AdminWrapper is a config-driven admin layer for SaaS products. Connect to your existing database, auth provider, and integrations — get user management, feature flags, billing, analytics, and support wired up in one place.
* based on analysis of common admin panel patterns across user management, auth, billing, analytics, flags, and audit logging
Admin panels are the most-rebuilt, least-celebrated part of every SaaS. Same modules, same integrations, wired up again and again by every team.
User search, ban flows, password resets, RBAC — built fresh every time. Zero competitive advantage, pure infrastructure toil that shipping teams can never get back.
engineering_waste.tsStripe, Intercom, Mixpanel, LaunchDarkly — every team independently builds and maintains the same connectors. The plumbing is identical. The effort is never shared.
integration_hell.tsHomegrown panels rarely log who did what, when, or from where. SOC 2 audits and incident postmortems become painful exercises in reconstruction after the fact.
compliance_gap.tsRetool and Forest Admin are powerful but neither ships with actions pre-wired or integrations already connected. You're still building — just with a different UI on top.
retool_fatigue.tsfig. 1 — module & connector architecture
The same product. Two timelines. One team uses AdminWrapper on day one. The other builds from scratch.
adminwrapper.config.ts — point at your DB, auth provider, and integrationsAdminWrapper runs as an isolated sidecar process alongside your application. Zero changes to your existing codebase. Connect via a single config file pointing at your existing infrastructure.
Works with any Node.js backend — Next.js, Express, Fastify, NestJS, or standalone. Node 18+ required.
The CLI detects your stack, prompts for integrations, and writes adminwrapper.config.ts and your .env entries.
AdminWrapper runs as a sidecar on port 3001. Zero changes to your app. Hot-reloads when config changes.
Ship with a single command. Integrations connect via environment variables. Works with Docker, Railway, Render, and bare VMs.
import { defineConfig } from 'adminwrapper' export default defineConfig({ app: { name: 'My SaaS', url: 'https://app.mysaas.com', }, database: { adapter: 'postgres', url: process.env.DATABASE_URL, userTable: 'users', }, auth: { provider: 'supabase', serviceKey: process.env.SUPABASE_SERVICE_KEY, }, modules: { users: { enabled: true }, auth: { enabled: true }, featureFlags: { enabled: true }, billing: { enabled: true, // 'stripe' | 'paddle' | 'razorpay' provider: 'stripe', secretKey: process.env.STRIPE_SECRET_KEY, }, support: { enabled: true, provider: 'intercom', token: process.env.INTERCOM_TOKEN, }, analytics: { enabled: true, provider: 'mixpanel' }, auditLog: { enabled: true, retention: 90 }, notify: { enabled: true, provider: 'sendgrid' }, }, roles: [ { name: 'superadmin', permissions: ['*'] }, { name: 'support', permissions: ['users.read', 'users.reset', 'support.*'] }, { name: 'finance', permissions: ['billing.*'] }, { name: 'analyst', permissions: ['analytics.read'] }, ], })
Every module ships with real actions — not just data views. Ban a user, flip a flag, issue a refund, reset a password. All from a single panel your whole team can use.
Search, view, edit, impersonate, ban, delete. Email and username changes with full history.
Password resets, email changes, MFA management, OAuth unlinking, session revocation.
Built-in engine plus LaunchDarkly connector. % rollouts, cohort targeting, kill switches.
Funnels, retention, cohort analysis. Mixpanel, Segment, Amplitude pre-wired and ready.
Ticket history, in-app messages, full user context alongside every conversation.
Plan changes, refunds, invoice history, trial extensions. Stripe, Paddle, and Razorpay pre-wired.
Every admin action logged — actor, timestamp, IP, before/after values. Auto-enabled, always on.
Email, push, SMS to users or segments. SendGrid, Twilio, Firebase FCM integrated.
Superadmin, support, finance, analyst role templates with fine-grained permission overrides.
fig. 2 — users.module panel preview
AdminWrapper connects to your existing infrastructure via adapters and exposes a unified admin interface. Nothing touches your application code.
Connects to your existing database via a typed adapter. Inspects your user table schema at startup and maps operations to your actual column names — no migration, no new tables, no schema changes. Works with PostgreSQL, MySQL, MongoDB, Supabase, and PlanetScale.
