Skip to content

Team & roles

MicroApps accounts are not single-player. You can invite other people, and control what each of them can do with roles.

Owner and members

  • The Owner is whoever created the account. There is exactly one, and they can do everything. No permissions to configure, no role to assign - it is implicit.
  • Everyone you invite is a Member. A member can do exactly what their assigned role allows, and nothing else.

If you are a solo builder, you are the Owner and you will never think about any of this. It is here for when you are not solo.

Roles bundle permissions

A role is a named set of permissions - small resource:action grants like pods:read or billing:pay. Instead of ticking dozens of boxes per person, you build a role once ("Deployer", "Support handler", "Read-only auditor") and assign it.

Roles apply in two places:

  • Members - each member has one role that defines their access.
  • API keys - a key carries a set of permissions too, drawn from what its creator can do. Same permission model, different kind of credential.

System roles

Every account comes with four ready-made roles you can assign right away:

RoleFor
Full accessA trusted teammate who can do everything except manage the team, roles, and account settings.
DeveloperSomeone who ships: full control of pods, networking, domains, snapshots, and backups, plus read-only email and activity log.
Read-onlyAuditors, stakeholders, anyone who should look but not touch.
BillingThe person who handles money and invoices, and not much else.

These four are read-only - you can assign them but not edit them. When they do not fit, create your own custom role with exactly the permissions you want.

Sensitive actions

Most permissions are routine. A few deserve a second thought before you hand them out:

  • Open a pod shell (pods:console) - full terminal access inside a pod.
  • Manage SSL (domains:ssl) - issue and change certificates for your domains.
  • Pay (billing:pay) - top up credit, which means spending money.

Keep these on the roles that genuinely need them.

See also

  • Team & roles API - the endpoints, the full permission catalogue, and the exact grants in each system role.
  • Team & roles guide - a walkthrough from the console.
  • API keys - how automation credentials inherit these same permissions.

Built for the long tail.