Skip to content

Portal access — step-by-step setup for all users

Goal: Give every team role (trustees, mentors, students, parents, Omesh) access to both portals using email and password.


Portal 1: portal.stemracing.us (STEM Racing official)

No setup needed. This portal is public — no login required. Everyone can access training, rules, and competition info by visiting the URL directly.

Share these links with all team members:

Resource URL
Portal home https://portal.stemracing.us
Rules & regulations https://portal.stemracing.us/rules
Virtual training guide https://portal.stemracing.us/virtual-training-guide
Acing your interviews https://portal.stemracing.us/virtual-training/acing-your-interviews
Competition classes https://www.stemracing.us/competition-classes

Competition registration (when open for 2026–27 season): Follow steps on https://portal.stemracing.us under "Competition Information." Registration typically requires the lead adult (Alex) to register the team. Students do not need individual accounts.


Portal 2: docs.apexstem.org (internal wiki)

This requires setup. Currently: Cloudflare Access with One-time PIN, only ~3 trustees.

Target state: Email/password login for all roles, with access scoped by role.

Understanding your options

Cloudflare Access does not have a built-in email/password database. It delegates authentication to an identity provider (IdP). Your options for email/password:

Option What users see Setup time Cost Best for
Auth0 (recommended for email/password) Standard email/password login form ~30 min Free (up to 25,000 monthly users) Any user with any email address
One-time PIN (current) Enter email → get 6-digit code Already done Free Small groups, backup method

Recommendation: Set up Auth0 as the primary login (true email/password) with One-time PIN as backup. This gives every user a standard login form regardless of email provider.


Step 1: Create an Auth0 tenant (free) — ~10 min

  1. Go to auth0.com and sign up (or log in).
  2. Create a new tenant — name it something like apexstem.
  3. Your tenant domain will be: apexstem.us.auth0.com (or similar).

Step 2: Create an Auth0 application — ~5 min

  1. In Auth0 dashboard → ApplicationsApplicationsCreate Application.
  2. Name: Apex STEM Wiki
  3. Type: Regular Web Application
  4. Click Create.
  5. Go to the Settings tab. Note these values (you'll need them for Cloudflare):
  6. Domain (e.g., apexstem.us.auth0.com)
  7. Client ID
  8. Client Secret
  9. Scroll to Allowed Callback URLs and add:
https://apexstem.cloudflareaccess.com/cdn-cgi/access/callback

(Replace apexstem with your Cloudflare team name — find it at Cloudflare One → Settings → Team name.)

  1. Click Save Changes.

Step 3: Note the Auth0 OIDC endpoints — ~2 min

From your Auth0 tenant domain, the endpoints are:

Field (in Cloudflare) Auth0 URL
Auth URL https://apexstem.us.auth0.com/authorize
Token URL https://apexstem.us.auth0.com/oauth/token
Certificate URL https://apexstem.us.auth0.com/.well-known/jwks.json

(Replace apexstem.us.auth0.com with your actual Auth0 tenant domain.)

You can verify all endpoints at: https://apexstem.us.auth0.com/.well-known/openid-configuration

Step 4: Add Auth0 as an IdP in Cloudflare Access — ~5 min

  1. Go to one.dash.cloudflare.com.
  2. Sidebar → IntegrationsIdentity providers (or SettingsAuthentication).
  3. Add new identity providerOpenID Connect (the generic OIDC option).
  4. Fill in:
Field Value
Name Auth0 Email/Password
App ID (Client ID) (from Auth0 Step 2)
Client Secret (from Auth0 Step 2)
Auth URL https://YOUR-TENANT.us.auth0.com/authorize
Token URL https://YOUR-TENANT.us.auth0.com/oauth/token
Certificate URL https://YOUR-TENANT.us.auth0.com/.well-known/jwks.json
PKCE Disabled
Email claim name email (default)
Scopes openid email profile
  1. Click Save.
  2. Click Test — it should redirect to Auth0's login page. Sign in with the account you created Auth0 with. On success, you'll see a confirmation.

Step 5: Keep One-time PIN as backup

Don't remove the existing One-time PIN provider. Users will see both options on the login screen: - Auth0 (email/password) — primary - One-time PIN — backup if Auth0 has issues

Step 6: Create Access Groups (RBAC) — ~10 min

These groups control who can access what. Go to Access controlsGroups (or create them inline in policies).

