`	Cache hit rate, entry count, max size, TTL
`POST`	`/api/v1/admin/cache/flush`	Flush all cached entries

Sessions

Route: /admin/sessions

Requires managed auth with an internal database (DATABASE_URL). Not available in simple-key, BYOT, or no-auth modes.

Manage active user sessions across all users:

Stats — Total sessions, active sessions, unique users
Search — Filter by email or IP address
Session table — User, created time, last active, IP address, user agent

Actions:

Revoke session — Immediately invalidate a specific session (user gets 401 on next request)
Revoke all for user — Force logout a user across all devices
Bulk revoke — Select multiple sessions and revoke them at once

Session Timeouts

Configure automatic session timeout policies via environment variables or atlas.config.ts:

Setting	Env Var	Description	Default
Idle timeout	`ATLAS_SESSION_IDLE_TIMEOUT`	Seconds of inactivity before invalidation	`0` (disabled)
Absolute timeout	`ATLAS_SESSION_ABSOLUTE_TIMEOUT`	Max session lifetime in seconds	`0` (disabled)

// atlas.config.ts
export default defineConfig({
  session: {
    idleTimeout: 3600,       // 1 hour idle timeout
    absoluteTimeout: 86400,  // 24 hour absolute timeout
  },
});

These can also be changed at runtime via Admin > Settings without a server restart.

User Self-Service

Non-admin users can manage their own sessions via GET /api/v1/sessions and DELETE /api/v1/sessions/:id. Users can only see and revoke their own sessions.

User Management

Route: /admin/users

Requires managed auth with the Better Auth admin plugin. Not available in simple-key, BYOT, or no-auth modes.

Full user management with stats and controls:

Stats — Total users, admins, analysts, viewers
Search — Filter by email
Role filter — Filter by role

Actions (per user):

Change role — Set to viewer, analyst, or admin
Ban/unban — Temporarily or permanently ban a user
Revoke sessions — Force logout across all devices
Delete — Permanently remove user and sessions

Invite users:

Invite user button opens a dialog with email input and role selector
If RESEND_API_KEY is configured, an invitation email is sent automatically
If no email delivery is configured, the dialog shows a one-time invite link to copy and share manually
Invited users are assigned the selected role automatically on signup
Pending invitations section shows outstanding invitations with status (pending, accepted, expired, revoked) and expiry date
Admins can revoke pending invitations

Safety guards:

Cannot change your own role
Cannot ban or delete yourself
Cannot demote or delete the last admin

Workspace Management

Route: /admin/organizations

Requires managed auth with an internal database (DATABASE_URL). Platform-wide view — admins see all organizations, not just their own.

Manage workspaces (organizations) across the platform:

Organization list — Name, slug, status badge (active/suspended/deleted), plan tier, member count, creation date
Detail view — Members with roles, pending invitations, creation date, and metadata
Stats — Member count, conversation count, query count per organization

Workspace Status

Status	Description
Active	Normal operation — queries and agent interactions are allowed
Suspended	All queries blocked. Connection pools drained. Can be reactivated
Deleted	Soft-deleted with cascading cleanup. Pools drained, caches flushed, data marked for removal

Actions

Suspend — Block all queries for a workspace. Drains the org's connection pools immediately. Use this for billing holds, abuse prevention, or maintenance windows
Activate — Reactivate a suspended workspace. Queries resume immediately
Delete — Soft-delete with cascading cleanup: drain pools, flush caches, cascade database cleanup, mark as deleted. This is not reversible from the UI
Change plan — Set a workspace's plan tier: free, team, or enterprise

Health Status

The organization status endpoint (GET /admin/organizations/:id/status) returns workspace health metrics:

Members — Total member count
Conversations — Total conversations
Queries last 24h — Recent query volume
Connections — Registered datasource count
Scheduled tasks — Active task count
Pool metrics — Connection pool stats (if org-scoped pooling is enabled)

Admin API

Method	Path	Description
`GET`	`/organizations`	List all organizations
`GET`	`/organizations/:id`	Get org details with members and invitations
`GET`	`/organizations/:id/stats`	Org stats (members, conversations, queries)
`GET`	`/organizations/:id/status`	Workspace health summary
`PATCH`	`/organizations/:id/suspend`	Suspend workspace
`PATCH`	`/organizations/:id/activate`	Reactivate workspace
`DELETE`	`/organizations/:id`	Soft-delete workspace
`PATCH`	`/organizations/:id/plan`	Update plan tier

See Usage Metering for per-workspace usage tracking.

