docs: Add multiuser documentation and reposition Workflows

[lstein]

Summary

This PR migrates the multiuser documentation from docs-old into the new astro docs directory. It also moves the Workflows section into Features, which seems to be a more appropriate place for it than at the top level.

For convenience, this PR also updates the make docs Makefile target.

Related Issues / Discussions

QA Instructions

1. make docs will fire up astro
2. Browse the reorganized Features section.
3. Check for broken images and links.

Merge Plan

Simple merge.

Checklist

• The PR has a short but descriptive title, suitable for a changelog
• Tests added / updated (if applicable)
• ❗Changes to a redux slice have a corresponding migration
• Documentation added / updated (if applicable)
• Updated What's New copy (if doing a release after this PR)

[joshistoast]

Good overall add, but needs some updates.

Notes:

• I added some quick suggestions for reordering to keep the non subgrouped docs links at the top of the respective parent group.

• Lots of areas where the <Steps> component can be used for those instructional step-by-step ordered lists.

• I think we should move the spec to the corresponding invoke dir as a feature readme, as opposed to being a docs page.

• Found a couple broken links and left the fix suggestions.

• The multi user docs leaves a lot of "not right now, but in the future for sure" promises, maybe it'd be better to just say "Not at this time, create an issue if this is important to you" verbiage?

• There seemed to be an instance or two of inconsistency between existence of a feature. For example the user vs administrative docs seem to have different opinions on the existence of a user management webui. And there is also documentation now of a board having a desciption- which unless I'm mistaken doesn't exist.

• I can have my LLM do another pass over this to see if I missed anything, but this was everything I found initially.

[lstein]

Thanks for the thorough review. There was a lot more cruft in the docs than I realized. I've implemented all the suggested changes and removed redundant and out-of-date content. Let me know if I missed anything.

[joshistoast]

PR remains inconsistent with real behavior. Features that don't exist, incorrect endpoints, inaccurate and conflicting feature behaviors, etc.

Also we should document GET /api/v1/auth/status

[joshistoast]

These all should begin with /api/v1/auth/users

[lstein]

Fixed. Thank you.

[joshistoast]

These are all /api/v2/models

[lstein]

Fixed.

[joshistoast]

/api/v2/models

[lstein]

Fixed

[joshistoast]

This does not exist

[lstein]

Removed docs.

[joshistoast]

Suggested change

	**Endpoint:** `GET /api/v1/users`
	**Endpoint:** `GET /api/v1/auth/users`

[lstein]

Fixed.

[joshistoast]

Can't find this feature

[lstein]

Yeah, never got implemented, like a number of other nice to have features. Removed.

[joshistoast]

Suggested change

	- View and manage all users' boards, images, and workflows (including system-owned legacy content)
	- View and manage all users' boards, images, and workflows

[lstein]

Fixed.

[joshistoast]

Returns a plain array, no pagination

[lstein]

Fixed.

[joshistoast]

Shape needs to be:

[
  {
    "user_id": "string",
    "email": "string",
    "display_name": "string",
    "is_admin": false,
    "is_active": true,
    "created_at": "2026-05-07T21:12:09.008Z",
    "updated_at": "2026-05-07T21:12:09.008Z",
    "last_login_at": "2026-05-07T21:12:09.008Z"
  }
]

Returns a plain array without items

[joshistoast]

this

[joshistoast]

Add updated_at field below here

[lstein]

Done.

[joshistoast]

Login endpoint is /api/v1/auth/login

[lstein]

Fixed.

[joshistoast]

Found a few more things, clarified another thing. We're getting closer.

[joshistoast]

Shape needs to be:

[
  {
    "user_id": "string",
    "email": "string",
    "display_name": "string",
    "is_admin": false,
    "is_active": true,
    "created_at": "2026-05-07T21:12:09.008Z",
    "updated_at": "2026-05-07T21:12:09.008Z",
    "last_login_at": "2026-05-07T21:12:09.008Z"
  }
]

Returns a plain array without items

[joshistoast]

Suggested change

	# Session configuration (multi-user mode only)
	jwt_secret_key: "your-secret-key-here" # Auto-generated if not specified
	jwt_token_expiry_hours: 24 # Default session timeout
	jwt_remember_me_days: 7 # "Remember me" duration
	# Optional password policy
	strict_password_checking: true # Enforce uppercase/lowercase/number requirements

[lstein]

Fixed.

