Skip to main content
Configure workspace structure, roles, member access, security policies, encryption keys, and environment variables. The Workspace and Team settings are your control center for access, security, and runtime configuration. From here you manage who can do what, how data is protected, and what values agents use at runtime.
  • Navigation: Settings > Team
  • Required role: Owner or Admin

Workspace Structure

The Agent Platform organizes resources across three levels. You don’t need all three - start with a workspace, add projects as your work grows, and only set up an organization if you need to manage multiple workspaces together. What the workspace controls:
  • Who has access and what they can do (team membership and roles).
  • Which AI models and providers are available (LLM policies, token budgets, rate limits).
  • Which features are unlocked (based on your plan tier).
What projects add:
  • Project members are drawn from workspace members and carry project-specific roles.
  • Environment variables and secrets can be scoped per project and per environment (development, staging, production).

Roles and Permissions

The platform uses hierarchical role-based access control (RBAC). Each role inherits all permissions from the roles below it.

Workspace Roles

Project Roles

How workspace and project roles interact:
  • Workspace Owners and Admins have workspace-wide authority and can administer all projects without explicit project membership.
  • Non-admin workspace members need explicit project membership for project-scoped access.
  • When a workspace member creates a project, they automatically become that project’s Admin and can add other workspace members from Settings > Members.

Managing Members

Only workspace Owners and Admins can manage team membership.

View Current Members

Go to Settings > Team > Members. The list shows name and email, workspace role, status (active, suspended, locked, or deactivated), and date joined.

Invite a Member

  1. Click Invite member.
  2. Enter the invitee’s email address.
  3. Select a role: Admin, Operator, Member, or Viewer.
  4. Click Send invite.
The invitee receives an email with a unique link that includes the workspace name and their assigned role. Invitations expire after 7 days and are cleaned up automatically. Manage pending invitations from the Pending Invitations section on the Members page:
If a member reports not receiving the invitation email, check the pending list and resend - you don’t need to revoke first.

Change a Member’s Role

  1. Find the member in the Members list.
  2. Click the role dropdown next to their name.
  3. Select the new role and confirm.
Role changes take effect immediately - permissions update on the member’s next page load or API call. Platform-enforced role hierarchy rules:
  • You can’t assign a role higher than your own. An Admin can’t promote a member to Owner.
  • Only the workspace Owner can promote a member to Admin.
  • Only the workspace Owner can transfer ownership.
  • You can’t demote yourself - ask another Owner or Admin to change your role.

Remove a Member

  1. Find the member in the Members list.
  2. Click the three-dot menu next to their row.
  3. Select Remove member and confirm.
What happens when a member is removed:
  • They lose access to all workspace resources immediately.
  • Their project memberships within this workspace are removed.
  • Resources they created (agents, knowledge bases) remain in the workspace.
  • Active sessions they initiated continue running, but they can’t start new ones.
Removing a member doesn’t delete their Agent Platform account. They can still access other workspaces they belong to.

Transfer Workspace Ownership

Only the current workspace Owner can transfer ownership.
  1. Go to Settings > Team > Members.
  2. Click the three-dot menu next to the target member.
  3. Select Transfer ownership and confirm by typing the workspace name.
After the transfer, the previous Owner is demoted to Admin, and the new Owner gains full control, including the ability to delete the workspace.

Custom Roles

Workspace Owners and Admins can define custom roles with granular permissions beyond the built-in set. Custom roles are tenant-scoped and managed from Settings > Team > Custom Roles.

Create a Custom Role

  1. Enter a role name and optional description.
  2. Select the required permissions.
  3. Click Create.
Role assignment:
  • Built-in roles are managed on the Members page.
  • Custom project roles are governed through the Custom Project Roles flow.

Security and Compliance

Go to Team > Security & Compliance to manage authentication and access controls. The page has three tabs: MFA, SSO, and Audit Logs. Required role: Owner or Admin.

Multi-factor Authentication (MFA)

MFA adds a verification step using a time-based one-time password (TOTP). Enable MFA for your account: Go to Team > Security & Compliance, click Enable MFA, complete the authenticator app setup, enter the verification code, and click Verify & Enable. Recovery codes are generated during MFA setup and let you access your account if you lose your authenticator app:
  • Each code can only be used once.
  • Store them securely.
  • Regenerating codes invalidates all previously issued codes.
Enforce MFA for the workspace: From the MFA tab, enable Require MFA for all members and select a grace period. When enforced:
  • New members must configure MFA before accessing the workspace.
  • Existing members must complete MFA setup within the grace period.
  • Members who don’t complete setup are locked out until MFA is configured.

Single Sign-on (SSO)

SSO lets users authenticate using an external identity provider (IdP). Plan requirement: Enterprise plan only. Generated SSO URLs The platform automatically generates these endpoints; there is no action to create or edit them manually. Use the URLs when configuring your identity provider’s SAML/OIDC application settings. Auto-generated SSO URLs are created automatically and aren’t user-configurable. Only organization owners or admins can view and use these URLs to configure SSO. Admins can select Refresh to reload the current URL values, but this doesn’t regenerate or change them. Supported protocols:
  • SAML 2.0 - Supports Okta, Azure AD, and OneLogin.
  • OpenID Connect (OIDC) - Supports Auth0 and Keycloak.
Set up SAML SSO: Go to Team > Security & Compliance > SSO, select SAML 2.0, enter the required configuration details, and click Save Configuration. Set up OIDC SSO: Go to Team > Security & Compliance > SSO, select OpenID Connect, enter the required configuration details, and click Save Configuration. Domain verification: Use the Domain Verification section in the SSO tab to claim and verify your organization’s email domain before enforcing SSO. Force SSO: Enable Force SSO from the SSO tab to require users with verified domain email addresses to authenticate through SSO. When enabled:
  • Password-based login is disabled for verified domain users.
  • Users outside the verified domain are unaffected.
  • Workspace Owners retain password-based login as a fallback.
Google authentication fallback: Enable Allow Google fallback to let users sign in with Google if the configured SSO provider is unavailable.

