Roles & permissions
Projects have four roles. New invitees join as Viewer by default; the project owner upgrades them.
Permission matrix
| Role | Can | Cannot |
|---|---|---|
| Owner | Everything, including delete project and change billing. | — |
| Admin | Manage members, rules, keys, webhooks. Read all checks and users. | Delete project, change billing. |
| Member | Create and edit rules, manage keys, view all checks. | Manage members or billing. |
| Viewer | Read-only access to checks, users, rules. | Create, edit, or delete anything. |
Enforcement
Roles are enforced at the API layer. Mutation endpoints return 403 with error.code = "viewer_readonly" when the role doesn't permit the action. In the dashboard, mutation controls are hidden (not just disabled) for viewers.
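
Because hidden dashboard controls are not themselves enforcement, a regression check can call each mutation endpoint with a Viewer credential and confirm the documented response. The following is an added example, not code from this product. It assumes `error.code` is nested as `{"error": {"code": ...}}` in a JSON body. The endpoint paths, the `send` callable and the fake backend are constructed for illustration.

```python
# Added example: endpoint paths and the fake backend below are constructed,
# not taken from the product's API reference.
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def check_viewer_denied(send, endpoints):
    """Call each mutation endpoint with a Viewer credential.

    send(method, path) -> (status, body_dict) is supplied by the caller.
    Returns (method, path, reason) for every endpoint that did not answer
    403 with error.code == "viewer_readonly".
    """
    findings = []
    for method, path in endpoints:
        if method not in MUTATING_METHODS:
            continue  # reads are allowed for Viewer; only mutations are audited
        status, body = send(method, path)
        error = body.get("error") if isinstance(body, dict) else None
        code = error.get("code") if isinstance(error, dict) else None
        if status != 403:
            findings.append((method, path, f"expected 403, got {status}"))
        elif code != "viewer_readonly":
            findings.append((method, path, f"403 but error.code={code!r}"))
    return findings

# Constructed sample: hypothetical routes for a project.
SAMPLE_ENDPOINTS = [
    ("GET", "/rules"),
    ("POST", "/rules"),
    ("DELETE", "/keys/example"),
    ("POST", "/webhooks"),
]

def fake_backend(method, path):
    """Constructed stand-in for the API as seen with a Viewer key.

    One route is deliberately left unenforced to show what a finding looks like.
    """
    if method == "GET":
        return 200, {"data": []}
    if path == "/webhooks":
        return 201, {"id": "wh_example"}  # missing role check
    return 403, {"error": {"code": "viewer_readonly"}}

if __name__ == "__main__":
    for finding in check_viewer_denied(fake_backend, SAMPLE_ENDPOINTS):
        print(finding)
```

In a real run, `send` would wrap an HTTP client authenticated as a Viewer in a test project, and an empty result means every audited route returned the documented denial.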