API Keys

Route: /admin/api-keys

Create and manage API keys for programmatic access via the SDK, MCP server, or embeddable widget. Keys are shown once at creation and cannot be retrieved later.

See API Key Management for the full guide.

Integrations

Route: /admin/integrations

Connect and manage external platform integrations — Slack, Microsoft Teams, Discord, Telegram, and webhooks — from a single page. Each integration shows its connection status and provides connect/disconnect actions.

See Integrations Hub for the full guide.

Sandbox / Execution Environment

Route: /admin/sandbox

In self-hosted mode, configure which sandbox backend the explore and Python tools use via a dropdown selector. In SaaS mode, the page shows an integration card grid where workspace admins connect their own cloud sandbox providers (Vercel, E2B, Daytona) alongside the managed Atlas Cloud Sandbox.

See Sandbox Configuration for the full guide.

Data Residency

Route: /admin/residency

SaaS Feature

Data residency is available on app.useatlas.dev. Self-hosted deployments can configure regions via the platform admin API, but the admin UI is optimized for the SaaS experience.

Control where your workspace data is stored and request region migrations.

Viewing Your Region

When a region is assigned, the page displays:

Current region — Name, region ID, and compliance badge (e.g. "GDPR compliant" for EU regions, "SOC 2 compliant" for US regions)
Assignment date — When the region was first assigned
Status — Active badge confirming the region is serving traffic

Requesting a Region Migration

Migration moves all workspace data between regions. Some features may be temporarily unavailable during the process.

To migrate to a different region:

Click Change Region on the Data Region card
Select the target region from the available options — your current region is shown for reference
Review the migration summary (current region → target region with compliance badges)
Click Request Migration, then confirm in the confirmation dialog

Migration Phases

Once submitted, a migration progresses through these phases:

Phase	Status	What Happens
Pending	Queued	Migration request is queued for processing. You can cancel at this stage
In Progress	Migrating	Data is being replicated from the source to the target region. Some features may be temporarily unavailable
Completed	Done	All data has been moved to the target region. The workspace is now serving from the new region
Failed	Error	The migration could not be completed. You can retry or contact support
Cancelled	Stopped	The migration was cancelled before processing began

What to Expect During Migration

A status banner at the top of the page shows real-time migration progress
Pending migrations can be cancelled before processing begins
Failed migrations can be retried with a single click
Only one migration can be active at a time — the "Change Region" button is disabled while a migration is pending or in progress
After completion, the Data Region card updates to reflect the new region

Residency Admin API

Method	Path	Description
`GET`	`/api/v1/admin/residency`	Current region status and available regions
`PUT`	`/api/v1/admin/residency`	Assign initial region (body: `{ region }`)
`GET`	`/api/v1/admin/residency/migration`	Current migration status
`POST`	`/api/v1/admin/residency/migrate`	Request region migration (body: `{ targetRegion }`)
`POST`	`/api/v1/admin/residency/migrate/:id/retry`	Retry a failed migration
`POST`	`/api/v1/admin/residency/migrate/:id/cancel`	Cancel a pending migration

Custom Domain

Route: /admin/custom-domain

Enterprise Feature

Custom domains require an Enterprise plan on app.useatlas.dev. The page shows an upgrade prompt if your workspace is on a lower plan.

Serve Atlas from your own domain (e.g. data.acme.com) with automatic TLS certificate provisioning.

Adding a Custom Domain

Navigate to Admin Console → Custom Domain
Enter your desired subdomain (e.g. data.acme.com) — use a subdomain, not a root domain
Click Add Domain

Atlas generates a CNAME target that you need to configure in your DNS provider.

DNS Verification

After adding a domain, a DNS configuration card appears with the required CNAME record:

Field	Value
Type	`CNAME`
Name	Your domain (e.g. `data.acme.com`)
Value	The generated CNAME target (copy with the clipboard button)

Add this record to your DNS provider (Cloudflare, Route 53, Google Cloud DNS, etc.). DNS propagation may take up to 48 hours.

Checking Verification Status

Click Check Status to trigger a verification check. The domain progresses through these statuses:

Status	Badge	Meaning
Pending	Pending Verification	CNAME record not yet detected — DNS may still be propagating
Verified	Active	CNAME verified and TLS certificate issued — domain is serving traffic
Failed	Failed	Verification failed — check that your CNAME record is correctly configured

Removing a Domain

Click Remove Domain and confirm in the dialog. This immediately stops serving traffic on the custom domain. The action cannot be undone — you would need to add and verify the domain again.

