Set up your team
Register (open), get your auto-created company, then invite members and assign roles — all company-scoped, so a teammate only ever sees your company's data.
Registration is open and auto-creates a company. From there you invite teammates and give each a role. Everything stays company-scoped: a member only ever sees your company's templates, connectors, runs, and audit trail.
Register — your company is created for you
curl -s -X POST "$API/auth/register" \
-H "Content-Type: application/json" \
-d '{
"email": "jane.doe@acme-health.com",
"password": "<your-password>",
"company_name": "Acme Health"
}'
- Registration is open — anyone can sign up. The response returns a JWT plus the auto-created company. company_name is optional; when empty it defaults to "<your name>'s Company".
- You become the company's owner (an active owner membership) from day one.
Personal-email domains (gmail, outlook, …) are accepted under open registration. They are only blocked when the closed-beta whitelist gate is enabled — see Authentication.
Invite a member
Invite a teammate by email against your company id. This upserts a pending membership
and returns an invitation token you can share:
curl -s -X POST "$API/companies/$COMPANY_ID/members" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"email": "ops.analyst@acme-health.com",
"role": "member"
}'
The invitee claims the invite by registering with the same email (a shadow-user claim flow), then accepting the membership.
Roles
A company has five roles. The owner is set at company creation (one per company); the other four are assignable via invite or a role change:
| Role | Typical use |
|---|---|
| owner | The company creator. One per company; not assignable via invite. |
| admin | Manage the team, invite members, change roles. |
| manager | Sign gates, run processes, manage day-to-day operations. |
| member | Configure connectors, start runs, resume gates. |
| viewer | Read-only access. |
Change a member's role:
curl -s -X PATCH "$API/companies/$COMPANY_ID/members/$USER_ID" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{ "role": "manager" }'
Assignable roles are admin, manager, member, viewer — owner is excluded (it is
set only at company creation or via ownership transfer). List or remove members:
# who's in my company
curl -s "$API/companies/$COMPANY_ID/members" -H "Authorization: Bearer $TOKEN"
# soft-remove a member
curl -s -X DELETE "$API/companies/$COMPANY_ID/members/$USER_ID" \
-H "Authorization: Bearer $TOKEN"
Company-scoped isolation
Roles govern what a user can do within their company — they never widen the tenant
boundary. There is no cross-company read: a request that would reach another company's
data returns 404, not someone else's row. See Multi-tenancy
for the full isolation model.
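A smoke check for the isolation rule above, as an added example (not the product's own tooling). It assumes API and TOKEN as in the curl calls on this page, plus two hypothetical variables: OWN_COMPANY_ID (your company) and OTHER_COMPANY_ID (a second test company you registered yourself). It also assumes the member list returns a 2xx status for your own company.

```bash
#!/bin/sh
# Added example: tenant-isolation smoke check. Variable names OWN_COMPANY_ID and
# OTHER_COMPANY_ID are assumptions; both companies must be ones you control.

# Map the HTTP status of a cross-company request to a verdict.
# Only 404 matches the documented behaviour; 2xx means data crossed the boundary.
cross_tenant_verdict() {
  case "$1" in
    404) echo "PASS" ;;
    2??) echo "FAIL-LEAK" ;;
    *)   echo "MISMATCH" ;;   # not the documented 404: investigate
  esac
}

# Evaluate a control/probe pair. The control (your own company) must succeed,
# otherwise a 404 on the probe proves nothing (wrong base URL, expired token,
# or curl's 000 when the request never completed).
isolation_result() {
  case "$1" in
    2??) cross_tenant_verdict "$2" ;;
    *)   echo "INVALID-CONTROL" ;;
  esac
}

# Return only the HTTP status of the member list for a given company id.
members_status() {
  curl -s -o /dev/null -w '%{http_code}' \
    "$API/companies/$1/members" -H "Authorization: Bearer $TOKEN"
}

# Run against the live API only when all four variables are set.
if [ -n "${API:-}" ] && [ -n "${TOKEN:-}" ] \
   && [ -n "${OWN_COMPANY_ID:-}" ] && [ -n "${OTHER_COMPANY_ID:-}" ]; then
  own=$(members_status "$OWN_COMPANY_ID")
  other=$(members_status "$OTHER_COMPANY_ID")
  result=$(isolation_result "$own" "$other")
  echo "own=$own other=$other verdict=$result"
  [ "$result" = "PASS" ]
fi
```

Run it with a token from each role in turn: the verdict should stay PASS for every role, since roles never widen the tenant boundary.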