Invite your team
Access is per organization, with four roles. Invitations are tokens rather than magic-link emails, so you decide how they reach people.
The four roles
| Role | Can |
|---|---|
| viewer | Read everything: messages, stats, settings |
| member | Operate servers: send-side resources, templates, suppressions |
| admin | Manage members, invitations and organization settings |
| owner | Everything, including deleting the organization; the last owner cannot be removed |
Global admins (created with make-user --admin or the users API) sit above organizations. Reserve them for operations rather than daily work.
Send an invitation
# dashboard: Organization → Members → Invite POST /api/v2/admin/organizations/{org}/invitations { "email_address": "ada@acme.com", "role": "member" }
The response carries the invitation token, shown once. Hand it to the invitee (your own email, Slack, whatever); they accept at {frontend_url}/invitations/{token}, creating their account in the process if needed. Invitations expire after auth.invitation_expiry_days (default 7).
Sensible defaults
- Default to member; promote deliberately.
- Give auditors and dashboards viewer, not member.
- Two owners minimum, because vacations happen.
- Enforce 2FA culturally: TOTP enrollment is self-service under Account → Security (API).
SSO users are provisioned on first login when
oidc.auto_provision is on; see Set up SSO. Role assignment in the org still happens via membership/invitations.