Minctrl Docs
Guides

Set up your team

Register (open), get your auto-created company, then invite members and assign roles — all company-scoped, so a teammate only ever sees your company's data.

Registration is open and auto-creates a company. From there you invite teammates and give each a role. Everything stays company-scoped: a member only ever sees your company's templates, connectors, runs, and audit trail.

Register — your company is created for you

curl -s -X POST "$API/auth/register" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "jane.doe@acme-health.com",
    "password": "<your-password>",
    "company_name": "Acme Health"
  }'
  • Registration is open — anyone can sign up. The response returns a JWT plus the auto-created company.
  • company_name is optional; when empty it defaults to "<your name>'s Company".
  • You become the company's owner (an active owner membership) from day one.

Personal-email domains (gmail, outlook, …) are accepted under open registration. They are only blocked when the closed-beta whitelist gate is enabled — see Authentication.

Invite a member

Invite a teammate by email against your company id. This upserts a pending membership and returns an invitation token you can share:

curl -s -X POST "$API/companies/$COMPANY_ID/members" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "ops.analyst@acme-health.com",
    "role": "member"
  }'

The invitee claims the invite by registering with the same email (a shadow-user claim flow), then accepting the membership.

Roles

A company has five roles. The owner is set at company creation (one per company); the other four are assignable via invite or a role change:

RoleTypical use
ownerThe company creator. One per company; not assignable via invite.
adminManage the team, invite members, change roles.
managerSign gates, run processes, manage day-to-day operations.
memberConfigure connectors, start runs, resume gates.
viewerRead-only access.

Change a member's role:

curl -s -X PATCH "$API/companies/$COMPANY_ID/members/$USER_ID" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "role": "manager" }'

Assignable roles are admin, manager, member, viewerowner is excluded (it is set only at company creation or via ownership transfer). List or remove members:

# who's in my company
curl -s "$API/companies/$COMPANY_ID/members" -H "Authorization: Bearer $TOKEN"

# soft-remove a member
curl -s -X DELETE "$API/companies/$COMPANY_ID/members/$USER_ID" \
  -H "Authorization: Bearer $TOKEN"

Company-scoped isolation

Roles govern what a user can do within their company — they never widen the tenant boundary. There is no cross-company read: a request that would reach another company's data returns 404, not someone else's row. See Multi-tenancy for the full isolation model.

On this page