Appearance
Admin Setup
This guide walks you through setting up BluePLM for your organization. Follow the steps in order.
Prerequisites
You need:
- A Supabase account (free tier works)
- BluePLM installed on your computer
- (Optional) A Google Cloud account for Google Sign-In
- (Recommended) An email provider account (Resend or SendGrid) for reliable invite emails
Step 1: Create a Supabase Project
- Go to supabase.com and sign in or create an account
- Click New Project
- Choose a project name and set a strong database password
- Select a region close to your team
- Click Create new project and wait ~2 minutes for provisioning
Once ready, go to Settings → API and note:
- Project URL (e.g.,
https://abcdefgh.supabase.co) - anon/public key (starts with
eyJ...)
You'll enter these in BluePLM later.
Step 2: Set Up Google OAuth (Recommended)
Google Sign-In provides the smoothest authentication experience. Skip this step if you prefer email/password only.
In Google Cloud Console
- Go to Google Cloud Console
- Create a new project or select an existing one
- Navigate to OAuth consent screen
- Choose External (recommended) — allows any Google account to sign in
- Choose Internal only if you want to restrict sign-in to your Google Workspace domain exclusively
- Fill in:
- App name: "BluePLM"
- User support email: your email
- Developer contact: your email
- Click Save and Continue through the scopes (defaults are fine)
- Go to Credentials → Create Credentials → OAuth 2.0 Client ID
- Select Web application
- Add this Authorized redirect URI:Replace
https://YOUR-PROJECT-REF.supabase.co/auth/v1/callbackYOUR-PROJECT-REFwith your Supabase project reference (the subdomain from your Project URL). - Click Create and copy your Client ID and Client Secret
In Supabase Dashboard
- Go to Authentication → Providers → Google
- Toggle Enable Sign in with Google
- Paste your Client ID and Client Secret
- Click Save
- Go to Authentication → URL Configuration
- Set Site URL to:
http://localhost - Add these Redirect URLs:
http://localhosthttp://localhost:5173http://127.0.0.1
Step 3: Create Storage Bucket
Do This Before Running Schema
The storage bucket must exist before running the schema SQL, or the storage policies will fail.
- Go to Storage in Supabase Dashboard
- Click New Bucket
- Name it exactly:
vault - Uncheck "Public bucket" (must be private)
- Click Create bucket
Step 4: Run Database Schema
The schema creates all required tables, functions, Row Level Security policies, and storage policies.
- Go to SQL Editor in Supabase Dashboard
- Click New query
- Open
supabase/schema.sqlfrom the BluePLM repository - Copy the entire contents
- Paste into the SQL Editor
- Click Run
Verify there are no errors. Warnings about "already exists" are OK if you're re-running.
Step 5: Create Your Organization
Run this SQL in the SQL Editor (customize the values):
sql
INSERT INTO organizations (name, slug, email_domains)
VALUES (
'Your Company Name', -- Display name
'your-company', -- URL-safe slug (lowercase, no spaces)
ARRAY['yourcompany.com'] -- Email domains for your team
);This automatically creates:
- Default teams: Viewers, Engineers, Administrators
- Default job titles (Design Engineer, Quality Engineer, etc.)
Email Domains
The email_domains array enables auto-detection. When users with matching email domains sign in, BluePLM can automatically associate them with your organization.
Step 6: Connect BluePLM
- Download and open BluePLM
- Complete the language/analytics setup if this is your first launch
- On the Setup screen, click "I'm setting up BluePLM for my organization"
- Enter:
- Supabase URL:
https://xxxxx.supabase.co - Anon Key: starts with
eyJ... - Organization Slug (optional): e.g.,
your-company
- Supabase URL:
- Click Connect to Supabase
- Copy the generated Organization Code (save this for team members!)
Keep the Code Secure
The Organization Code contains your Supabase anon key encoded. Share it only with trusted team members.
