Access Control
Multi-tenant authentication with organizations, team management, and fine-grained project permissions
The Inkeep Agent Framework provides two layers of access control:
| Layer | What it does |
|---|---|
| Authentication | Users sign in, belong to organizations, manage teams |
| Authorization | Fine-grained project-level roles and permissions |
Authentication handles user sign-in and organization membership. Authorization adds granular control over who can do what within each project.
For deployment configuration including OAuth providers, see Authentication Setup.
Sign-In Methods
| Method | Description |
|---|---|
| Email & Password | Default sign-in with email and password credentials |
| Google | OAuth sign-in (requires configuration) |
To add Google sign-in, see Adding OAuth Providers.
Organizations & Team Management
Each organization operates as an isolated tenant:
- Separate workspaces: Each organization has its own projects, agents, MCP servers, and credentials
- Team collaboration: Multiple users can belong to the same organization
- Role-based access: Team members have different permission levels
Organization Roles
| Role | Permissions |
|---|---|
| Admin | Full access to all projects and settings, can add members |
| Member | Access determined by project-level roles |
Inviting Team Members
- Go to Settings in the left sidebar
- View current members and their roles
- Click Invite to invite a new team member
- Enter the member's email and select a role (Admin or Member)
- Click Send Invitation
If email is enabled for your tenant, the invited user receives a branded email with a link to accept the invitation and set up their account. The invitation expires after 7 days.
If email is not configured, the invitation link is displayed directly in the UI — copy and share it manually with the team member.
For self-hosted deployments, email requires SMTP configuration. See Configure Email for setup instructions.
Password Reset
If email is enabled for your tenant, users can reset their password through a self-service flow:
- On the sign-in page, click Forgot password?
- Enter the email address associated with your account
- Check your inbox for a password reset link
- Click the link and set a new password
The reset link expires after 30 minutes. If you don't receive the email, check your spam folder.
If email is not configured for your tenant, contact your organization administrator to reset your password.
Active Sessions
View every device currently signed in to your account and revoke any session you no longer recognize.
To open the Active sessions view:
- Click your avatar in the top-right corner
- Select Profile
- Scroll to the Active sessions section below your profile details
Each row represents one signed-in device and shows:
| Field | What it shows |
|---|---|
| Device | Browser and operating system (e.g., "Safari on macOS"). Falls back to "Unknown device" when the user-agent cannot be parsed. |
| IP address | The IP address recorded when the session was created. Displays "—" when unavailable. |
| Signed in | When the session was first established. |
| Last active | The most recent time the session made an authenticated request. |
| Expires | When the session will be automatically terminated. |
| This device | A badge marks the session you are currently using. It is always pinned to the top of the list. |
Revoking a Single Session
- Click Revoke on any session row
- Confirm in the dialog
- The row disappears from the list and a confirmation toast appears
Revoking your own current session signs you out of the current device and redirects you to the login page.
Revoking All Other Sessions
When you suspect a device has been compromised, use the panic button to terminate every other session in one step.
- Click Revoke all other sessions at the top of the section
- The confirmation dialog displays how many sessions will be terminated
- Confirm to revoke every session except your current one
The button is hidden when only your current session exists.
A revoked session may continue to work for up to 30 seconds on the revoked device. This is the maximum age of the server-side session cache; the lag cannot be reduced without affecting performance.
Every session deletion is recorded in the server logs with the associated user and session identifiers, so administrators can audit revocation events through log search.
Project Roles & Permissions
Assign granular roles at the project level to give organization Members specific access to individual projects.
Role Hierarchy
| Role | View | Use | Edit |
|---|---|---|---|
| Project Admin | ✓ | ✓ | ✓ |
| Project Member | ✓ | ✓ | ✗ |
| Project Viewer | ✓ | ✗ | ✗ |
Permission Breakdown
| Permission | What it allows |
|---|---|
| View | See project configuration, agents, and settings (read-only) |
| Use | Invoke agents, create API keys, view traces |
| Edit | Modify agents, tools, credentials, project settings, and evaluations (test suites, evaluators, configs) |
Managing Project Members
- Navigate to your project
- Go to Members
- Search for members by email and select one or more to add
- Choose a role for the selected members and click Add
Organization Admins always have full access to all projects, regardless of project-level roles.
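The following is an added example, not Inkeep's code, showing how the two layers described above combine into a single authorization decision: an Organization Admin bypasses project roles, an organization Member is limited to the permission set of their project role, and a Member with no project role gets nothing. The operation names (for example `apikey.create`) and the `isAllowed` function are assumptions chosen for illustration; the permission mapping follows the Role Hierarchy and Permission Breakdown tables.

```typescript
// Added example (not Inkeep's code): an authorization resolver modelling
// organization roles + project roles as described on this page.
type OrgRole = "admin" | "member";
type ProjectRole = "project_admin" | "project_member" | "project_viewer";
type Permission = "view" | "use" | "edit";

// Role hierarchy: each project role grants a fixed set of permissions.
const PROJECT_ROLE_PERMISSIONS: Record<ProjectRole, ReadonlySet<Permission>> = {
  project_admin: new Set<Permission>(["view", "use", "edit"]),
  project_member: new Set<Permission>(["view", "use"]),
  project_viewer: new Set<Permission>(["view"]),
};

// Permission breakdown: which permission each concrete operation requires.
// Operation names are assumed for this example.
const OPERATION_PERMISSION: Readonly<Record<string, Permission | undefined>> = {
  "project.read": "view",
  "agent.invoke": "use",
  "apikey.create": "use",
  "trace.read": "use",
  "agent.edit": "edit",
  "credential.edit": "edit",
  "evaluation.edit": "edit",
};

interface Principal {
  userId: string;
  orgRole: OrgRole;
  // projectId -> role; absence means no project-level access at all.
  projectRoles: Record<string, ProjectRole | undefined>;
}

// Returns true when `principal` may perform `operation` in `projectId`.
function isAllowed(principal: Principal, projectId: string, operation: string): boolean {
  const required = OPERATION_PERMISSION[operation];
  if (required === undefined) return false; // unknown operation: deny by default
  // Organization Admins always have full access to every project.
  if (principal.orgRole === "admin") return true;
  const role = principal.projectRoles[projectId];
  if (role === undefined) return false; // Member with no role on this project
  return PROJECT_ROLE_PERMISSIONS[role].has(required);
}

// Constructed sample principals for a quick check.
const orgAdmin: Principal = { userId: "alice", orgRole: "admin", projectRoles: {} };
const viewer: Principal = { userId: "carol", orgRole: "member", projectRoles: { p1: "project_viewer" } };
console.log(isAllowed(orgAdmin, "p1", "credential.edit"), isAllowed(viewer, "p1", "agent.invoke"));
```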
User-Scoped vs Project-Scoped Resources
Certain resources can be configured with different scopes:
| Scope | Description |
|---|---|
| Project-scoped | Shared across all users in the project |
| User-scoped | Configured separately for each user |
Example: MCP Servers
MCP servers can be configured as either project-scoped or user-scoped:
| Use Case | Recommended Scope |
|---|---|
| Shared company tools (internal APIs, databases) | Project-scoped |
| Personal integrations (user's Slack, GitHub, email) | User-scoped |
| Services requiring per-user authorization | User-scoped |
| Tools where data should be separated by user | User-scoped |
You only configure a user-scoped MCP server once. Each user sees the same server but connects with their own credentials. The framework automatically manages the per-user authentication.
To select the scope, go to MCP Servers → create a server → select the scope.
See MCP Servers for more details.