
Adding a SafeWatch Account

SafeWatch accounts are stored in appsettings.json. There is no UI for account management.


Step 1: Generate a BCrypt hash

Use the .NET REPL or a script:

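// In a .NET project or csharp REPL:
using System;
// Fully qualified: a bare "BCrypt" binds to the BCrypt namespace, not the BCrypt.Net.BCrypt class.
Console.WriteLine(BCrypt.Net.BCrypt.HashPassword("your-password-here", workFactor: 12));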

Or use the online tool at bcrypt.online (only for non-production passwords).

Warning

Use work factor 12 for production. Work factor 4 is only for test/dev (faster CI).


Step 2: Add the account to appsettings.json

Open SimCopilot.Api/src/SimCopilot.Api/appsettings.json:

{
  "SafeWatch": {
    "Accounts": [
      { "Username": "sysadmin", "PasswordHash": "$2a$12$...", "Role": "sys_admin" },
      { "Username": "newuser",  "PasswordHash": "$2a$12$...", "Role": "product" }
    ]
  }
}

Valid roles: sys_admin, product, support, ceo.


Step 3: Redeploy

Restart the API for the change to take effect. On Railway, push the config change to main and the deployment will restart automatically.
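
A pre-deploy check for the accounts array from Steps 1 and 2, written here as an added example and not part of the SafeWatch code base. It flags placeholder or truncated hashes, work factors below 12, and roles outside the valid list. The function name `lint_accounts`, the uniqueness rule for usernames, and the sample config are assumptions made for illustration.

```python
import json
import re

# bcrypt modular-crypt format: $2<variant>$<2-digit cost>$<22-char salt + 31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
VALID_ROLES = {"sys_admin", "product", "support", "ceo"}  # role list from this page
MIN_COST = 12  # production work factor from this page's warning


def lint_accounts(config_text, min_cost=MIN_COST):
    """Return a list of problems in SafeWatch:Accounts (empty list means OK)."""
    accounts = json.loads(config_text).get("SafeWatch", {}).get("Accounts", [])
    problems, seen = [], set()
    for i, acct in enumerate(accounts):
        name = acct.get("Username") or ""
        label = name or f"entry #{i}"
        if not name:
            problems.append(f"{label}: missing Username")
        elif name in seen:
            # Assumption: usernames are expected to be unique.
            problems.append(f"{label}: duplicate Username")
        seen.add(name)
        if acct.get("Role") not in VALID_ROLES:
            problems.append(f"{label}: invalid Role {acct.get('Role')!r}")
        match = BCRYPT_RE.match(str(acct.get("PasswordHash", "")))
        if match is None:
            # Catches plaintext, truncated hashes and the "$2a$12$..." placeholder.
            problems.append(f"{label}: PasswordHash is not a complete bcrypt hash")
        elif int(match.group(1)) < min_cost:
            problems.append(
                f"{label}: work factor {int(match.group(1))} is below {min_cost}")
    return problems


# Constructed sample: format-valid placeholder strings, not real password hashes.
SAMPLE = json.dumps({"SafeWatch": {"Accounts": [
    {"Username": "sysadmin", "PasswordHash": "$2a$12$" + "A" * 53, "Role": "sys_admin"},
    {"Username": "newuser", "PasswordHash": "$2a$04$" + "B" * 53, "Role": "product"},
    {"Username": "draft", "PasswordHash": "$2a$12$...", "Role": "admin"},
]}})

if __name__ == "__main__":
    for problem in lint_accounts(SAMPLE):
        print(problem)
```

Passing `min_cost=4` matches the test/dev work factor, so the same check can run against CI configuration.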


Removing an Account

Delete the account entry from the SafeWatch:Accounts array in appsettings.json and redeploy.

Note

Active sessions using a removed account will expire within 4 hours (the cookie TTL). There is no forced logout mechanism in V1.


Password Reset

To change a password: generate a new BCrypt hash and update PasswordHash in appsettings.json. Redeploy. The user must log in again after their current session expires.