Console: Team & Roles
Team members
Section titled “Team members”
Each tenant has a team of users. The person who created the tenant is the owner with full permissions.
Inviting members
Section titled “Inviting members”Click Invite member, enter their email, and select a role. They’ll receive an invitation link to join your tenant.
Members can belong to multiple tenants and switch between them.
Built-in roles
Section titled “Built-in roles”| Role | What they can do |
|---|---|
| Owner | Everything — billing, team management, all operations. One per tenant. |
| Admin | Manage members, roles, API keys, webhooks. All operations except deleting the tenant. |
| Member | Issue, verify, and revoke credentials. Create DIDs. Run compliance reports. No team management. |
| Viewer | Read-only access — view credentials, DIDs, compliance reports, usage. Cannot issue or modify. |
| API-only | Programmatic operations — issue, verify, revoke, DIDComm. No team management or billing. Designed for backend integrations. |
Choosing a role
Section titled “Choosing a role”- Admin — for co-admins who need to manage the team
- Member — for day-to-day credential operations
- Viewer — for auditors or stakeholders who need visibility
- API-only — for service accounts or backend integrations
Custom roles
Section titled “Custom roles”On the Roles page (requires roles:manage permission), you can create
custom roles with specific permissions. For example:
- Auditor —
compliance:report,compliance:audit,credentials:list - Issuer —
credentials:issue,credentials:list,dids:list - DIDComm operator —
didcomm:send,didcomm:receive
All permissions
Section titled “All permissions”| Permission | Description |
|---|---|
tenant:manage | Manage tenant settings, billing, custom domains |
tenant:delete | Delete the tenant (owner only) |
members:invite | Invite new team members |
members:remove | Remove team members |
members:update_role | Change a member’s role |
roles:manage | Create and edit custom roles |
api_keys:create | Create API keys |
api_keys:revoke | Revoke API keys |
credentials:issue | Issue credentials |
credentials:verify | Verify credentials |
credentials:revoke | Revoke credentials |
credentials:list | List and view credentials |
dids:create | Create DIDs |
dids:list | List and resolve DIDs |
dids:deactivate | Deactivate DIDs |
didcomm:send | Send DIDComm messages |
didcomm:receive | Receive DIDComm messages |
compliance:report | Generate compliance reports |
compliance:consent | Manage consent records |
compliance:audit | Query audit trail |
trust:attest | Add trust attestations, create delegations |
trust:query | Query trust scores, verify delegations |
webhooks:manage | Manage webhooks |
usage:view | View usage and billing |
See the Team & RBAC API reference for programmatic usage.
See also
Section titled “See also”- Security Model concept — RBAC architecture
- Team & RBAC API — programmatic team management