docs: document ALLOW_SIGNUPS for self-hosted instances

package.json

@@ -34,7 +34,7 @@
     "next-sitemap": "^4.2.3",
     "postcss": "^8.4.31",
     "postcss-focus-visible": "^6.0.4",
-    "posthog-js": "^1.342.1",
+    "posthog-js": "^1.372.4",
     "react": "18.2.0",
     "react-dom": "18.2.0",
     "react-highlight-words": "^0.20.0",

public/access-control/authentication.md

@@ -24,6 +24,8 @@ User authentication in Phase is designed for seamless and secure web access. Pha
 
 Email and password authentication is available by default with no additional configuration. Users can sign up with their email address and a password, verify their email, and log in.
 
+On self-hosted instances, operators can require an invite for any new account by setting [`ALLOW_SIGNUPS=false`](/self-hosting/configuration/envars#sign-ups). Existing users keep signing in normally; only self-service sign-up is gated.
+
 
 <div className="not-prose">
   <Button

public/self-hosting/configuration/envars.md

@@ -350,6 +350,33 @@ Env(s) required by the following containers:
 
 ---
 
+## Sign-ups
+
+Self-service sign-up is **on by default** so a fresh self-hosted instance can be bootstrapped without extra configuration. Once your team is fully onboarded, set `ALLOW_SIGNUPS=false` and restart to close the door on strangers — invites continue to work, and existing users keep signing in normally.
+
+<Properties>
+  <Property name="ALLOW_SIGNUPS" type="boolean (Optional)">
+    Whether new users can sign themselves up. Defaults to `true`.
+
+    Set to `false` (or `0` / `no`) to require an [invite](/access-control/users) for any new account. The gate applies to both password sign-up and first-time SSO sign-in for an unrecognised email — invited emails always pass through, since the invite is the operator's affirmative consent for that address.
+
+    What is **not** affected:
+    - Existing users continue to sign in via password or SSO.
+    - Password change and recovery flows for existing users.
+    - Invite acceptance — the whole point of disabling self-signup is to keep this as your sole on-ramp.
+
+    Frontend behaviour when disabled: the login and sign-up pages render normally. The backend rejects stranger sign-ups with a `403` and the toast message *"Sign-ups are disabled on this instance. Ask an administrator to invite you."* — invitees with a pending invite for that email pass through.
+
+    Reversible at any time without data migration. Referenced by the [`frontend`](https://hub.docker.com/r/phasehq/frontend) and [`backend`](https://hub.docker.com/r/phasehq/backend) containers.
+  </Property>
+</Properties>
+
+<Note>
+For org-level access control beyond signup gating — e.g. enforcing that everyone in your organisation must sign in via your IdP — configure [organisation SSO](/access-control/authentication/sso) instead. `ALLOW_SIGNUPS` is the instance-wide gate; SSO enforcement is per-org.
+</Note>
+
+---
+
 ## Password authentication
 
 Password authentication is available by default with no additional configuration.

src/pages/access-control/authentication/index.mdx

@@ -24,6 +24,8 @@ User authentication in Phase is designed for seamless and secure web access. Pha
 
 Email and password authentication is available by default with no additional configuration. Users can sign up with their email address and a password, verify their email, and log in.
 
+On self-hosted instances, operators can require an invite for any new account by setting [`ALLOW_SIGNUPS=false`](/self-hosting/configuration/envars#sign-ups). Existing users keep signing in normally; only self-service sign-up is gated.
+
 
 <div className="not-prose">
   <Button

src/pages/self-hosting/configuration/envars.mdx

@@ -350,6 +350,33 @@ Env(s) required by the following containers:
 
 ---
 
+## Sign-ups
+
+Self-service sign-up is **on by default** so a fresh self-hosted instance can be bootstrapped without extra configuration. Once your team is fully onboarded, set `ALLOW_SIGNUPS=false` and restart to close the door on strangers — invites continue to work, and existing users keep signing in normally.
+
+<Properties>
+  <Property name="ALLOW_SIGNUPS" type="boolean (Optional)">
+    Whether new users can sign themselves up. Defaults to `true`.
+
+    Set to `false` (or `0` / `no`) to require an [invite](/access-control/users) for any new account. The gate applies to both password sign-up and first-time SSO sign-in for an unrecognised email — invited emails always pass through, since the invite is the operator's affirmative consent for that address.
+
+    What is **not** affected:
+    - Existing users continue to sign in via password or SSO.
+    - Password change and recovery flows for existing users.
+    - Invite acceptance — the whole point of disabling self-signup is to keep this as your sole on-ramp.
+
+    Frontend behaviour when disabled: the login and sign-up pages render normally. The backend rejects stranger sign-ups with a `403` and the toast message *"Sign-ups are disabled on this instance. Ask an administrator to invite you."* — invitees with a pending invite for that email pass through.
+
+    Reversible at any time without data migration. Referenced by the [`frontend`](https://hub.docker.com/r/phasehq/frontend) and [`backend`](https://hub.docker.com/r/phasehq/backend) containers.
+  </Property>
+</Properties>
+
+<Note>
+For org-level access control beyond signup gating — e.g. enforcing that everyone in your organisation must sign in via your IdP — configure [organisation SSO](/access-control/authentication/sso) instead. `ALLOW_SIGNUPS` is the instance-wide gate; SSO enforcement is per-org.
+</Note>
+
+---
+
 ## Password authentication
 
 Password authentication is available by default with no additional configuration.

yarn.lock

@@ -549,17 +549,17 @@
   resolved "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz"
   integrity sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==
 