Step 7: Sign In and Configure Admin
- Click Continue and sign in with Google (or email/phone)
- After signing in, you need to link yourself to the organization and grant admin privileges
Run this SQL in the SQL Editor (replace the values):
sql
-- 1. Link yourself to the org and set as admin
UPDATE users
SET org_id = (SELECT id FROM organizations WHERE slug = 'your-company'),
role = 'admin'
WHERE email = 'your.email@yourcompany.com';
-- 2. Add yourself to the Administrators team
INSERT INTO team_members (team_id, user_id, is_team_admin, added_by)
SELECT
t.id,
u.id,
TRUE,
u.id
FROM teams t, users u
WHERE t.org_id = (SELECT id FROM organizations WHERE slug = 'your-company')
AND t.name = 'Administrators'
AND u.email = 'your.email@yourcompany.com'
ON CONFLICT (team_id, user_id) DO NOTHING;Sign out and back in to BluePLM for the changes to take effect.
Step 8: Create Your First Vault
Vaults are containers for files. Create at least one to start working.
First, get your organization ID:
sql
SELECT id FROM organizations WHERE slug = 'your-company';Then create the vault (replace the UUID):
sql
INSERT INTO vaults (org_id, name, slug, storage_bucket, is_default)
VALUES (
'ORG-UUID-HERE', -- Your organization ID from above
'Main Vault', -- Display name
'main-vault', -- URL-safe slug
'vault', -- Storage bucket name (must match step 3)
true -- Make this the default vault
);Step 9: Create Default Workflow
Files need a workflow to track their lifecycle states (WIP → In Review → Released → Obsolete).
Get your organization and user IDs:
sql
SELECT id FROM organizations WHERE slug = 'your-company';
SELECT id FROM users WHERE email = 'your.email@yourcompany.com';Create the default workflow (replace UUIDs):
sql
SELECT create_default_workflow_v2('ORG-UUID', 'USER-UUID');This creates the standard release workflow with:
- WIP (Work In Progress) - Initial state
- In Review - Ready for approval
- Released - Approved for use
- Obsolete - Deprecated/retired
Step 10: Deploy REST API (Required for Invites)
The REST API server is needed for sending invite emails and ERP integrations.
Deploy to Railway (Recommended)
- Go to railway.app/new
- Select "Deploy from Docker Image"
- Enter:
ghcr.io/bluerobotics/blueplm-api:latest - Add these environment variables (from Supabase Dashboard → Settings → API):
| Variable | Value |
|---|---|
SUPABASE_URL | Your Project URL |
SUPABASE_KEY | anon/public key |
SUPABASE_SERVICE_KEY | service_role key ⚠️ |
- Deploy and copy your API URL (e.g.,
https://your-app.railway.app)
Keep service_role Key Secret
The SUPABASE_SERVICE_KEY bypasses Row Level Security. Never expose it in client-side code.
Configure in BluePLM
- Go to Settings → Integrations → REST API
- Enable "Use External API"
- Enter your Railway API URL
- Click Test Connection to verify
Alternative Deployment Options
See the API README for:
- Render deployment
- Fly.io deployment
- Self-hosted Docker
Step 11: Configure Email Delivery (Recommended)
By default, Supabase uses their shared email domain (noreply@mail.app.supabase.io) which often lands in spam. Configure a custom SMTP provider for reliable email delivery.
Option A: Resend (Recommended)
Resend offers 100 free emails/day and easy setup.
1. Set Up Resend
- Sign up at resend.com
- Go to Domains → Add Domain
- Enter your domain (e.g.,
blueplm.iooryourcompany.com) - Add the DNS records Resend provides to your domain registrar
- Wait for verification (~5 minutes)
- Go to API Keys → Create API Key and copy it
2. Configure in Supabase
- Go to Project Settings → Authentication
- Scroll to SMTP Settings → Toggle Enable Custom SMTP
- Fill in:
| Field | Value |
|---|---|
| Host | smtp.resend.com |
| Port | 465 |
| Username | resend |
| Password | Your API key (e.g., re_xxxxxxxxx...) |
| Sender email | noreply@yourdomain.com |
| Sender name | BluePLM |
- Click Save
Option B: SendGrid
SendGrid also offers a free tier (100 emails/day).
