RBAC
Role-based access control (RBAC) determines who can approve, execute, or view operations. The first registered user becomes the admin; admins manage team members, their roles, and integrations.
Roles
| Role | Capabilities |
|---|---|
| Admin | Full access. Manage team, integrations, approve and execute operations. |
| Member | Use the agent, approve and execute operations, view conversations. |
Role assignment is managed by the admin. There is no self-service role change.
First User = Admin
The first user to register on a new deployment becomes the admin. This bootstrap guarantees that the team always has someone who can manage it; every subsequent user is added by the admin rather than through open registration. Because that first registration grants full control, complete it yourself right after deploying and before exposing the instance to anyone else.
Team Management
| Action | Who |
|---|---|
| Add member | Admin |
| Update member (role, status) | Admin |
| Remove member | Admin |
| View team list | Admin, Member |
Authentication
| Mechanism | Description |
|---|---|
| JWT | Access tokens for API and Command Center. |
| Refresh token | Rotated on every use: the token just presented is retired and a new one is issued. Stored securely. |
| Session | Tied to refresh token lifecycle. |
Credentials are never stored in plain text: passwords are stored as hashes, and tokens are signed on issue and validated before they are accepted.
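The token lifecycle in the table above (signed access JWT, refresh token rotated on use, session bound to the refresh chain), as an added example using only the Python standard library. This is illustrative code, not the product's implementation: the token lifetimes, the per-process signing key, the HS256 choice, the hashing of stored refresh tokens and the "revoke the whole session when a retired refresh token is replayed" rule are all assumptions made for the example; the page does not specify them.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed values for the example. A real deployment loads the key from a
# secret store and tunes the lifetimes to its own policy.
SIGNING_KEY = secrets.token_bytes(32)
ACCESS_TTL = 15 * 60              # access tokens are short-lived
REFRESH_TTL = 14 * 24 * 3600      # the session lives as long as its refresh chain


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, now: Optional[float] = None) -> str:
    """Sign an HS256 JWT carrying the given claims plus iat/exp."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = {**claims, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(body).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None.
    The algorithm is pinned to HS256 rather than trusted from the header, so
    an attacker cannot downgrade to alg=none or swap in another scheme."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


@dataclass
class Session:
    user: str
    role: str
    current_hash: str      # hash of the single refresh token that is valid right now
    expires_at: float
    revoked: bool = False


class SessionStore:
    """Refresh tokens are stored hashed; only the newest token in a chain is valid."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Session] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, role: str, now: Optional[float] = None) -> Tuple[str, str]:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(16)
        refresh = f"{sid}.{secrets.token_urlsafe(32)}"
        self._by_id[sid] = Session(user, role, self._hash(refresh), now + REFRESH_TTL)
        return issue_jwt({"sub": user, "role": role, "sid": sid}, now), refresh

    def refresh(self, refresh_token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Rotate: retire the presented token, hand back a new access/refresh pair."""
        now = time.time() if now is None else now
        sid, _, _ = refresh_token.partition(".")
        sess = self._by_id.get(sid)
        if sess is None or sess.revoked or sess.expires_at <= now:
            return None
        if not hmac.compare_digest(sess.current_hash, self._hash(refresh_token)):
            # A token that was already rotated is being presented again: a replay,
            # or a client that lost a race. Assumed policy: end the whole session.
            sess.revoked = True
            return None
        new_refresh = f"{sid}.{secrets.token_urlsafe(32)}"
        sess.current_hash = self._hash(new_refresh)
        return issue_jwt({"sub": sess.user, "role": sess.role, "sid": sid}, now), new_refresh

    def logout(self, refresh_token: str) -> None:
        sid, _, _ = refresh_token.partition(".")
        if sid in self._by_id:
            self._by_id[sid].revoked = True
```

Binding the session to the refresh chain means that revoking the session (logout, reuse detection, admin removal of the member) stops any further access tokens from being minted; already-issued access tokens simply run out their short `exp`, which is why the access lifetime is kept small.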
SSO (Team Plan)
SAML 2.0 and OIDC are available in the Team plan. Integrate with your identity provider (Okta, Auth0, Azure AD, Google Workspace). SSO only authenticates the user; it does not grant a role. SSO users are provisioned with roles by the admin, exactly as password users are.
Permissions Matrix
| Action | Admin | Member |
|---|---|---|
| Approve mutating operations | Yes | Yes |
| Execute (after approval) | Yes | Yes |
| View conversations and audit trail | Yes | Yes |
| Add/remove team members | Yes | No |
| Configure integrations | Yes | No |
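The roles, team-management actions and permissions matrix above, encoded as one deny-by-default authorization check, as an added example rather than the product's own code. The action names mirror the tables; the in-memory storage and the rule that no change may leave the team without an admin (which is what "someone can always manage the team" requires) are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, FrozenSet


class Role(str, Enum):
    ADMIN = "admin"
    MEMBER = "member"


class Forbidden(Exception):
    """Raised when an actor lacks the permission for an action."""


# Permissions matrix from the page. An action missing from this map, or a
# role missing from an entry, is denied: there is no implicit allow.
PERMISSIONS: Dict[str, FrozenSet[Role]] = {
    "approve_mutating_operation":   frozenset({Role.ADMIN, Role.MEMBER}),
    "execute_after_approval":       frozenset({Role.ADMIN, Role.MEMBER}),
    "view_conversations_and_audit": frozenset({Role.ADMIN, Role.MEMBER}),
    "view_team":                    frozenset({Role.ADMIN, Role.MEMBER}),
    "add_member":                   frozenset({Role.ADMIN}),
    "update_member":                frozenset({Role.ADMIN}),
    "remove_member":                frozenset({Role.ADMIN}),
    "configure_integrations":       frozenset({Role.ADMIN}),
}


def is_allowed(role: Role, action: str) -> bool:
    """Deny-by-default lookup: unknown actions and unknown roles are refused."""
    return role in PERMISSIONS.get(action, frozenset())


@dataclass
class Team:
    members: Dict[str, Role] = field(default_factory=dict)

    def register(self, user: str) -> Role:
        """Open registration only bootstraps the very first user, as admin.
        Everyone after that has to be added by an admin."""
        if user in self.members:
            raise ValueError(f"{user!r} is already registered")
        if self.members:
            raise Forbidden("registration is closed; an admin must add you")
        self.members[user] = Role.ADMIN
        return Role.ADMIN

    def _require(self, actor: str, action: str) -> None:
        role = self.members.get(actor)
        if role is None or not is_allowed(role, action):
            raise Forbidden(f"{actor!r} may not {action}")

    def _ensure_another_admin(self, excluding: str) -> None:
        # Assumed invariant: never leave the team with no admin, because then
        # nobody could add, update or remove members again.
        if not any(r is Role.ADMIN for u, r in self.members.items() if u != excluding):
            raise Forbidden("this would leave the team without an admin")

    def add_member(self, actor: str, user: str, role: Role = Role.MEMBER) -> None:
        self._require(actor, "add_member")
        if user in self.members:
            raise ValueError(f"{user!r} is already a member")
        self.members[user] = role

    def update_role(self, actor: str, user: str, role: Role) -> None:
        # Only admins pass this check, so a member cannot change their own role.
        self._require(actor, "update_member")
        if user not in self.members:
            raise KeyError(user)
        if self.members[user] is Role.ADMIN and role is not Role.ADMIN:
            self._ensure_another_admin(user)
        self.members[user] = role

    def remove_member(self, actor: str, user: str) -> None:
        self._require(actor, "remove_member")
        if user not in self.members:
            raise KeyError(user)
        if self.members[user] is Role.ADMIN:
            self._ensure_another_admin(user)
        del self.members[user]

    def team_list(self, actor: str) -> Dict[str, Role]:
        self._require(actor, "view_team")
        return dict(self.members)


def forbidden(call: Callable, *args) -> bool:
    """True if the call is refused by the access check."""
    try:
        call(*args)
    except Forbidden:
        return True
    return False
```

Every privileged method calls `_require` first and the matrix is a closed list, so adding a new action to the product means adding a row here deliberately; nothing becomes available to members by omission.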
