Private preview. fremforge is in private preview — invited customers only. Content is still subject to change.

Your first hour with fremforge

This page covers onboarding from the buyer-and-admin perspective: what you’ll actually click and see in the first hour after you decide to sign up. It complements Getting started, which is more developer-oriented (SSH keys, first repo, first CI run).

If you’re the person who’ll be the first owner of your fremforge org, read this page top to bottom before you sign up. Most of it works without any input from you, but four small decisions in this hour set the security and billing posture for the rest of your time on fremforge; getting them right now is much cheaper than walking them back later.

The flow at a glance

                ┌──────────────────────────────────────────────────────────┐
                │  1. Sign up at www.frem.sh                               │
                │     email + org slug + country/VAT + Altcha PoW          │
                └─────────────────────────┬────────────────────────────────┘
                                          │
                                          ▼
                ┌──────────────────────────────────────────────────────────┐
                │  2. Verification email arrives (Lettermint, EU)          │
                │     click within 24h                                     │
                └─────────────────────────┬────────────────────────────────┘
                                          │
                                          ▼
                ┌──────────────────────────────────────────────────────────┐
                │  3. Confirm page → Mollie hosted checkout (card / SEPA)  │
                │     mandate captured at €0 → tenant + Forgejo org        │
                │     provisioned → welcome email with admin URL + creds   │
                └─────────────────────────┬────────────────────────────────┘
                                          │
                            ┌─────────────┴─────────────┐
                            ▼                           ▼
            ┌─────────────────────────┐   ┌──────────────────────────────┐
            │  4a. Sign in            │   │  4b. Configure your org      │
            │  frem.sh/user/login     │   │  frem.sh/_app/<slug>/_admin/ │
            │  → your dashboard       │   │  billing — wire SSO, invite, │
            │                         │   │  review billing              │
            └─────────────────────────┘   └──────────────────────────────┘
                                          │
                            ┌─────────────┴─────────────┐
                            ▼                           ▼
            ┌─────────────────────────┐   ┌──────────────────────────────┐
            │  5. Wire SSO            │   │  6. Confirm billing details  │
            │  (optional but strongly │   │  monthly vs. annual term,    │
            │  recommended on day 1)  │   │  seats, VAT — auto-converts  │
            │                         │   │  on day 30 of trial          │
            └─────────────────────────┘   └──────────────────────────────┘
                                          │
                                          ▼
                ┌──────────────────────────────────────────────────────────┐
                │  7. Harden the break-glass account (MFA on local owner)  │
                │     and invite teammates                                 │
                └──────────────────────────────────────────────────────────┘

The whole flow takes 15-30 minutes for a single-admin org without SSO, or 30-60 minutes if you’re wiring an IdP and inviting a team.

1. Sign up

Visit www.frem.sh and click Sign up in the top nav (or go directly to frem.sh/_app/signup). The signup form asks for:

  • Work email: this becomes the bootstrap admin’s email and the default billing-contact address (you can change either later).
  • Org slug: 3-30 lowercase letters, digits, and hyphens. This is the URL path for your org (frem.sh/<slug> for the developer surface, frem.sh/_app/<slug>/_admin/... for the admin surface). Choose carefully: slug changes are operator-handled, not self-service.
  • Display name: what shows up in the UI when we don’t have room for the slug.
  • Country: drives VAT treatment and bookkeeping. EU member states require a VAT number; non-EU countries don’t.
  • VAT number: for EU customers, we live-validate against VIES before the org is created. If your VIES record is currently down (it happens about once a quarter; usually resolves in <24h), you’ll see an error and can retry once the registry is back.

A proof-of-work captcha runs on submit. It takes 1-3 seconds to solve and is invisible: no clicking traffic lights.

Common gotchas:

  • Reserved slugs (e.g. admin, support, legal) and trademarks of other vendors (e.g. github, gitlab) are blocked at submit. Pick something distinctive.
  • Disposable-email providers are blocked; use a real corporate or ISP-issued address.

2. Verify your email

A verification email lands in your inbox within seconds. The link is valid for 24 hours and only works once; clicking it twice won’t re-provision (the second click just shows your existing org).

The verification email is sent from noreply@frem.sh via Lettermint (NL-anchored, EU-only delivery infrastructure; one of fremforge’s named sub-processors per the DPA). If it doesn’t arrive in 5 minutes, check spam and your corporate mail filter; the From address and DKIM should be aligned.
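
One way to run that alignment check on a message your mail filter held back, as an added example (not fremforge's code): it reads the Authentication-Results header stamped by your own mail server and confirms a passing DKIM signature whose d= domain sits under frem.sh, the From domain. The sample message, the authserv-id mx.example.net, the selector and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; header values are illustrative, not captured mail.
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=frem.sh header.s=lm1;
 spf=pass smtp.mailfrom=bounce.frem.sh
Authentication-Results: attacker.invalid; dkim=pass header.d=frem.sh
From: fremforge <noreply@frem.sh>
To: admin@example.net
Subject: Verify your email

body
"""

def within(domain, org):
    """True if domain equals org or is a subdomain of it."""
    domain, org = domain.lower().rstrip("."), org.lower().rstrip(".")
    return domain == org or domain.endswith("." + org)

def dkim_pass_domains(msg, trusted_authserv):
    """d= domains with dkim=pass, taken only from our own MTA's header."""
    found = []
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().split(" ")[0].lower() != trusted_authserv.lower():
            continue  # headers stamped under any other name are sender-controlled
        for part in results.split(";"):
            if re.match(r"\s*dkim\s*=\s*pass\b", part, re.I):
                m = re.search(r"\bheader\.d\s*=\s*([\w.-]+)", part, re.I)
                if m:
                    found.append(m.group(1).lower())
    return found

def check_alignment(raw, trusted_authserv, org="frem.sh"):
    """Report whether From and a passing DKIM signature both sit under org."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    passed = dkim_pass_domains(msg, trusted_authserv)
    return {
        "from_domain": from_domain,
        "from_ok": within(from_domain, org),
        "dkim_aligned": any(within(d, org) for d in passed),
    }
```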

3. Confirmation → Mollie checkout → org provisioned → welcome email

Click the verification link, then click Create org on the confirmation page. You’ll be redirected to Mollie’s hosted checkout to authorise a payment-method mandate before the org is provisioned. Mollie supports cards, SEPA Direct Debit, iDEAL, Bancontact, and other regional methods. The verification runs at €0 (your card issuer may briefly pre-authorise €0.01 and reverse it immediately as part of the standard verification step). Nothing is billed during the 30-day trial — the mandate exists so the trial can auto-convert on day 30 without an extra checkout step. Cancel any time before then in Admin → Billing at no cost; we send a reminder three days before the auto-charge.

After Mollie accepts the mandate, three things happen in sequence on the API side:

  1. A row is created in the tenants table with payment_method_status='mandate_active'.
  2. A Forgejo org with your slug is created (id 14, 15, etc., but you’ll only ever see the slug).
  3. Your bootstrap admin user is created in Forgejo with a one-time password we email you. The bootstrap admin user is the same login as your personal fremforge account; if you sign up a second org with the same email later, it reuses the same admin user (no second password).

The welcome email arrives within a few seconds. It contains two CTAs and a credentials block:

  • Sign in to fremforge: frem.sh/user/login?redirect_to=/<your-slug>, Forgejo’s universal login. Your first login lands you on your org dashboard.
  • Configure your org: frem.sh/_app/<your-slug>/_admin/billing, the admin surface where you wire SSO, invite teammates, manage billing.
  • Initial admin credentials: username + one-time password. The next step rotates this; don’t share it.

If you don’t get the welcome email but the verification email worked, your org was created (the welcome email is best-effort). Use the URL pattern above with your chosen slug to log in.

4a. Sign in for the first time

frem.sh/user/login is Forgejo’s universal login form. Enter either the username from the welcome email or your signup email; both work. The username is a stable short handle used in URLs (frem.sh/<username>), commit author lines, and @mentions; you usually don’t need to remember it because email-as-login is always accepted. Then enter the one-time password.

Forgejo will require you to set a new password immediately; that’s the expected flow, not an error. Choose a long random password from your password manager (you’ll rarely type it; see Step 7).

You land on your Forgejo dashboard at frem.sh/. Your org appears in the org list on the left; clicking it takes you to frem.sh/<your-slug> where you’ll see “no repositories yet”. That’s normal; you haven’t pushed anything.

If you’re going to set up SSO and invite teammates first (recommended), keep this tab and open Step 4b in another tab.

4b. Configure your org (the admin URL)

frem.sh/_app/<your-slug>/_admin/billing is the admin landing page: a billing summary, plus tabs for SSO, security, members, audit log, and so on. Bookmark this URL. When you’re admin of multiple fremforge orgs, the admin surface is keyed on the slug in the URL. There’s no in-product org switcher; you navigate by typing or bookmarking.

The first time you hit this URL, you’ll be redirected through Forgejo login (because admin pages require an authenticated Forgejo session). After login it lands you back here.

At first visit you’ll see:

  • Seat count (default 1: you, the bootstrap admin).
  • Term: monthly (default; switch to annual any time before day 30 to lock in the 15% discount, and again later between months).
  • Payment method status: mandate active (the Mollie mandate captured at signup) — or “no method” with a Set up payment CTA if the signup-time checkout was abandoned or the mandate has since been revoked at your card issuer.
  • Trial state: 30-day trial active with the auto-conversion date shown.

If you see “no method”, the priority is to add a payment method before day 30 to avoid the suspension flow. Otherwise, move on to SSO + break-glass; billing is already wired.

5. Wire SSO (highly recommended on day 1)

If your team uses an SSO provider (Okta, Entra, Google Workspace, Authentik, Keycloak, Auth0), wire it before inviting anyone. Setting it up after teammates have local-password accounts means a migration step per user.

Open Org admin → SSO. Two kinds of work:

  1. Verify your domain: DNS TXT or .well-known/fremforge-domain.txt HTTP challenge. Required before you can register an auth source. Takes 1-5 minutes assuming you can edit DNS or upload a file to your domain root.

  2. Register an auth source: OIDC (recommended) or SAML 2.0. The forms walk you through the IdP-side fields. See OIDC SSO or SAML 2.0 for the per-IdP setup steps.

Optional but recommended for regulated workloads: while you’re on the OIDC form, fill in the three Per-org session-binding step-up fields at the bottom. These wire forced IdP re-attestation on cross-org access; see OIDC § Per-org session-binding step-up for the IdP-side requirements. If you skip these fields, you fall back to soft binding (still works, just no forced IdP re-prompt; local-credentials break-glass is preserved either way).

After registering an auth source, the next person to sign in via SSO is auto-provisioned as a fremforge user. SCIM (push-based provisioning) is a separate setup; see SCIM 2.0.

6. Confirm billing details

The mandate was captured at signup, so there’s nothing to do here to enable billing — but Admin → Billing is where you confirm or change the terms before the day-30 auto-charge:

Pricing (auto-charged on day 30 unless you cancel beforehand):

  • Monthly: €30/seat/month, billed upfront at the start of each 30-day cycle. Cancel any time; access continues to the end of the current paid month.
  • Annual: €306/seat/year (€25,50/seat/month effective, 15% off list), billed upfront as a single annual fee. Non-refundable if you cancel mid-term; access continues to your committed-until date and the year stands as paid.

What you can change before day 30:

  • Term: switch monthly → annual to lock in the 15% discount. You can switch monthly → annual any time; annual → monthly only takes effect at the next renewal.
  • Seats: invite teammates now and the day-30 charge reflects your actual seat count (each invited member counts from acceptance).
  • Payment method: replace the Mollie mandate (e.g. different card, or switch from card to SEPA Direct Debit) via Replace payment method in Admin → Billing. The replacement runs the same €0 verification flow Mollie used at signup.
  • Cancel: the Cancel trial action voids the mandate and stops the day-30 charge from happening; the org keeps read-only access through the data-retention window per the terms §16.5.

Reminders: we send a heads-up 3 days before the auto-charge so the conversion isn’t a surprise. If the Mollie auto-charge fails on day 30 (expired card, insufficient funds), you’ll get the standard dunning email cadence — three retries over 14 days before the org enters the read-only grace.

7. Harden the break-glass account

The bootstrap admin you just created is your break-glass account: keep it, harden it, don’t delete it.

Why: when you wire SSO and your IdP later goes down (or gets misconfigured), the break-glass account is how you get back into your org admin to disable SSO enforcement and unblock your team. The path is documented in SSO break-glass; every owner should rehearse it once.

Three things to do now, while you’re already logged in:

  1. Rotate the bootstrap password to a long random one if you haven’t already. Generate a 24+ character password from a password manager and store it. You’ll rarely type it.

  2. Enable 2FA on the bootstrap account. Forgejo supports TOTP (any authenticator app) and WebAuthn / passkeys. 2FA on the break-glass account is required, not optional: a long random password without 2FA is still a phishable single factor, and a single-factor break-glass login defeats the point of mandating SSO. Store recovery codes in your password manager (or a sealed envelope in a safe, not in a Slack DM).

  3. Verify the local login works in a private browser window before flipping the SSO Required toggle. Open https://frem.sh/user/login, sign in with the local password + 2FA, confirm you can reach Org admin → SSO. Do this while your normal session is still open in a regular window so you can recover if anything is wrong.

For orgs with more than one human admin, keep at least two break-glass-prepared owners. If one loses access (lost device, stolen laptop, employment change), the second owner can re-issue access without going through support.

8. Invite teammates

Back in Forgejo at frem.sh/<your-slug>, go to Settings → People → Invite Member. If you wired SSO, prefer “invite via SSO domain”: anyone with an email at your verified domain can claim a seat by signing in with SSO, with no manual provisioning per user. If you didn’t wire SSO, invitees get a local-password account each.

Each invited member counts as a billable seat from the moment they accept. fremforge has no per-seat tiers; every seat gets the same flat rate (€30/month or €306/year on the annual term). See Members and teams for the full membership model.

What you should have done by the end of the hour

A quick checklist to run through before you call this done:

  • Org provisioned at frem.sh/<your-slug> and frem.sh/_app/<your-slug>/_admin/billing both reachable
  • Bootstrap password rotated to a long random one + 2FA enabled + recovery codes saved
  • SSO wired (auth source registered, domain verified), or explicitly decided to defer SSO
  • Hard step-up wired (optional, for regulated workloads), or noted as a Phase 2 task
  • Billing terms confirmed (monthly vs. annual, seat count) ahead of the day-30 auto-conversion
  • At least one teammate invited (or noted as a follow-up)
  • Break-glass procedure rehearsed once: signed out, signed back in via local + 2FA in a private browser window

Anything in this list you’ve left blank is a known follow-up; write it down. The two that bite later are the break-glass MFA and the SSO setup; both are a 15-minute job today and a multi-hour mess once your team is using fremforge actively.

Cross-references