Team
An operator account can host multiple human team members, each with their own API key, role, and optional allow-list of service connections. The team feature extends the operator primitive without diluting accountability - every action still attributes to a specific member in the audit chain.
Roles
- readonly - can read every resource and make proxy / credential calls, but cannot mutate agents, services, passports, or team state
- standard - the default; can issue passports, manage agents, connect services, publish skills
- admin - adds team management (invite / update / revoke members) and billing control; cannot regenerate the operator master API key
See /docs/api/team for the full role × endpoint matrix.
API keys
- Prefix sk_live_mem_ for member keys, sk_live_op_ for operator keys
- Stored as an HMAC-SHA256 hash with a server-side pepper - plaintext never persists
- Constant-time comparison on every request to prevent timing attacks
- Revocation is immediate - DELETE /v1/team/members/:id invalidates the key the moment it returns
Allowed connections
Each member can carry an allowed_connections array of service connection IDs. When the array is set, the member can only retrieve credentials and make proxy calls against connections in the list; any other connection is refused. Setting the array to null grants access to every connection.
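To make the key handling and the allow-list concrete, here is an added illustration (not the service's own code) of how a member key store along these lines can work: keys are generated with the sk_live_mem_ prefix, only a pepper-keyed HMAC-SHA256 of the key is stored, verification uses a constant-time comparison, and allowed_connections is enforced with null (None here) meaning every connection. The pepper value, the Member record shape and the function names are assumptions; a real store would index records by a non-secret key identifier rather than scanning all records as this one does.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed server-side pepper (assumption). In production it lives in a
# secrets manager, never in the database next to the key digests.
PEPPER = b"example-pepper-do-not-use"

MEMBER_PREFIX = "sk_live_mem_"
OPERATOR_PREFIX = "sk_live_op_"


@dataclass
class Member:
    id: str
    role: str
    key_digest: bytes                             # HMAC-SHA256(pepper, plaintext key)
    allowed_connections: Optional[list] = None    # None mirrors JSON null: every connection
    status: str = "active"


def key_digest(plaintext: str) -> bytes:
    """Pepper-keyed HMAC of the plaintext key; this digest is all that persists."""
    return hmac.new(PEPPER, plaintext.encode(), hashlib.sha256).digest()


def issue_member_key(member_id: str, role: str,
                     allowed: Optional[list], store: dict) -> str:
    """Create a member record and hand back the plaintext key exactly once."""
    plaintext = MEMBER_PREFIX + secrets.token_urlsafe(24)
    store[member_id] = Member(member_id, role, key_digest(plaintext), allowed)
    return plaintext


def authenticate(presented: str, store: dict) -> Optional[Member]:
    """Resolve a presented key to an active member, or None.

    Only member keys are accepted here; an operator key (sk_live_op_) is a
    different credential and is rejected by the prefix check.
    """
    if not presented.startswith(MEMBER_PREFIX):
        return None
    digest = key_digest(presented)
    for member in store.values():
        # compare_digest takes time independent of where the digests first differ,
        # so an attacker learns nothing about the stored value from response timing.
        if hmac.compare_digest(digest, member.key_digest) and member.status == "active":
            return member
    return None


def may_use_connection(member: Member, connection_id: str) -> bool:
    """Allow-list check for credential retrieval and proxy calls."""
    if member.allowed_connections is None:   # null: no restriction
        return True
    return connection_id in member.allowed_connections
```

Only the digest is written to storage; the plaintext exists in the response to the issuing call and nowhere else. Keeping `status` on the record rather than deleting it means a revoked member fails `authenticate` on the very next request while the row stays for the audit trail.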
```json
{
  "id": "mem_b2…",
  "email": "alice@acme.dev",
  "role": "standard",
  "allowed_connections": ["scon_slack_prod", "scon_github_ops"],
  "status": "active"
}
```
Invite flow
1. Admin calls POST /v1/team/members - member created in "invited" state, invite email sent with a 7-day token
2. Member opens the invite link and calls POST /v1/team/members/:id/accept with the token
3. Accept returns the member API key exactly once - it cannot be retrieved again
4. Member status flips to "active"; their first request authenticates the account
The invite accept endpoint is unauthenticated - it exists so brand-new members can exchange the invite token for an API key before they have any credentials. The token in the invite email is therefore the only thing protecting that call: it expires after 7 days, and once accept has returned the member key the token cannot be used to fetch it again, so treat the invite email as sensitive.
Automatic cascades
- Revoking a member immediately revokes every live passport they issued (bulk_agent-style sweep per agent they touched)
- Deleting a member is not supported - revoke preserves the audit trail
- The member's credential retrieval history stays readable in the audit log after revoke
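The invite flow and the revoke cascade, as one added example (not the project's code) of the state machine the steps above describe: invite creates the member in the invited state with a 7-day token, accept exchanges that token for the member key exactly once and flips the status to active, and revoke marks the member revoked, kills the key, and sweeps the live passports they issued while keeping the record in place. The Team and Passport classes, the pepper, the token format and the in-memory store are assumptions; the HTTP layer is omitted and the endpoints are named in comments only.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

PEPPER = b"example-pepper-do-not-use"   # constructed server-side secret (assumption)
INVITE_TTL = 7 * 24 * 3600               # 7-day invite token, as documented


@dataclass
class Member:
    id: str
    email: str
    role: str
    status: str = "invited"                  # invited -> active -> revoked
    invite_digest: Optional[bytes] = None    # HMAC of the invite token, cleared on accept
    invite_expires: float = 0.0
    key_digest: Optional[bytes] = None       # HMAC of the member API key
    issued_passports: list = field(default_factory=list)


@dataclass
class Passport:
    id: str
    issued_by: str                           # per-member attribution
    status: str = "live"


def _digest(secret: str) -> bytes:
    return hmac.new(PEPPER, secret.encode(), hashlib.sha256).digest()


class Team:
    def __init__(self):
        self.members: dict = {}
        self.passports: dict = {}

    # Step 1: POST /v1/team/members (admin-authenticated in the real API).
    def invite(self, member_id: str, email: str, role: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)
        m = Member(member_id, email, role)
        m.invite_digest = _digest(token)
        m.invite_expires = (now if now is not None else time.time()) + INVITE_TTL
        self.members[member_id] = m
        return token   # goes into the invite email; only its digest is kept

    # Steps 2-4: POST /v1/team/members/:id/accept. Unauthenticated: the token is the credential.
    def accept(self, member_id: str, token: str, now: Optional[float] = None) -> str:
        m = self.members.get(member_id)
        if m is None or m.status != "invited":
            raise PermissionError("no pending invite")   # also blocks a second accept
        if (now if now is not None else time.time()) > m.invite_expires:
            raise PermissionError("invite expired")
        if not hmac.compare_digest(_digest(token), m.invite_digest):
            raise PermissionError("bad invite token")
        api_key = "sk_live_mem_" + secrets.token_urlsafe(24)
        m.key_digest = _digest(api_key)
        m.invite_digest = None       # token can never be replayed
        m.status = "active"
        return api_key               # returned exactly once; never retrievable again

    def issue_passport(self, member_id: str, passport_id: str) -> None:
        m = self.members[member_id]
        if m.status != "active":
            raise PermissionError("member not active")
        self.passports[passport_id] = Passport(passport_id, issued_by=member_id)
        m.issued_passports.append(passport_id)

    # DELETE /v1/team/members/:id: revoke, never delete. Returns the passports swept.
    def revoke(self, member_id: str) -> list:
        m = self.members[member_id]
        m.status = "revoked"
        m.key_digest = None          # key is dead from this moment on
        swept = [p for p in m.issued_passports if self.passports[p].status == "live"]
        for p in swept:
            self.passports[p].status = "revoked"
        return swept                 # member record and passport history stay for audit
```

The accept path fails closed in three distinct ways (no pending invite, expired token, wrong token) and the same "no pending invite" branch is what makes the key single-retrieval: after a successful accept the member is no longer in the invited state, so the invite token cannot be presented twice.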
Tier limits
- free - 1 member total (the operator)
- developer - 5 members
- studio - 25 members
- enterprise - unlimited
Related
- /docs/api/team - invite, list, update, revoke, role × endpoint matrix
- /docs/concepts/passports - per-member attribution in issued passports
- /docs/api/billing - tier table and member caps