Roles
| Role | Can do | Cannot do |
|---|---|---|
| OWNER | Everything — billing, role changes, member removal, branding | — |
| ADMIN | Invite/revoke members, manage automations, API keys, settings | Change billing plan, demote/remove the OWNER |
| MEMBER | Create + edit workflows, automations, templates, contacts | Invite members, manage API keys, change settings |
| VIEWER | Read-only across the workspace | Edit anything |
Invitations
ADMIN or OWNER opens Members → Invite, enters the invitee's email + role, and shares the resulting URL. The invite token lasts 14 days; when the invitee clicks the link they set their name + password, which creates a User + boundMembership in one transaction.
Seat caps
Plan caps include pending invitations so a Growth workspace at 10/10 can't queue an 11th. Revoke an unused invite to free the seat immediately.
Last-OWNER protection
You can't demote or remove the last OWNER. Promote another member to OWNER first, then change the previous OWNER's role.