Auth operations (password reset, email change, MFA revoke, session invalidation) execute directly against your auth provider's admin API using a service-level key. AdminWrapper never stores credentials — it proxies signed requests with full audit logging on every call.
Every integration implements the same typed Connector interface: read(), write(), and action(). The panel calls connectors at runtime — no data is synced, cached, or duplicated between AdminWrapper and your source systems.
Every write operation passes through audit middleware before execution. The record captures actor ID, session fingerprint, source IP, action type, target entity, before-state, after-state, and timestamp — stored in your own database. Exportable as JSON or CSV.
The feature flag module ships with a built-in evaluation engine — no LaunchDarkly account required. Target by user ID, email domain, plan, cohort, or a random percentage of traffic.
Toggle flags from the panel without a code deploy. Flip a kill switch in seconds if something goes wrong in production.
fig. 3 — flags.module + audit.module · toggles are interactive
AdminWrapper ships with connectors already built — not docs telling you how to build them yourself. Connect via config file or environment variables. No plumbing code required.
adminwrapper.config.tsConnector interface, handles API auth internallyAdminWrapper isn't opinionated about your product shape. Whether you're a solo founder who needs a working admin panel by tomorrow, a B2B company managing enterprise orgs, or a compliance team that needs every action logged — the same modules serve all of it.
The role system adapts to your team structure. Your support agent gets read access and reset actions. Your finance team sees billing. Your superadmin sees everything. Configured in one file.
Launch with a full admin panel on day one. Never rebuild user management for the third project in a row. The setup means you're back to building your actual product the same day.
Give your support team tools from day one — password resets, account management, refund handling — without burning an engineering sprint on internal tooling that generates zero revenue.
Run A/B tests, roll out features to specific cohorts, and flip flags without a code deploy. PMs control releases independently — engineering stays focused on building product.
Every admin action auto-logged with timestamps, IPs, and actor IDs from day one. SOC 2 and GDPR audits become straightforward — no retroactive logging, no coverage gaps.
Manage buyers, sellers, and moderators with different permission levels. Handle disputes, refunds, and account reviews from a single unified panel across both sides of the market.
Manage organisations as first-class entities. See feature adoption per org, upgrade or downgrade plans, and send targeted messages to accounts showing churn signals.
Monitor API usage per customer, manage rate limits, issue and revoke tokens — without building a custom developer dashboard from scratch alongside your actual product.
Moderate users at scale. One-click bans, username changes, trust level assignments, and warning systems — all prebuilt with a complete audit trail for every moderation decision.
Existing tools either require too much setup, cover only part of the admin surface area, or cost too much for early-stage teams. AdminWrapper is purpose-built for this specific problem.
Retool is a low-code builder — you still build the admin panel yourself, just with a visual editor. It doesn't ship with modules prebuilt or integrations pre-wired. AdminWrapper gives you a working panel from a config file, not a drag-and-drop session.
Forest Admin generates UI from your database schema. It's the closest existing alternative but still requires schema-specific configuration, doesn't ship integrations pre-wired, and starts at $50+/month — too expensive for early-stage teams.
The real alternative is building it yourself — again. It takes 3–6 weeks of senior engineering time, misses features like audit logs and feature flags, and creates ongoing maintenance. AdminWrapper offloads that permanently.
| Feature | AdminWrapper | Retool | Forest Admin | In-house |
|---|---|---|---|---|
| Working panel from config | ✓ Yes | ✗ Days | ✗ Hours | ✗ Weeks |
| Integrations pre-wired | ✓ 20+ | ~ Build | ~ Partial | ✗ Scratch |
| Actions (not just views) | ✓ Full | ~ DIY | ✓ Yes | ~ If built |
| Audit log always on | ✓ Always | ✗ Manual | ✓ Yes | ✗ Rarely |
| Feature flag module | ✓ Built in | ✗ No | ✗ No | ~ External |
| Self-hostable, MIT licensed | ✓ MIT | ✗ Cloud | ✗ Cloud | ✓ Yes |
| RBAC role templates | ✓ Prebuilt | ~ DIY | ~ Custom | ✗ Build |
| No per-seat pricing | ✓ None | ✗ $10+ | ✗ $50+ | ✓ N/A |
AdminWrapper connects to your auth provider, database, and payment processor using service-level credentials. Here's exactly what happens — and doesn't happen — with them.