Domain Admin API

Method	Path	Description
`GET`	`/api/v1/admin/domain`	Get current domain configuration
`POST`	`/api/v1/admin/domain`	Add a custom domain (body: `{ domain }`)
`POST`	`/api/v1/admin/domain/verify`	Trigger DNS verification check
`DELETE`	`/api/v1/admin/domain`	Remove custom domain

API Endpoints

All admin endpoints are at /api/v1/admin/ and require the admin role. See the SDK for typed client methods.

Method	Path	Description
`GET`	`/overview`	Dashboard stats + component health
`GET`	`/connections`	List connections
`GET`	`/connections/:id`	Get connection detail
`POST`	`/connections`	Create connection
`PUT`	`/connections/:id`	Update connection
`DELETE`	`/connections/:id`	Delete connection
`POST`	`/connections/test`	Test connection by URL
`POST`	`/connections/:id/test`	Test saved connection
`GET`	`/semantic/entities`	List entity summaries
`GET`	`/semantic/entities/:name`	Get entity detail
`GET`	`/semantic/metrics`	List all metrics
`GET`	`/semantic/glossary`	Get glossary
`GET`	`/semantic/catalog`	Get catalog
`GET`	`/semantic/stats`	Semantic coverage stats
`GET`	`/semantic/diff`	Schema diff (DB vs YAML)
`PUT`	`/semantic/entities/edit/:name`	Create/update entity (structured JSON)
`DELETE`	`/semantic/entities/edit/:name`	Delete entity
`GET`	`/semantic/columns/:tableName`	Column metadata for autocomplete
`GET`	`/semantic/entities/:name/versions`	Entity version history
`GET`	`/semantic/entities/versions/:versionId`	Version detail with YAML
`POST`	`/semantic/entities/:name/rollback`	Rollback to previous version
`GET`	`/semantic/org/entities`	List org-scoped entities
`GET`	`/semantic/org/entities/:name`	Get org entity detail
`PUT`	`/semantic/org/entities/:name`	Create/update org entity
`DELETE`	`/semantic/org/entities/:name`	Delete org entity
`GET`	`/cache/stats`	Cache statistics (hit rate, entries, TTL)
`POST`	`/cache/flush`	Flush all cached entries
`GET`	`/audit`	Query audit log (supports `table` and `column` filters)
`GET`	`/audit/stats`	Audit aggregates
`GET`	`/audit/facets`	Distinct tables and columns for filter dropdowns
`GET`	`/audit/analytics/volume`	Query volume per day
`GET`	`/audit/analytics/slow`	Slowest queries
`GET`	`/audit/analytics/frequent`	Most frequent queries
`GET`	`/audit/analytics/errors`	Error breakdown
`GET`	`/audit/analytics/users`	Per-user activity
`GET`	`/tokens/summary`	Token usage summary
`GET`	`/tokens/by-user`	Top users by token consumption
`GET`	`/tokens/trends`	Daily token usage time series
`GET`	`/settings`	List all settings with values and sources
`PUT`	`/settings/:key`	Set or update a settings override
`DELETE`	`/settings/:key`	Remove override (revert to env/default)
`GET`	`/plugins`	List plugins
`POST`	`/plugins/:id/health`	Plugin health check
`POST`	`/plugins/:id/enable`	Enable a plugin
`POST`	`/plugins/:id/disable`	Disable a plugin
`GET`	`/plugins/:id/schema`	Get config schema and values
`PUT`	`/plugins/:id/config`	Update plugin config
`GET`	`/plugins/marketplace/available`	List available marketplace plugins
`POST`	`/plugins/marketplace/install`	Install marketplace plugin
`DELETE`	`/plugins/marketplace/:id`	Uninstall marketplace plugin
`PUT`	`/plugins/marketplace/:id/config`	Update marketplace plugin config
`GET`	`/sessions`	List all sessions
`GET`	`/sessions/stats`	Session count stats
`DELETE`	`/sessions/:id`	Revoke a session
`DELETE`	`/sessions/user/:userId`	Revoke all sessions for user
`GET`	`/users`	List users
`GET`	`/users/stats`	User stats
`PATCH`	`/users/:id/role`	Change role
`POST`	`/users/:id/ban`	Ban user
`POST`	`/users/:id/unban`	Unban user
`POST`	`/users/:id/revoke`	Revoke sessions
`DELETE`	`/users/:id`	Delete user
`POST`	`/users/invite`	Invite user by email
`GET`	`/users/invitations`	List invitations
`DELETE`	`/users/invitations/:id`	Revoke invitation
`GET`	`/learned-patterns`	List learned patterns (supports `status`, `source_entity`, `min_confidence`, `max_confidence` filters)
`GET`	`/learned-patterns/:id`	Get single learned pattern