- Sign up and verify your domain
- Create an API key with Mail Send permissions
- Use these SMTP settings:
| Field | Value |
|---|---|
| Host | smtp.sendgrid.net |
| Port | 465 |
| Username | apikey |
| Password | Your API key |
| Sender email | noreply@yourdomain.com |
| Sender name | BluePLM |
Test Your Configuration
After setup, invite yourself (using a different email) to verify emails arrive in the inbox, not spam.
Step 12: Set Up Email Templates (Required for Invites)
BluePLM includes branded email templates for authentication emails. The invite template is required — it displays the Organization Code directly in the email so invited users can copy/paste it into BluePLM.
Required for User Invites
Without the invite template, users won't see their Organization Code in the invite email. Set this up before inviting team members.
Set Up the Invite Template
- Go to Authentication → Email Templates in Supabase Dashboard
- Select Invite user
- Set Subject to:
You've been invited to BluePLM - Copy the HTML from
supabase/email-templates/invite-user.html - Paste into the Body (HTML) field
- Click Save
The invite email will now show:
- Organization name
- Organization Code (copyable) — users paste this into BluePLM
- Download instructions
- Link to blueplm.io/downloads
Other Templates (Optional)
For consistent branding, you can also update these templates from supabase/email-templates/:
| Template | Subject Line |
|---|---|
| Confirm sign up | Confirm your BluePLM account |
| Magic link | Your BluePLM sign-in link |
| Change email | Confirm your new email address |
| Reset password | Reset your BluePLM password |
Sharing with Team Members
There are two ways to add team members:
Option A: Send Invites (Recommended)
Use BluePLM's invite feature in Settings → Members & Teams:
- Click Invite User
- Enter their email address
- They receive an email with:
- The Organization Code (ready to copy)
- Link to download BluePLM
- Setup instructions
This is the easiest method — users get everything they need in one email.
Option B: Share Code Manually
Share the Organization Code generated in Step 6 directly:
- Go to Settings → Members & Teams
- Click Show Organization Code
- Send the code to team members along with download link
Team members then:
- Download BluePLM from blueplm.io/downloads
- Select "I have an Organization Code"
- Paste the code
- Sign in with Google/email/phone
The code contains your Supabase connection info encoded — team members don't need to enter URLs or keys manually.
See User Setup Guide for detailed team member instructions.
Troubleshooting
Schema SQL fails with "bucket not found"
Create the vault storage bucket (Step 3) before running the schema.
Google Sign-In shows "Access blocked: org_internal"
Your Google OAuth app is set to "Internal". Go to Google Cloud Console → APIs & Services → OAuth consent screen and change the user type to External. This allows any Google account to sign in, not just your Google Workspace users.
Google Sign-In shows "redirect_uri_mismatch"
Verify your Supabase project URL is in Google Cloud's authorized redirect URIs exactly:
https://YOUR-PROJECT-REF.supabase.co/auth/v1/callbackUsers can't see any vaults
Grant vault access via Settings → Members & Teams. Non-admin users don't see vaults automatically.
Organization Code doesn't work
Regenerate the code by disconnecting and reconnecting to Supabase in BluePLM.
Can't sign in after running admin SQL
Make sure you signed out and back in after running the admin setup SQL.
Invite emails going to spam
Configure custom SMTP (Step 11). Supabase's default email domain (noreply@mail.app.supabase.io) is often flagged as spam.
"Service key not configured" error when inviting users
- Verify
SUPABASE_SERVICE_KEYis set in your Railway environment variables - Redeploy the API service after adding the variable (Railway doesn't auto-restart)