API keys and service tokens are stored as environment variables on your server — never transmitted to AdminWrapper servers, never logged, never written to the config file that goes into version control. The .env file is gitignored by default on init.
AdminWrapper is a sidecar — every read is live from your source, every write goes directly to your destination. No user records, payment data, or event data is cached. If you remove AdminWrapper, nothing needs to be migrated or deleted.
The setup wizard requests only the minimum scopes each integration requires. Stripe read-only for invoice viewing, Stripe write only if billing actions are enabled. Each connector documents exactly which permissions it needs and why.
AdminWrapper ships with its own auth layer. Admins log in via SSO (Google, GitHub) or email magic link. Sessions are short-lived. Sensitive actions (ban, delete, refund) require re-authentication or MFA confirmation per session.
There is no way to perform a write operation in AdminWrapper without it being logged. The audit trail is append-only, stored in your own database, and cannot be disabled. If an admin account is compromised, the full blast radius is reconstructable.
AdminWrapper runs on a separate port (default: 3001) and can be placed behind an internal VPN or IP allowlist with a single config flag. The panel is designed to never be on the public internet.
We take security reports seriously. Use the contact form below to report a vulnerability and we'll respond within 24 hours.
The technical spec that defines what AdminWrapper must be, how it behaves, and what's explicitly out of scope for v1.
TypeScript monorepo. Node 18+. Prisma-compatible adapter layer. Fastify under the hood. Runs as a standalone sidecar — no framework coupling.
Runs anywhere Node runs. Ships as a Docker image. Deploy to Railway, Render, Fly.io, or bare EC2. One env file. One command.
Every module is a plugin. Every integration is a connector package. Override any default behaviour through the config file.
Self-host it free, forever. Upgrade for managed hosting, SSO, and enterprise compliance. No per-seat pricing — ever.
Self-hosted. MIT license. Full source. Every module, every connector, no restrictions on usage or team size.
Managed hosting, zero ops. For teams that want to move fast without maintaining self-hosted infrastructure.
For products with compliance requirements, dedicated SLAs, and bespoke integration needs at scale.
No. AdminWrapper is priced per installation, not per admin user. Add as many team members as you need — support agents, engineers, finance — no extra charge.
AdminWrapper is a sidecar — it reads from and writes to your own infrastructure. We never store your user data. The audit log lives in your database. You own everything.
Yes. The open-source version includes all core modules and connectors. SSO, managed hosting, and SLAs are Cloud and Enterprise tier features. The MIT license lets you do whatever you want with the source.
Cloud hosting is planned for Phase 3 of the roadmap (~Q4 2026). Join the waitlist via the early access form and we'll notify you when it launches.
Every phase ships something useful on its own. The goal isn't feature completeness — it's making each release the thing you actually need right now.
The foundational modules every SaaS needs. Connect your DB, get a working panel with search, ban, impersonate, and auth reset. The audit log is on from the first action.
Expand with the integrations teams waste the most time rebuilding. Stripe, Intercom, Mixpanel, and Razorpay — wired up, not just documented.
The embedded feature flag engine — no external service required. Cloud managed hosting tier launches for teams who don't want to self-host.
SOC 2 tooling, SAML SSO, and a connector registry enabling third-party integrations beyond the core set.
AI-powered layer on top — unusual admin behaviour flagged automatically, at-risk accounts surfaced, natural language search across your user base.
AdminWrapper is in active development. Phase 1 (core user management, auth, RBAC, and audit modules) is the current focus. Early access requests are open for design partners who want to use it against real data and shape the product.
From scoped spec to production-ready release. Fast enough to stay ahead of the feedback loop, slow enough to ship things that actually work without edge-case landmines.
We're looking for a small cohort of teams to use AdminWrapper against real production data during development. In exchange you get direct input on priorities, early access, and a seat on the product decision loop. Request access →
The core will always be MIT licensed and self-hostable. Paid features are operational — managed hosting, SLAs, enterprise SSO — not product features locked behind a paywall.
AdminWrapper is under active development. Request early access to be part of the first design partner cohort and shape the product.
// MIT licensed · self-hosted or cloud · Node 18+ · TypeScript-first