Create the following groups based on rbac-groups.md:

Group name Members (emails) Who
apex-admin Alex's admin email, 1 backup admin Technical admins
apex-board Board trustee emails Board members
apex-mentors Adult mentor emails Adult mentors / coaches
apex-parents-ridge-racers Parent/guardian emails Ridge Racers parents
apex-students-ridge-racers Student emails (Brandon, Jonas, Brian, Sophia, Noah, Max, Caleb) Team students
apex-student-mentors Omesh's email HS volunteer mentors

How to create a group: 1. Access controlsGroupsCreate group. 2. Group name: e.g., apex-mentors 3. Include rule: Selector = Emails → add each person's email address. 4. Save.

Important: Store the email-to-group mapping in your board password manager or secretary's offline sheet — not in git (per existing policy in rbac-groups.md).

Step 7: Create Access Policies — ~10 min

Policies determine who can reach docs.apexstem.org.

Option A: Single application, everyone allowed (simpler — recommended for Year 1)

Since MkDocs doesn't support path-based access control natively, and Cloudflare path policies require separate applications per path:

  1. Access controlsApplications → find your existing docs.apexstem.org application → Edit.
  2. Under Policies, edit (or replace) the existing Apex trustees policy:
  3. Policy name: All approved users
  4. Action: Allow
  5. Include: Add each Access Group:
    • apex-admin
    • apex-board
    • apex-mentors
    • apex-parents-ridge-racers
    • apex-students-ridge-racers
    • apex-student-mentors
  6. Under Authentication, enable both:
  7. Auth0 Email/Password
  8. One-time PIN
  9. Save.

Option B: Path-based policies (later — requires separate Access applications per path)

Defer this to after you've confirmed the wiki auth banner is working. See rbac-groups.md for the planned path policy table.

Step 8: Pre-create Auth0 user accounts — ~15 min

Users need Auth0 accounts before they can log in.

  1. In Auth0 dashboard → User ManagementUsersCreate User.
  2. For each person:
  3. Email: their email address
  4. Password: set a temporary password (they can reset it)
  5. Connection: Username-Password-Authentication (default)
  6. Click Create.

Users to create:

Name Role Auth0 account email
Alex Seto Admin / Lead mentor (your email)
(Trustee 2) Board (their email)
(Trustee 3) Board (their email)
Omesh Cholan Student mentor (his email — get from parent)
Brandon Student (their email)
Jonas Student (their email)
Brian Student (their email)
Sophia Student (their email)
Noah Student (their email)
Max Student (their email)
Caleb Student (their email)
(Parents) Parent (each parent's email)

Alternative: Let users self-register. In Auth0, you can enable the sign-up form on the login page. Then anyone can create an account, but only emails in your Cloudflare Access groups will be allowed through. This is simpler than pre-creating accounts.

To enable self-registration: 1. Auth0 → AuthenticationDatabaseUsername-Password-Authentication. 2. Ensure Disable Sign Ups is OFF (sign-ups allowed). 3. Users who sign up but aren't in a Cloudflare Access group will be blocked by Cloudflare — Auth0 lets them in, but Cloudflare's policy stops unauthorized emails.

Step 9: Test each role — ~10 min

Use an incognito/private browser window for each test:

  • [ ] Admin email → should see full wiki
  • [ ] Mentor email → should see full wiki
  • [ ] Student email → should see full wiki
  • [ ] Parent email → should see full wiki
  • [ ] Omesh's email → should see full wiki
  • [ ] Unlisted email → should be blocked by Cloudflare Access

Step 10: Send login instructions — ~5 min

Template message to send each user:

Subject: Access to Apex STEM wiki (docs.apexstem.org)

Hi [Name],

You now have access to the Ridge Racers / Apex STEM team wiki.

URL: https://docs.apexstem.org

To log in: 1. Go to https://docs.apexstem.org 2. Click "Auth0 Email/Password" (or "One-time PIN" if you prefer) 3. Sign in with your email and the password you were given (or create an account if prompted) 4. You can reset your password from the login page

Start here: Once logged in, go to the Start here page to find your role-specific guide.

Questions → Alex Seto


Seat count check

Cloudflare Access free tier: ~50 seats.

Role Count
Admin/board 3
Student mentor (Omesh) 1
Students 7
Parents ~7
Future mentors ~2
Total ~20

Well within the 50-seat limit.


Checklist summary

  • [ ] Auth0 tenant created
  • [ ] Auth0 application configured with Cloudflare callback URL
  • [ ] Auth0 added as OIDC provider in Cloudflare Access
  • [ ] One-time PIN kept as backup
  • [ ] Access Groups created for each role
  • [ ] Emails assigned to groups (stored in password manager, not git)
  • [ ] Application policy updated to allow all groups
  • [ ] User accounts created in Auth0 (or self-registration enabled)
  • [ ] Tested with each role in incognito
  • [ ] Login instructions sent to all users