Operator enrollment

Register a new governed operator

The registration endpoint can accept a signed onboarding token for paid tenants, but it still follows the same session flow and cookie-backed authentication model.

Inputs: Username, email, password
Optional: Onboarding token for paid tenants
Output: Operator record or session
Policy: No tokens in localStorage
Use this path when a new operator is joining an existing tenant.
The backend validates every field and returns field-level errors for correction.
Successful registration returns the operator to sign-in unless the backend immediately issues a session.
Create access

Create a governed account

httpOnly cookie

Use the tenant identity you were issued or registered with.

Used for profile recovery and operational contact.

Passwords never leave the browser except inside the auth POST body.

Required only when joining a paid tenant from a bootstrap or operator upgrade flow.

The backend sets an httpOnly cookie. Claims are extracted server-side, and limited operators are routed to My access until a tenant onboarding token or elevated claim set is present.

Enrolment posture

Registration is the controlled entry point for a new operator. If the backend rejects the payload, the form maps the validation messages back to the relevant fields. When the backend only creates the user record, without issuing a session, the form returns the operator to sign-in.
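
A way to check the policy stated above (httpOnly session cookie, no tokens reaching localStorage) against a captured registration response, as an added example that is not this product's code. The cookie name `session`, the response field names and the sample responses are assumptions constructed for illustration, and the Secure and SameSite checks go beyond what the page states.

```javascript
// Added example: audit a registration/sign-in response against the policy
// "httpOnly cookie, no tokens in localStorage". Cookie name and body field
// names are assumptions; the sample responses are constructed.

// Parse one Set-Cookie header value into { name, attrs } (attr keys lowercased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const attrs = {};
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf("=");
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, pair.indexOf("=")), attrs };
}

// Collect paths of JSON keys that look like bearer material a script could store.
function findTokenFields(obj, path = "") {
  if (obj === null || typeof obj !== "object") return [];
  return Object.entries(obj).flatMap(([k, v]) => {
    const p = path ? `${path}.${k}` : k;
    return (/token|jwt|secret/i.test(k) ? [p] : []).concat(findTokenFields(v, p));
  });
}

// Return a list of findings; an empty list means the response meets the policy.
function auditAuthResponse(setCookieHeaders, body, cookieName = "session") {
  const findings = [];
  const cookie = setCookieHeaders.map(parseSetCookie).find((c) => c.name === cookieName);
  // No cookie is acceptable: registration may only create the user record.
  if (cookie) {
    if (!cookie.attrs.httponly) findings.push("cookie missing HttpOnly");
    if (!cookie.attrs.secure) findings.push("cookie missing Secure");
    const sameSite = String(cookie.attrs.samesite || "").toLowerCase();
    if (sameSite !== "lax" && sameSite !== "strict") findings.push("cookie SameSite not Lax/Strict");
  }
  for (const p of findTokenFields(body)) findings.push(`token-like field in body: ${p}`);
  return findings;
}

// Constructed sample responses.
const GOOD = { cookies: ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
               body: { operator: { username: "alice" } } };
const BAD = { cookies: ["session=abc123; Path=/"],
              body: { operator: { username: "alice" }, accessToken: "constructed-value" } };

console.log(auditAuthResponse(GOOD.cookies, GOOD.body));
console.log(auditAuthResponse(BAD.cookies, BAD.body));
```

An empty findings list for a response with no cookie is intentional, since registration may only create the user record and send the operator back to sign-in.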