Access to the admin is obtained through links containing a one-time passcode (OTP). These links are generated from within the server and expire within a couple of hours if not used.
Once opening the link, continued admin access is granted to that particular device. Subsequently, the admin can be accessed by going to the server droplet's IP address, e.g.: https://22.214.171.124
Granting new access
To create a new link, within the server run
lamassu-register followed by an email and role for said user. For example:
lamassu-register firstname.lastname@example.org superuser
If sending the link to another user or device, send it over a (secure) service which doesn't auto-preview the link (and thus invalidate it). Signal and Keybase are good for this, or within codeblock formatting in Wire, Element, or WhatsApp.
Switching off the admin
As an even greater security precaution, you may even turn off the admin fully when not in use, and switch it on again when needed.
Your paired machines will continue their normal operation, servicing customers; however, stopping the admin would prevent anyone with prior access from controlling your commission settings or pairing a machine of their own (and thus having indirect wallet withdrawal access).
To turn off the admin (
lamassu-admin-server), run within your server's terminal:
supervisorctl stop lamassu-admin-server
To turn it on again prior to accessing it, run:
supervisorctl start lamassu-admin-server
To view its current status (
supervisorctl status lamassu-admin-server
(If you do wish to halt service at your machines, similarly you may stop and start the
lamassu-server process, detailed in 'Halting service at the machine'.)