Appearance
Team & roles
MicroApps accounts are not single-player. You can invite other people, and control what each of them can do with roles.
Owner and members
- The Owner is whoever created the account. There is exactly one, and they can do everything. No permissions to configure, no role to assign - it is implicit.
- Everyone you invite is a Member. A member can do exactly what their assigned role allows, and nothing else.
If you are a solo builder, you are the Owner and you will never think about any of this. It is here for when you are not solo.
Roles bundle permissions
A role is a named set of permissions - small resource:action grants like pods:read or billing:pay. Instead of ticking dozens of boxes per person, you build a role once ("Deployer", "Support handler", "Read-only auditor") and assign it.
Roles apply in two places:
- Members - each member has one role that defines their access.
- API keys - a key carries a set of permissions too, drawn from what its creator can do. Same permission model, different kind of credential.
System roles
Every account comes with four ready-made roles you can assign right away:
| Role | For |
|---|---|
| Full access | A trusted teammate who can do everything except manage the team, roles, and account settings. |
| Developer | Someone who ships: full control of pods, networking, domains, snapshots, and backups, plus read-only email and activity log. |
| Read-only | Auditors, stakeholders, anyone who should look but not touch. |
| Billing | The person who handles money and invoices, and not much else. |
These four are read-only - you can assign them but not edit them. When they do not fit, create your own custom role with exactly the permissions you want.
Sensitive actions
Most permissions are routine. A few deserve a second thought before you hand them out:
- Open a pod shell (
pods:console) - full terminal access inside a pod. - Manage SSL (
domains:ssl) - issue and change certificates for your domains. - Pay (
billing:pay) - top up credit, which means spending money.
Keep these on the roles that genuinely need them.
See also
- Team & roles API - the endpoints, the full permission catalogue, and the exact grants in each system role.
- Team & roles guide - a walkthrough from the console.
- API keys - how automation credentials inherit these same permissions.