Roles & Permissions
What each role can do.
Three roles in a team workspace. Permissions are enforced at the database layer, so you can't bypass them through the API.
Owner
Full access. Can't be removed except by another owner. Owners can do everything below, plus:
- Manage billing and subscriptions
- Transfer ownership to someone else
- Delete the workspace
There's always at least one owner. The system won't let you remove the last one.
Admin
Can:
- Invite, remove, and change roles for members (except other owners)
- Create, deploy, edit, and delete bots
- Manage skills and integrations
- View monitoring and logs
- Edit workspace settings
Can't:
- Manage billing
- Delete the workspace
- Promote anyone to owner
Member
The day-to-day collaborators. Can:
- Create, edit, and deploy bots
- Run automations
- View monitoring and logs
- Test bots in the chat sandbox
Can't:
- Invite or remove members
- Change workspace settings
- Manage billing
- Delete bots created by others (they can delete only their own)
Changing a role
Members → click the row → change role. Effective immediately.
API tokens
Each role's permissions apply to API tokens too. A member-scoped token can't manage billing through the API, no matter what you try.