[joshistoast]

These seem to still be present

[joshistoast]

Suggested change

	**Alternative:** Remove `jwt_secret_key` from config to trigger setup wizard (will create new admin).
	**Alternative:** There is no supported config-based shortcut to rerun the setup wizard once an administrator already exists. If the admin password is lost, reset it directly in the database or by using the user-management tooling.

[lstein]

Fixed, and gave the correct recipe for reentering setup mode.

[joshistoast]

Suggested change

	# Before (single-user)
	GET /api/v1/boards/ # Returns all boards
	# After (multi-user)
	GET /api/v1/boards/ # Returns only current user's boards
	# Before (single-user)
	GET /api/v1/boards/?all=true # Returns all boards
	# After (multi-user)
	GET /api/v1/boards/?all=true # Returns boards the current user can access, including their own boards plus shared/public boards; admins can see all boards

[lstein]

fixed

[joshistoast]

This endpoint does not exist

[lstein]

Something was hallucinating. Wouldn't it be nice to have a simple image generation endpoint?

[joshistoast]

It would be

[joshistoast]

Suggested change

	cors_origins:
	- "http://localhost:3000"
	- "https://myapp.example.com"
	allow_origins:
	- "http://localhost:3000"
	- "https://myapp.example.com"
	allow_credentials: true
	allow_methods:
	- "*"
	allow_headers:
	- "*"

[lstein]

fixed

[joshistoast]

Almost there, found a few more discrepancies, and some were even from my own suggestions (left suggested fixes for those). Clarified what happens to boards on multiuser switching edge cases, a typo here or there, and highlighted some api response docs

[joshistoast]

this

[joshistoast]

On success it returns a 204 No Content not a json with status. If there's an error the response is 422 with json:

{
  "detail": [
    {
      "loc": [
        "string",
        0
      ],
      "msg": "string",
      "type": "string"
    }
  ]
}

[joshistoast]

Suggested change

	3. Choose a strong password. The following criteria are required with `strict_password_checking_enabled: true`.
	3. Choose a strong password. The following criteria are required with `strict_password_checking: true`.

My bad on my last suggestion lol

[joshistoast]

Suggested change

	With `strict_password_checking_enabled` disabled, you'll be warned if you choose a
	With `strict_password_checking` disabled, you'll be warned if you choose a

My bad on my earlier suggestion

[joshistoast]

Suggested change

	#### List One Boards
	#### Get One Board

[joshistoast]

Suggested change

	JWT secrets are generated automatically and stored in the
	database. You can hard-code a secret as shown above for
	development/testing purposes. Session lifetimes default to 24 hours by
	default, or 7 days when the user selects "Remember me", unless
	manually overridden in `invokeai.yaml` as shown above.
	JWT secrets are generated automatically and stored in the database. Session lifetimes default to 24 hours, or 7 days when the user selects "Remember me". See Secret Key Management below if you need to rotate the JWT secret.

This is technically more correct, since there's no manual override 'above'. My bad.

[joshistoast]

Suggested change

If an InvokeAI instance was in multiuser mode and then restarted in single user mode (by setting `multiuser: false` in the configuration file), all users' boards will be consolidated in one place. Any images that were in "Uncategorized" will be merged together into a single Uncategorized board. If, at a later date, the server is restarted in multi-user mode, the boards and images will be separated and restored to their owners.

If an InvokeAI instance was in multiuser mode and then restarted in single user mode (by setting `multiuser: false` in the configuration file), all users' boards will be consolidated in one place. Any images that were in "Uncategorized" will be merged together into a single Uncategorized board. If, at a later date, the server is restarted in multi-user mode, the boards and images will be assigned to the internal 'system' user. Admins can access this legacy content, and will not be restored to original owners.

[joshistoast]

Suggested change

	def is_multiuser_enabled(base_url):
	"""Check if multi-user mode is enabled (authentication required)."""
	response = requests.get(f"{base_url}/api/v1/boards/")
	return response.status_code == 401 # 401 = auth required
	def is_multiuser_enabled(base_url):
	response = requests.get(f"{base_url}/api/v1/auth/status")
	response.raise_for_status()
	return response.json()["multiuser_enabled"]

This is exposed in the auth status like so

[joshistoast]

Suggested change

	If you are logged in as Administrator, you can add additional users. Click on the small "person silhouette" icon at the bottom left of the main Invoke screen and select "User Management:"
	If you are logged in as Administrator, you can add additional users. Click on the small "person silhouette" icon at the bottom left of the main Invoke screen and select "User Management"