
First-time setup

Your IntelliAuth platform admin just provisioned a tenant for you. You signed in to the admin console at https://<tenant>-<org>.<your-domain>/admin. Everything looks empty. Six steps and you're production-ready.

Before you begin
  • Tenant admin access (you wouldn't be reading this otherwise)
  • Your team's domain (cymmetri.com or similar) so you can set email allowlists
  • A logo file + brand colours, if you want to brand before going live
  • 30–60 minutes

On the Dashboard, look at the top-right tenant chip. It should show your tenant slug (e.g., production-cymmetri) and the region. If those are wrong, your platform admin provisioned the wrong tenant or you signed into the wrong one; fix that before continuing.

Authentication → Settings → Authentication policy.

Three decisions:

  • MFA enforcement: off / optional / required. Default to required for production tenants, even if your developers grumble about the first sign-in.
  • Enrolment timing — first sign-in (greets users with a "set up your second factor" page), or on next sign-in after policy change. First-sign-in is the common pick.
  • Allowed methods — WebAuthn / TOTP / SMS / backup codes. WebAuthn + TOTP is the strong baseline; SMS as a fallback for users whose devices don't support either. Backup codes always on.

Save. The policy is live immediately for new sign-ins.

Settings → Password policy.

Minimum length 12, require at least one character from each of: uppercase / lowercase / digit / symbol. Tighter than that is annoying without being meaningfully more secure; password managers solve length, not character classes.

Optional: connect a breached-password feed so the platform rejects passwords that appeared in public dumps. The dump matching is local — no password ever leaves the platform.
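
The same rules expressed as a pre-flight check, useful for testing seed or migration passwords against the policy before import. This is an added example, not IntelliAuth code: the feed format (one SHA-1 hex digest per line), the definition of "symbol", and all function names are assumptions, and the sample feed is constructed.

```python
import hashlib

MIN_LENGTH = 12  # minimum length stated in the password policy step

# Constructed sample feed: SHA-1 digests of two passwords assumed to be in a
# public dump. The digest-per-line format is an assumption, not a platform spec.
SAMPLE_FEED = "\n".join(
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password123!", "Summer2024!!Aa")
)


def load_feed(text):
    """Parse a digest-per-line feed into a set for constant-time local lookups."""
    return {line.strip().upper() for line in text.splitlines() if line.strip()}


def is_symbol(ch):
    # Assumption: a "symbol" is any character that is not a letter, digit or whitespace.
    return not ch.isalnum() and not ch.isspace()


def check_password(password, breached_digests):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    classes = {
        "missing_uppercase": str.isupper,
        "missing_lowercase": str.islower,
        "missing_digit": str.isdigit,
        "missing_symbol": is_symbol,
    }
    for name, predicate in classes.items():
        if not any(predicate(ch) for ch in password):
            problems.append(name)
    # Local match: the digest is computed and compared in-process, nothing is sent out.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if digest in breached_digests:
        problems.append("breached")
    return problems


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    for candidate in ("short1!A", "alllowercaseletters", "Password123!", "Tr4ctor-Lemon-Quilt"):
        print(candidate, "->", check_password(candidate, feed) or "accepted")
```

Note that "Password123!" satisfies the length and character-class rules and is rejected only by the breach match, which is the case the feed exists to catch.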

Branding.

  • Logo — upload your wordmark (SVG preferred; PNG @2x acceptable). Used on the sign-in page and in transactional emails.
  • Theme colour — pick your primary brand colour. The sign-in page applies it to buttons + links + focus rings.
  • Email templates — three templates ship out of the box: verification, recovery, OTP. The defaults are fine; tweak copy + sign-off if you want a more branded voice.

This is the cosmetic step; you can skip it now and come back.

Applications → New application.

Walk through the Create an application guide. For a typical web app:

  • Name: what your users will see ("Cymmetri Banking Web").
  • Type: SPA for browser-only, Server-side if you have a backend doing the OAuth dance.
  • Redirect URIs: every URL the browser might come back to after sign-in. https://app.cymmetri.com/callback and http://localhost:5173/callback for local dev.
  • Allowed origins: every origin that calls your tenant from a browser fetch.
  • Audience: usually https://api.cymmetri.com.

Save. You get a client_id (and a client_secret if the type warrants one). Share the client_id with your developers; keep secrets server-side.

Members → Invite member. Email + role. The invitee receives a link, clicks it, and sets up their tenant admin account. That is the two-line summary; see the full guide for details.

Start with a small set:

  • One or two Administrators (full control).
  • A few Operators (can view + perform routine ops; can't change tenant-wide policy).
  • Anyone else who needs read access as Viewer.

You can refine roles + scopes later.


You're up. Sign-in works. MFA is enforced. Your team is in. Branding looks like yours. Audit is logging every action you took.

What's next:

  • Add the user records your team actually needs. See Users.
  • Set up the audit-log stream to your SIEM if you have one. See Audit overview.
  • Add a first Action if you have any custom logic at sign-in (most tenants live without one for months). See Flows overview.
  • Tighten threat intelligence if you serve consumer traffic. See Threat overview.