`PATCH`	`/learned-patterns/:id`	Update pattern (description, status)
`DELETE`	`/learned-patterns/:id`	Delete learned pattern
`POST`	`/learned-patterns/bulk`	Bulk approve/reject (body: `{ ids, status }`, max 100)
`GET`	`/prompts`	List prompt collections
`POST`	`/prompts`	Create prompt collection
`PATCH`	`/prompts/:id`	Update prompt collection
`DELETE`	`/prompts/:id`	Delete prompt collection
`POST`	`/prompts/:id/items`	Add item to collection
`PATCH`	`/prompts/:collectionId/items/:itemId`	Update item
`DELETE`	`/prompts/:collectionId/items/:itemId`	Delete item
`PUT`	`/prompts/:id/reorder`	Reorder items (body: `{ itemIds }`)
`GET`	`/suggestions`	List query suggestions (supports `table`, `min_frequency`, `limit`, `offset` filters)
`DELETE`	`/suggestions/:id`	Delete a query suggestion
`GET`	`/organizations`	List all organizations
`GET`	`/organizations/:id`	Get org details with members
`GET`	`/organizations/:id/stats`	Org stats
`GET`	`/organizations/:id/status`	Workspace health summary
`PATCH`	`/organizations/:id/suspend`	Suspend workspace
`PATCH`	`/organizations/:id/activate`	Reactivate workspace
`DELETE`	`/organizations/:id`	Soft-delete workspace
`PATCH`	`/organizations/:id/plan`	Update plan tier
`GET`	`/usage`	Current period usage summary
`GET`	`/usage/history`	Historical usage summaries
`GET`	`/usage/breakdown`	Per-user usage breakdown
`GET`	`/sso/providers`	List SSO providers
`GET`	`/sso/providers/:id`	Get SSO provider detail
`POST`	`/sso/providers`	Create SSO provider
`PATCH`	`/sso/providers/:id`	Update SSO provider
`DELETE`	`/sso/providers/:id`	Delete SSO provider
`GET`	`/integrations/status`	Get all integration statuses
`DELETE`	`/integrations/slack`	Disconnect Slack
`DELETE`	`/integrations/teams`	Disconnect Teams
`DELETE`	`/integrations/discord`	Disconnect Discord
`POST`	`/integrations/telegram`	Connect Telegram (validates bot token)
`DELETE`	`/integrations/telegram`	Disconnect Telegram
`GET`	`/sandbox/status`	Get sandbox configuration, backends, and connected providers
`POST`	`/sandbox/connect/{provider}`	Validate and save BYOC sandbox credentials
`DELETE`	`/sandbox/disconnect/{provider}`	Remove BYOC sandbox credentials
`GET`	`/residency`	Current region status and available regions
`PUT`	`/residency`	Assign initial region
`GET`	`/residency/migration`	Current migration status
`POST`	`/residency/migrate`	Request region migration
`POST`	`/residency/migrate/:id/retry`	Retry a failed migration
`POST`	`/residency/migrate/:id/cancel`	Cancel a pending migration
`GET`	`/domain`	Get custom domain configuration
`POST`	`/domain`	Add a custom domain
`POST`	`/domain/verify`	Trigger DNS verification
`DELETE`	`/domain`	Remove custom domain

Troubleshooting

Admin page shows "not enabled" message

Cause: The feature requires a dependency that isn't configured — Audit Log and Token Usage need DATABASE_URL, Actions needs ATLAS_ACTIONS_ENABLED=true, Scheduled Tasks needs ATLAS_SCHEDULER_ENABLED=true.

Fix: Set the required environment variable and restart the server. The feature gate message on each page tells you exactly what's missing.

Cause: Your user account doesn't have the admin role, or authentication isn't configured.

Fix: In managed auth, have an existing admin promote your account via Admin > Users. In BYOT mode, ensure your JWT includes the correct role claim. In none auth mode, all users have implicit admin access.

Settings changes don't take effect

Cause: Some settings (Security, Agent) require a server restart, while others (Query Limits, Rate Limiting) apply immediately. The settings page shows a Live or Requires restart badge on each setting.

Fix: Check the badge next to the setting you changed. If it says Requires restart, restart the Atlas server for the change to apply. On app.useatlas.dev (SaaS mode), most settings are picked up on the next request without a restart — though infrastructure settings like LLM provider and model may require redeployment.

For more, see Troubleshooting.

Admin Console

On this page