Team Accounts

Multi-user workspaces with shared credits, RBAC, and invitations

PrivateRouter supports multi-user workspaces (called Teams) for shared credit balances, role-based access control, and centralised API key management.

Roles

Every team member has one of four roles:

Role | Manage team | Invite members | Create API keys | Use API | View usage
owner
admin | partial*
developer
viewer

*Admins can rename the team and manage non-owner members, but cannot delete the team or promote anyone to owner.

Creating a team

  1. Sign in to the PrivateRouter dashboard.
  2. Click Teams in the sidebar → New team button.
  3. Enter a team name. A URL-friendly slug is generated automatically.
  4. You're seated as the team's owner immediately.

Inviting members

  1. Open the team detail page → Invitations tab.
  2. Enter an email and pick a role (admin / developer / viewer).
  3. Click Invite. PrivateRouter returns a one-time token URL — share that with the invitee directly.
  4. They click the link, sign in (the email on the invite must match their account email), and are added with the role you chose.

Invitations expire after 7 days if not accepted.
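
The acceptance rules above (one-time token, 7-day expiry, invite email must match the account email, owner not offered as an invite role), modelled as an added example; this is not PrivateRouter's code. The in-memory store, the function names, storing only a SHA-256 hash of the token, and the case-insensitive email comparison are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INVITE_TTL = timedelta(days=7)  # expiry stated on this page
INVITABLE_ROLES = {"admin", "developer", "viewer"}  # owner is not offered

@dataclass
class Invitation:
    email: str
    role: str
    created_at: datetime
    accepted: bool = False

def _digest(token: str) -> str:
    # Assumption: only a hash of the token is stored, so a leaked table
    # of invitations does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def create_invitation(store: dict, email: str, role: str, now: datetime) -> str:
    if role not in INVITABLE_ROLES:
        raise ValueError("role cannot be granted by invitation")
    token = secrets.token_urlsafe(32)  # unguessable, goes into the URL
    store[_digest(token)] = Invitation(email.strip().lower(), role, now)
    return token

def accept_invitation(store: dict, token: str, account_email: str, now: datetime) -> str:
    """Return the role to grant, or raise PermissionError with the reason."""
    inv = store.get(_digest(token))
    if inv is None:
        raise PermissionError("unknown token")
    if inv.accepted:
        raise PermissionError("token already used")
    if now - inv.created_at > INVITE_TTL:
        raise PermissionError("invitation expired")
    # Bind the link to the invited identity: a forwarded or leaked URL is
    # useless to any other signed-in account, and does not burn the token.
    if account_email.strip().lower() != inv.email:
        raise PermissionError("email mismatch")
    inv.accepted = True  # one-time: a replay now fails
    return inv.role

if __name__ == "__main__":
    store, t0 = {}, datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed data
    url_token = create_invitation(store, "dev@example.com", "developer", t0)
    print(accept_invitation(store, url_token, "dev@example.com", t0 + timedelta(days=2)))
```

Checking the email before marking the token as used means an attempt from the wrong account leaves the invitation valid for the intended invitee.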

Removing a member

  • Owners and admins can remove non-owner members.
  • Members can self-leave at any time.
  • You cannot remove the last owner — promote someone else first, or transfer ownership.

Roles vs. ownership of resources (Phase 1 note)

In the current release, every API key, prompt, conversation, and credit balance is still personally owned — the team layer is the workspace that wraps members together. A future release (Phase 2) will introduce team-scoped API keys, team credit balances, and per-team usage rollups, all of which use the team_id columns already shipped on the underlying tables.

Audit log

Every action that touches a team — team.create, members.add, invitations.create, invitations.accept, members.change_role, team.update, team.delete — is recorded in the team's audit log. Owners and admins can view it from the Audit tab on the team detail page.

API surface

All team endpoints are under /api/teams. Highlights:

POST   /api/teams                                 # create
GET    /api/teams                                 # list my teams
GET    /api/teams/{id}                            # detail
PATCH  /api/teams/{id}                            # rename
DELETE /api/teams/{id}                            # soft-delete

GET    /api/teams/{id}/members
POST   /api/teams/{id}/members                    # add by user_id
PATCH  /api/teams/{id}/members/{user_id}          # change role
DELETE /api/teams/{id}/members/{user_id}          # remove / self-leave

POST   /api/teams/{id}/invitations                # invite by email
GET    /api/teams/{id}/invitations                # list pending
POST   /api/invitations/{token}/accept            # accept (by invitee)

GET    /api/teams/{id}/audit                      # recent audit entries

All endpoints use the standard PrivateRouter auth — JWT bearer token, same as every other dashboard route.

Roadmap

  • Phase 2 — switch API key auth to prefer the active team's credit balance when an API key is team-scoped.
  • Team Bitcoin top-ups — credits paid via the native BTC module land on the team's balance, not the individual.
  • Per-team Usage page — leaderboard-style breakdown of which member is burning credits where.
  • SSO / SCIM — for enterprise team provisioning.