tawqi3 tawqi3.com

Onboarding your organisation

How signup, region selection, and product activation work the first time a founder reaches the admin portal.

A new tawqi3 tenant begins life when a founder signs up on the admin portal. This article walks through what you provide, what happens behind the scenes, and how to recover when an early step does not go to plan.

What you provide

The signup form on admin.tawqi3.com collects:

| Field | Meaning |
| --- | --- |
| Founder email | The first authenticated identity; receives a verification link. |
| Organisation name | The human-readable label that appears across the product. |
| Organisation handle | Lowercase, dash-separated, 3 to 32 characters; used in URLs. |
| Data region | The jurisdiction where your encrypted artefacts will reside. |
| Products | One or more of Email Signature, Agreement and E-Sign, Document and Template. |

Every field is validated before your organisation is created. The browser performs a small pre-flight check as a courtesy; the authoritative validation happens on the tawqi3 side.

What tawqi3 does

Signup is a multi-step process:

  1. Your request is rate-limited to protect the platform from abuse.
  2. Your organisation is created and your founder identity is attached as the first member.
  3. A billing account is opened for the organisation.
  4. Each selected product is activated on its starter plan.
  5. You receive a verification email with a single-use link.

If any step does not complete, the partially-built organisation is suspended and the founder is shown a clear error message keyed to the precise reason, for example, that the billing step could not be completed. No half-configured tenant is ever left behind.

Verifying your email

The verification link is single-use and expires in 24 hours. Following it signs you in and lands you in the admin portal. If the link has lapsed, request a fresh one from the same signup page.

After verification

Your organisation is active and the founder has owner-level privileges. From here you can invite teammates, configure product-specific settings, and connect your existing identity provider. Role assignments take effect immediately; teammates do not need to sign out and back in for new permissions to apply.

title: Onboarding your organization
description: How signup, region selection, and product activation work the first time a founder reaches the admin console.
category: Getting Started
updated: 2026-05-15
readMinutes: 5
order: 2

A new tawqi3 tenant begins life as a single POST /v1/signup to the IAM service. This article walks through what the request body carries, what happens on the server side, and how to recover when an early step misfires.

What you provide

The signup form on admin.tawqi3.com/signup collects:

| Field | Meaning |
| --- | --- |
| Founder email | The first authenticated identity; receives a verification link. |
| Organization name | Human-readable label. |
| Organization slug | Lowercase, dash-separated, 3–32 characters; used in URLs and audit subjects. |
| Region | One of eu, us, gcc, in, uk, au, ca. Determines where artefacts encrypted at rest live. |
| Products | One or more of Email Signature, Agreement & E-Sign, Document & Template. |

Every field is validated server-side. The browser performs a minimum-viable pre-flight (regex on the slug, presence on the email) purely as a UX courtesy; the canonical validation lives in iamd.

What the server does

Signup is a saga. The IAM service:

  1. Persists a pending_signup row and rate-limits the request by both IP and email hash.
  2. Creates the organization aggregate and a founder membership.
  3. Calls the billing service to provision a billing account.
  4. Subscribes the organization to each selected product on the appropriate seed plan.
  5. Emails the founder a verification link with a single-use token.

If any step fails, a compensator suspends the partially-built organization and an iam.org.bootstrap.compensation audit record is emitted. The founder sees a localised error message keyed off the precise refusal reason, for example, signup.error.billing_account_failed if the billing call timed out.

Verifying the email

The verification link includes an opaque token bound to the founder’s email. Following the link mints a session and lands you in the admin console. The token is single-use and expires in 24 hours; request a fresh one from the same signup page if it lapsed.
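The token properties described above (opaque, bound to the founder's email, single-use, 24-hour expiry) can be enforced as in the following added Python example, which is not tawqi3's code. The class name `VerificationTokens`, the in-memory table, storing only a SHA-256 digest of the token, and invalidating earlier links on re-issue are assumptions of this example, not details stated in this article.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 60 * 60  # the 24-hour lifetime stated in the article


class VerificationTokens:
    """In-memory stand-in for a token table (hypothetical, for illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested without waiting
        self._rows = {}       # sha256(token) -> (email, expires_at)

    @staticmethod
    def _digest(token):
        # Assumption: only a digest is stored, so a leaked table cannot be
        # turned back into working verification links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        # Opaque: 256 bits of randomness; the token itself encodes no claims.
        token = secrets.token_urlsafe(32)
        # Assumption: requesting a fresh link invalidates older ones for that email.
        self._rows = {d: r for d, r in self._rows.items() if r[0] != email}
        self._rows[self._digest(token)] = (email, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token):
        """Return ("ok", email) once per token, otherwise (reason, None)."""
        # pop() deletes the row before any other check, so the token is spent
        # on its first presentation and cannot be replayed, even if expired.
        row = self._rows.pop(self._digest(token), None)
        if row is None:
            return ("invalid_or_used", None)
        email, expires_at = row
        if self._clock() >= expires_at:
            return ("expired", None)
        # The session is minted for the email bound at issue time, never for
        # an address supplied by the caller alongside the link.
        return ("ok", email)
```

In a real datastore the `pop()` step corresponds to a single atomic delete-and-return, so two concurrent requests carrying the same link cannot both succeed.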

After verification

Your organization is active and the founder is a tenant_owner. From here you can invite teammates, configure product-specific settings, and integrate with your existing IdP. Each subsequent action is gated by the OpenFGA RBAC + ABAC model, so role assignments take effect immediately without a session rotation.