Audit Logs

Audit logs give you a tenant-scoped, filterable record of all significant workspace actions. Use them to investigate incidents, verify compliance, and review team activity.
  • Navigation: Settings > Team > Audit Logs
  • Required role: Owner or Admin
  • Export: Available on Professional and Enterprise plans
Use Refresh to reload the log. Use Export CSV to download the current filtered view. Use the filter bar to narrow results by search text, date range, action type, preset, or category.

Summary Metrics

Event Categories

Log Table Columns

Retention

  • Follows the workspace retention policy.
  • Professional and Enterprise plans: at least 90 days.
  • Contact support for extended retention.

Key Management

The Key Management Service (KMS) lets you control the encryption keys used to protect sensitive workspace data. Instead of relying on platform-managed keys, you can provide your own key material from a supported cloud provider.
  • Navigation: Settings > Team > Key Management
  • Required role: Owner
  • Plan requirement: Enterprise plan only
Key Management page

Encryption Architecture

The platform uses envelope encryption: a Key Encryption Key (KEK) from your provider wraps versioned Data Encryption Keys (DEKs). The KMS page is organized into five tabs: Configuration, Scopes, Encryption Keys, Health, and Audit Log.

Configuration

The Configuration tab shows the active KMS setup and lets you manage provider and encryption policies. Supported KMS providers: Failure policy: Rotation and re-encryption settings: Key rotation can happen automatically (if the provider supports scheduled rotation) or manually, by creating a new key version on demand from the Encryption Keys tab. Re-encryption also includes Concurrency (parallel jobs), Batch Size (records per batch), and Max Retries (retry attempts for failed jobs). Click Save Configuration to apply.

Scopes

The Scopes tab lets you configure KMS overrides for specific environments and projects. Overrides follow this precedence: Platform default > Tenant default > Tenant environment > Project default > Project environment The most specific override always takes precedence. Use the Effective Scope Preview to inspect the resolved provider for a selected project or environment. It shows the full inheritance chain - each level marked as Active or overridden. Use Save Override, Reset Form, or Clear Override to manage scoped overrides.

Encryption Keys

The Encryption Keys tab shows active and retired DEKs across scopes. DEK inventory summary: Active DEKs can rotate; retired DEKs remain decrypt-capable as long as existing ciphertext still references them, which is why they appear as Decrypt-Only instead of being removed immediately. Filter the inventory by status (Active, Decrypt-Only, or Destroyed), project, or environment. Use Rotate Keys to manually trigger DEK rotation for the current scope.
Don’t destroy a key version in your cloud provider until all data has been re-encrypted with the new version. Destroying active key versions may result in permanent data loss.

Health

The Health tab shows operational status and encryption metrics for the configured KMS provider. Click Refresh Health to reload. When provider connectivity fails:
  • Fail Closed - Encryption and decryption operations stop until recovery.
  • Graceful Degradation - The platform continues operating using cached DEKs already in memory, without contacting the KEK provider.

KMS Audit Log

The Audit Log tab in Key Management shows tenant-scoped KMS activity: configuration changes, rotations, validations, and failures. Filter by operation type, result, or date range.
KMS audit log retention follows the workspace data retention policy. Professional and Enterprise plans retain logs for at least 90 days.

Environment Variables

Environment variables are key-value pairs scoped to a project and environment. At runtime, agents resolve {{env.KEY}} placeholders in tool configs and parameters to the matching value.
  • Navigation: Settings > Team > Env Variables
  • Required role: Owner, Admin, or Operator

Variable Types

Environment Tabs

The page shows four tabs: Global, Dev, Staging, and Production. Each tab shows its variable count.
Global variables are available in all environments. An environment-specific variable with the same key takes priority over the global variable.
Toolbar actions: Filter keys, Refresh, Diff, Namespaces, All Variables, Export, Import, Add Variable.

Add a Variable

  1. Go to Settings > Team > Env Variables.
  2. Select the target project from the dropdown.
  3. Select the target environment tab.
  4. Click Add Variable.
  5. Enter a Key (use UPPER_SNAKE_CASE), Value, and optional Description.
  6. Check Mark as secret if the value is sensitive.
  7. Click Create.
Variables created on the Global tab are available in all environments unless overridden by an environment-specific variable with the same key.

Edit and Delete Variables

  • Edit: Click Edit to update a variable’s value or description. Changes apply immediately.
  • Delete: Click the delete icon and confirm.
Deleting a variable referenced in an agent definition causes runtime errors. Check all references before deleting.

Export Variables

  1. Select the environment tab.
  2. Click Export.
  3. Choose format: JSON (array) or .env (file format).
  4. Click Copy to Clipboard or Download.

Import Variables

  1. Select the environment tab.
  2. Click Import.
  3. Paste JSON in this format:
  4. Check Overwrite existing variables to replace matching keys.
  5. Click Import.
Variables not in the import file remain unchanged. Replicate variables across projects: Environment variables are project-scoped. To replicate them, use Export/Import with the same JSON file. For values shared across all projects, use workspace-level secrets.