Onboarding & Account Setup
Everything that happens between "Sign up" and your first campaign send
The Three Sign-Up Paths
Superkabe supports three ways to create an account. The path you take depends on what kind of email address you sign up with — the backend branches on Google's hd (hosted-domain) claim to decide whether your organization can be auto-derived or whether we need to ask you to name it.
Path Selection at a Glance
1. Email + Password
The classic flow. Visit /signup and submit three things: email, password, and an organization name. The backend creates a User and Organization row, hashes your password, sends a verification email via Resend, and sets your JWT cookie. You land on the dashboard immediately — verifying your email later is a soft requirement.
2. Google OAuth — Workspace Account
If you sign in with Google and your account is on a custom domain managed by Google Workspace, Google returns an hd claim with your domain (e.g. acme.com). Superkabe treats that domain as the canonical organization identity: it derives an org name from the domain, creates the org and user, issues your JWT, and redirects to /dashboard. No extra step.
3. Google OAuth — Personal Gmail
If your Google account is a plain @gmail.com address, Google sends back hd: undefined. The backend creates a PendingRegistration record (encrypted tokens, 10-minute TTL) and bounces you to /onboarding. That page asks for one thing: a name for your organization. Once submitted, the backend reads back the pending record, creates the User + Organization, issues your JWT, deletes the pending row, and lands you on /dashboard.
Why Personal Gmail Goes Through /onboarding
A Workspace account has a verified domain, and that domain is what Superkabe uses as the organization's identity (it's also what we'll later attach mailboxes, DNS records, and team members to). A personal Gmail address has no such domain — every gmail.com user shares the same root domain, so we can't derive anything meaningful from it.
Without an explicit naming step, every gmail.com signup would either crash on a uniqueness constraint or default to a generic placeholder like "Personal" — both bad UX. The pending-registration handoff is the cleanest fix: we hold the verified Google identity for 10 minutes while you finish naming your org, then commit everything in a single transaction.
OAuth Decision Flow
Google OAuth callback
│
▼
Inspect googleUser.hd
│
┌────┴─────────────┐
│ │
▼ ▼
hd = "acme.com" hd = undefined
(Workspace) (Personal Gmail)
│ │
▼ ▼
Derive org name Create PendingRegistration
from domain (encrypted tokens, 10-min TTL)
│ │
▼ ▼
Create User+Org Redirect → /onboarding
Issue JWT │
│ ▼
▼ User submits org name
/dashboard │
▼
Read pending → create User+Org
Issue JWT, delete pending
│
▼
/dashboardWhat Happens During Sign-Up
Regardless of which path you take, the backend runs the same six steps inside a single transaction:
- Account creation: A User row and an Organization row are inserted into Postgres. The User is linked to the Organization with role
admin. - Trial activation:
subscription_tier=trial,subscription_status=trialing,trial_started_at=now(),trial_ends_at=now() + 14 days. No card required. - Default Slack alert preferences: A row is seeded so that when you connect Slack later, the standard event types (pause, rotation, healing, threshold breach) are already enabled.
- Consent records: Two append-only rows are written to
audit_consent— one for ToS, one for Privacy — each tagged with version number, IP, and user-agent. - Welcome email: Sent via Resend if
RESEND_API_KEYis configured. If not, the signup still succeeds — the email is best-effort. - JWT cookie: Httponly, secure, SameSite=Lax. Browser is redirected to
/dashboard.
Terms of Service & Privacy Acceptance
Both signup paths require accepting the current ToS and Privacy versions before the account is created. The backend rejects any signup that doesn't carry the correct version numbers in its payload — the checkboxes on the form aren't cosmetic.
Acceptance is recorded as two rows in audit_consent, one per document, with the version number, document path, IP, user-agent, and timestamp. The table is append-only — we never mutate or delete consent records.
Re-Acceptance on Version Bump
If we publish a new ToS or Privacy version, the next time you log in the requireFreshConsent middleware detects the version mismatch and shows a re-acceptance modal before letting you into the dashboard. Your old consent rows stay intact — a new row is appended for the new version.
First-Time Setup Checklist
Once you're on the dashboard, here's what to do in your first thirty minutes — in order:
- Connect at least one mailbox. Settings → Mailboxes → Connect Gmail / Outlook / SMTP. Without a connected mailbox, nothing else works.
- Verify DNS for your sending domain. SPF, DKIM, DMARC must all pass. See the DNS setup guide.
- Connect Slack for alerts. Strongly recommended — protection events are useless if nobody sees them. Slack integration guide.
- Bring in your leads. Pick one: a Clay webhook, a CSV upload, or the API.
- Choose a system mode.
OBSERVE(logs only, for testing),SUGGEST(recommendations, no action), orENFORCE(full automated protection). Start in OBSERVE. - Create your first campaign. Draft a sequence, attach a routing rule, and let leads flow in.
Trial Mechanics
Every new account starts on a 14-day trial with no credit card required. During the trial you have full access to the platform — connect mailboxes, run campaigns, use protection in ENFORCE mode, everything.
When the trial ends and you haven't picked a plan, the account auto-downgrades to a trial-expired state. Sending is blocked (the sequencer refuses to dispatch new emails) but reading is not — you can still log in, view dashboards, and download data. An upgrade prompt appears throughout the UI pointing to /pricing.
Trial State Reference
subscription_tier=trialsubscription_status=trialing— active trial, full accesssubscription_status=trial_expired— read-only, sending blockedsubscription_status=active— paid, full access
Account Roles
When you sign up, you are the only user in your organization, with role admin. Add team members at /dashboard/settings/team.
Role Hierarchy
- super_admin— Superkabe staff only. Cross-org access for support. Never granted to customer accounts.
- admin— Full access to the org: billing, mailboxes, campaigns, team, settings. The signup user gets this by default.
- member— View-only by default. Per-resource permissions (campaigns, mailboxes, leads) are configurable by an admin.
Troubleshooting Common Signup Issues
"OAuth callback redirected me to the landing page"
Known issue: /onboarding wasn't whitelisted in the auth middleware, so personal-Gmail users were bounced back to /. Fixed in commit 37a1a2e on April 29, 2026. If you're still seeing it, hard-refresh and retry — your PendingRegistration is valid for 10 minutes.
"I clicked authorize but never got the welcome email"
Check your spam folder. If it's genuinely missing, sign back in at /login with the same Google account — the welcome email will resend on the next successful login if it failed the first time.
"Workspace signup created the wrong organization name"
The org name is derived from your Workspace domain (e.g. acme.com → "Acme"). Admins can rename at /dashboard/settings/general at any time — the rename is cosmetic and doesn't affect mailbox or DNS configuration.
"I don't have a custom domain"
Personal Gmail works fine for signup — you'll just be prompted to name your organization at /onboarding. You can connect any sending mailbox (Gmail, Outlook, SMTP) afterwards, regardless of which Google account you used to sign up.