-"@posthog/core@1.20.1":
-  version "1.20.1"
-  resolved "https://registry.yarnpkg.com/@posthog/core/-/core-1.20.1.tgz#bb5e291bf59aad4bdecb9ed5d1802d297d809c1d"
-  integrity sha512-uoTmWkYCtLYFpiK37/JCq+BuCA/OZn1qQZn5cPv1EEKt3ni3Zgg48xWCnSEyGFl5KKSXlfCruiRTwnbAtCgrBA==
+"@posthog/core@1.27.8":
+  version "1.27.8"
+  resolved "https://registry.yarnpkg.com/@posthog/core/-/core-1.27.8.tgz#1f37e03113eeff574f3cbf793ab392e8dbb8fa32"
+  integrity sha512-zsfDm8oL8TmHKipCw3/f12up8pI8xitecPfsrtMiRigeAfonvk07CLW/WaiNxRVvrmgXE12xthmaMEaCrziOIQ==
   dependencies:
-    cross-spawn "^7.0.6"
+    "@posthog/types" "1.372.4"
 
-"@posthog/types@1.342.1":
-  version "1.342.1"
-  resolved "https://registry.yarnpkg.com/@posthog/types/-/types-1.342.1.tgz#a4d5f7b44539641e910f36818fd4b6aa41022a2f"
-  integrity sha512-bcyBdO88FWTkd5AVTa4Nu8T7RfY0WJrG7WMCXum/rcvNjYhS3DmOfKf8o/Bt56vA3J3yeU0vbgrmltYVoTAfaA==
+"@posthog/types@1.372.4":
+  version "1.372.4"
+  resolved "https://registry.yarnpkg.com/@posthog/types/-/types-1.372.4.tgz#dcec1864702a757b5933fb0f2f6c2c224443d41d"
+  integrity sha512-BWLXdMbrePQX/Q1hohbbxBr9EHEgnZroUX0ivx42HCzBisbYXDtuHGF4xaojapYVby1LtWVI6pa1CDx1HOZSyA==
 
 "@protobufjs/aspromise@^1.1.1", "@protobufjs/aspromise@^1.1.2":
   version "1.1.2"
@@ -1720,15 +1720,6 @@ cross-spawn@^7.0.0, cross-spawn@^7.0.2:
     shebang-command "^2.0.0"
     which "^2.0.1"
 
-cross-spawn@^7.0.6:
-  version "7.0.6"
-  resolved "https://registry.yarnpkg.com/cross-spawn/-/cross-spawn-7.0.6.tgz#8a58fe78f00dcd70c370451759dfbfaf03e8ee9f"
-  integrity sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==
-  dependencies:
-    path-key "^3.1.0"
-    shebang-command "^2.0.0"
-    which "^2.0.1"
-
 cssesc@^3.0.0:
   version "3.0.0"
   resolved "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz"
@@ -2211,10 +2202,10 @@ dompurify@^3.2.5:
   optionalDependencies:
     "@types/trusted-types" "^2.0.7"
 
-dompurify@^3.3.1:
-  version "3.3.1"
-  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.3.1.tgz#c7e1ddebfe3301eacd6c0c12a4af284936dbbb86"
-  integrity sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==
+dompurify@^3.3.2:
+  version "3.4.1"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-3.4.1.tgz#521d04483ac12631b2aedf434a5f5390933b8789"
+  integrity sha512-JahakDAIg1gyOm7dlgWSDjV4n7Ip2PKR55NIT6jrMfIgLFgWo81vdr1/QGqWtFNRqXP9UV71oVePtjqS2ebnPw==
   optionalDependencies:
     "@types/trusted-types" "^2.0.7"
 
@@ -5165,20 +5156,20 @@ postcss@^8.4.31:
     picocolors "^1.1.1"
     source-map-js "^1.2.1"
 
-posthog-js@^1.342.1:
-  version "1.342.1"
-  resolved "https://registry.yarnpkg.com/posthog-js/-/posthog-js-1.342.1.tgz#9c030513104c39a0c7413c54b7e1134bca21a1e5"
-  integrity sha512-mMnQhWuKj4ejFicLtFzr52InmqploOyW1eInqXBkaVqE1DPhczBDmwsd9MSggY8kv0EXm8zgK+2tzBJUKcX5yg==
+posthog-js@^1.372.4:
+  version "1.372.4"
+  resolved "https://registry.yarnpkg.com/posthog-js/-/posthog-js-1.372.4.tgz#cbeb515351f98818b2f1088fef21a4bfdff7fc56"
+  integrity sha512-dQssG6hvRsC7noZYJvU3ETwege6tuLWtIO4hfYyCawbMmrGjGfNiwHXqsaXr7VMUturHZ86OVVkP1awLfn3JLg==
   dependencies:
     "@opentelemetry/api" "^1.9.0"
     "@opentelemetry/api-logs" "^0.208.0"
     "@opentelemetry/exporter-logs-otlp-http" "^0.208.0"
     "@opentelemetry/resources" "^2.2.0"
     "@opentelemetry/sdk-logs" "^0.208.0"
-    "@posthog/core" "1.20.1"
-    "@posthog/types" "1.342.1"
+    "@posthog/core" "1.27.8"
+    "@posthog/types" "1.372.4"
     core-js "^3.38.1"
-    dompurify "^3.3.1"
+    dompurify "^3.3.2"
     fflate "^0.4.8"
     preact "^10.28.2"
     query-selector-shadow-dom "^1.0.1"