Site Settings
This page walks through every option on Admin Dashboard → Settings → General, in the same order you see them in the dashboard. Registration-specific options live on a separate page; email setup lives under Email Settings.
-
01 General
General Settings
Free API Key
Paste your UserSpice API key here to unlock auto-updates, bug reports, and Spice Shaker. Grab one for free from bugs.userspice.com. The Get One Here link beside the field walks you through the process.
Site Name
Used in the <title> tag, the maintenance page, system emails, and as the label your users see in their TOTP authenticator app. Pick something that's distinctly yours so the TOTP entry isn't just "UserSpice."
Copyright Message
Rendered at the bottom of every page. UserSpice automatically prepends the © symbol and the current year, so you only need the rest — typically your organization name.
Error Message Timeout
How long, in seconds, the red error/warning bar at the top of the page stays visible after a redirect with an err= or msg= in the URL. Set to 0 to leave the message up until the user dismisses or navigates away.
Max Users Before Search Engine Turns On
The User Manager uses DataTables for client-side sorting/filtering, which gets sluggish past a few thousand users. When your user count exceeds this number, UserSpice swaps in a server-side search instead. The current user count is shown next to the field as a reference.
Social Login Location
Whether OAuth / Passkey buttons render at the top or bottom of your login and registration forms. Cosmetic only.
Maintenance Mode (Site Offline)
Flips the entire site into maintenance mode. Anyone in the default Administrator permission level (ID 2) and any user listed in $master_account stays logged in and sees a banner; everyone else is logged out and redirected to the maintenance page until you turn it off again.
-
02 Templates & nav
Templates & Navigation
Enable Database-Driven Navigation
Switches between the older file-based navigation (hard-coded in the template) and the newer database-driven menu, which you can edit live from the dashboard. Most modern templates expect database-driven nav.
Main Div Class
The CSS class applied to the wrapping <div> around your page content — typically container or container-fluid in Bootstrap-based templates. You can stack multiple classes with spaces. Not every template honors this; ones that hard-code their wrapper ignore it.
-
03 Security
Security
Force HTTPS Connections
Redirects any HTTP request to HTTPS. Verify your SSL certificate is valid and installed before flipping this on — if HTTPS doesn't actually work, you'll lock yourself out of the dashboard. The Security Dashboard's HTTPS check confirms it's safe to enable.
Force Password Reset (button)
This isn't really a setting — it's a one-shot action. Clicking it sets force_pr = 1 on every user in the database, including you. The next time anyone logs in, they're locked on the user-settings page until they change their password. Use it after a credential leak, or to enforce a fresh password rotation.
Enable User Permission Restrictions
When on, an admin can only grant or revoke permission levels they themselves possess. Useful when you delegate user management to staff but don't want them handing out permissions higher than their own. Levels they can't manage still appear in the UI but with the controls disabled. Keep page administration restricted to level 2 (Administrator) or this can be sidestepped from there.
Enable Page Permission Restrictions
Allows only one permission level per page. The page-permissions UI changes from checkboxes to radio buttons, and the permission-level UI refuses to add a level that's already in use elsewhere. Helpful when you want strict, non-overlapping role hierarchies (User → User Manager → Database Manager → Admin) where a page belongs to exactly one role.
New Pages Default to "Private"
When a brand-new page is detected by the page scanner, it gets created with no permission levels assigned, which means only Administrators can see it. Turn this off if you want new pages to default to public.
Only Allow Cron Jobs From This IP
Restricts UserSpice's cron endpoints to a single source IP address. Leave it blank to accept cron requests from anywhere (you'll usually want to lock this to your server's own IP, or to whatever box is firing your cron). Pairs well with the cron token system.
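One way a custom cron endpoint could apply the same single-IP rule, as an added PHP example that is not UserSpice's own code; normalize_ip() and cron_source_allowed() are hypothetical names and the sample addresses are constructed. It compares addresses in packed form, so an IPv4-mapped or differently spelled IPv6 address still matches, and it rejects anything that does not parse.

```php
<?php
declare(strict_types=1);

// Added example; function names are hypothetical, not UserSpice's API.

/** Packed binary form of an IP, or null if it does not parse. */
function normalize_ip(string $ip): ?string
{
    $ip = trim($ip);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $packed = inet_pton($ip);
    // ::ffff:a.b.c.d is the same host as a.b.c.d, so unwrap it to 4 bytes.
    $mapped = str_repeat("\x00", 10) . "\xff\xff";
    if (strlen($packed) === 16 && substr($packed, 0, 12) === $mapped) {
        return substr($packed, 12);
    }
    return $packed;
}

/** A blank setting accepts any source, as the setting is documented. */
function cron_source_allowed(string $remoteAddr, string $allowedIp): bool
{
    if (trim($allowedIp) === '') {
        return true;
    }
    $remote  = normalize_ip($remoteAddr);
    $allowed = normalize_ip($allowedIp);
    // Fail closed: an address that does not parse is rejected.
    return $remote !== null && $allowed !== null && $remote === $allowed;
}

// Constructed samples: [connection address, configured cron IP].
$samples = [
    ['203.0.113.10',        '203.0.113.10'],         // exact match
    ['::ffff:203.0.113.10', '203.0.113.10'],         // dual-stack socket form
    ['2001:DB8::1',         '2001:db8:0:0:0:0:0:1'], // same IPv6, other spelling
    ['198.51.100.7',        '203.0.113.10'],         // other host
    ['198.51.100.7',        ''],                     // blank setting
    ['not-an-ip',           '203.0.113.10'],         // garbage input
];
foreach ($samples as [$remote, $allowed]) {
    $verdict = cron_source_allowed($remote, $allowed) ? 'allow' : 'deny';
    printf("%-20s vs %-22s => %s\n", $remote, $allowed ?: '(blank)', $verdict);
}
```

Feed the check the connection's peer address ($_SERVER['REMOTE_ADDR']); a header such as X-Forwarded-For is supplied by the requester and can carry any value.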
-
04 User & auth
User Settings
Enable Passkeys
WebAuthn / Passkey login. The user's identity is held by a credential on their own device (Touch ID, Face ID, hardware key, etc.) instead of a password on your server. Requires PHP 8.2+ and a defined PASSKEY_RP_ID in users/init.php — the Security Dashboard will write the right RP ID for your host automatically. If either prerequisite is missing, the toggle is replaced with a disabled message explaining why.
Enable TOTP (Two-Factor Authentication)
Lets users add a TOTP authenticator (Google Authenticator, 1Password, Authy, etc.) to their account. Three modes: Disabled, Optional (each user decides), or Required (everyone must enroll on next login). Requires PHP 8.2+ and a working crypto backend (sodium, or OpenSSL with AES-256-GCM). The indicator beside the label tells you whether encryption is ready.
Password Logins
Three options: Enabled (normal username/password login), Disabled (passwords are off entirely — make sure you have OAuth, Passkey, or email login working first, or you'll lock yourself out), or Disabled except localhost (passwords still work from 127.0.0.1 or ::1, useful if you need a break-glass admin login on the server itself).
Passwordless Code Length
Number of characters in the one-time code emailed to users when they use the email-code login flow. Range is 4–12. Longer is harder to guess but more annoying to type.
Allow Passwordless Logins
Email-based login. Four options: Disabled, Magic link (user clicks a link in their email), Code (user types the code from their email back into the form), or Either. The code option is recommended if your users sit behind aggressive antivirus/email-security tools that "preview" links — that preview can consume the magic link before the user gets to it. Verification URLs come from your Email Settings; debug overrides live in usersc/scripts/passwordless_login_overrides.php.
Force Password Reset on Manual Creation
When you create a user from the admin panel, they're flagged with force_pr = 1 and emailed a reset link. The password you typed in the form gets ignored. Useful so you never know your users' actual passwords.
Redirect After Login
The path users land on after a successful login. Admins are redirected to the dashboard instead unless you intercept that with code in usersc/scripts/custom_login_script.php.
echouser Function
Controls the format of the echouser() helper. Choices include FName LName, Username, Username (FName LName), Username (FName), and FName + first initial of LName. If echouser() can't find the user, it returns "Deleted." Use echousername() if you specifically want the username regardless of this setting.
Enable OAuth Server
Turns this UserSpice install into a centralized OAuth provider so other apps (other UserSpice sites, WordPress, anything that speaks OAuth 2.0) can authenticate users against it. Configure clients under the developer/API screens once enabled.
-
05 Debug
Debug Mode
Writes much more detail to the logs — form submissions, database queries, redirects. Three modes:
- 0 Off — normal logging.
- 1 User ID 1 only — debug logs only fire for the original master user. Safe for production: regular users don't generate the noise.
- 2 Everyone — every request logs. Useful for chasing intermittent bugs but generates a lot of data fast. Don't leave this on long-term.
Debug logs have their own viewer at Admin → Logs → Debug Mode.
-
06 Language
Language
Default Language
The dropdown is built from the files in users/lang/, so any language pack you drop into that folder shows up automatically. Additional language packs are available at userspice.com/translations.
Allow Users to Change Their Language
When on, logged-in users can pick their own language in their account settings, and visitors can change it for their session. When off, everyone is stuck with the default.
-
07 Updates
Update Track
Which channel UserSpice pulls updates from. Three options:
- Production (Stable) — only fully released updates. Recommended for any production site.
- Bleeding Edge (Beta / Early Release) — preview upcoming releases. Great for kicking the tires on a staging site.
- Experimental (In Development) — the riskiest channel; features that are still under construction. Use this only on a throwaway install where you can break things.