Invite your team

Access is per organization, with four roles. Invitations are tokens rather than magic-link emails, so you decide how they reach people.

The four roles

RoleCan
viewerRead everything: messages, stats, settings
memberOperate servers: send-side resources, templates, suppressions
adminManage members, invitations and organization settings
ownerEverything, including deleting the organization; the last owner cannot be removed

Global admins (created with make-user --admin or the users API) sit above organizations. Reserve them for operations rather than daily work.

Send an invitation

# dashboard: Organization → Members → Invite
POST /api/v2/admin/organizations/{org}/invitations
   { "email_address": "ada@acme.com", "role": "member" }

The response carries the invitation token, shown once. Hand it to the invitee (your own email, Slack, whatever); they accept at {frontend_url}/invitations/{token}, creating their account in the process if needed. Invitations expire after auth.invitation_expiry_days (default 7).

Sensible defaults

  • Default to member; promote deliberately.
  • Give auditors and dashboards viewer, not member.
  • Two owners minimum, because vacations happen.
  • Enforce 2FA culturally: TOTP enrollment is self-service under Account → Security (API).
SSO users are provisioned on first login when oidc.auto_provision is on; see Set up SSO. Role assignment in the org still happens via membership/invitations.