calcom/cal.com
User
The universal account record. Every other primitive has a relation back to User directly or transitively.
Schema highlights
packages/prisma/schema.prisma — User:
id,username,name,email,emailVerifiedpassword(hashed),bio,avatarUrl,timeZone,weekStarttheme,appTheme,defaultScheduleIdbufferTime,hideBranding,verified,disableImpersonationroleenum (USER,ADMIN, ...)identityProviderenum (CAL,GOOGLE,GITHUB,SAML— last one is upstream-only)identityProviderIdmetadata(JSON),locale,timeFormat,trialEndsAttwoFactorSecret,twoFactorEnabled,backupCodescreatedDate,updatedAt,lastActiveAtbookingLimits,appsLastSync- Many relations:
eventTypes,bookings,schedules,selectedCalendars,destinationCalendar,credentials,apiKeys,webhooks,tokens,accounts,sessions,memberships,profiles,feedback, ...
Related models
Account— NextAuth's per-provider linkage (Google, GitHub, ...).Session— NextAuth session row.Profile— organization profile binding (per-org username).Membership— team / organization membership with role.
Where it lives in code
| Concern | File |
|---|---|
| Domain | packages/features/users/, packages/features/profile/ |
| Auth | packages/features/auth/ |
| Sessions | packages/features/auth/lib/getServerSession.ts |
| Repository | packages/features/users/...Repository.ts |
| Settings UI | apps/web/modules/settings/, apps/web/app/(use-page-wrapper)/.../settings/ |
| Bot detection on signup | packages/features/bot-detection, packages/features/watchlist |
Important behaviors
- Identity provider — a user can authenticate via password, Google, GitHub, or magic link. The
identityProvidercolumn captures the last-used provider; theAccounttable holds the per-provider linkage. - Profiles — when a user joins an organization, a
Profilerow is created so they can have a different username under that organization. TheProfileis linked fromEventType,Booking, etc. - 2FA — TOTP-based; the secret is stored encrypted with
CALENDSO_ENCRYPTION_KEY. - Defaults —
defaultScheduleIdis the schedule new event types inherit;timeZone,weekStart,theme,localeare user-level defaults that propagate down. - Bot defense — signup is gated by
packages/features/watchlist(free email domains list) andpackages/features/bot-detection.
Consumers
Pretty much everything. The booking pipeline reads the organizer's user, the slot computation reads the user's schedules and selected calendars, the dashboard reads the user's settings, the API v2 maps API keys / OAuth tokens back to a user.
Related pages
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.