Access Control

Multi-tenant authentication with organizations, team management, and fine-grained project permissions

The Inkeep Agent Framework provides two layers of access control:

Layer	What it does
Authentication	Users sign in, belong to organizations, manage teams
Authorization	Fine-grained project-level roles and permissions

Authentication handles user sign-in and organization membership. Authorization adds granular control over who can do what within each project.

Note

For deployment configuration including OAuth providers, see Authentication Setup.

Method	Description
Email & Password	Default sign-in with email and password credentials
Google	OAuth sign-in (requires configuration)

To add Google sign-in, see Adding OAuth Providers.

Organizations & Team Management

Each organization operates as an isolated tenant:

Separate workspaces: Each organization has its own projects, agents, MCP servers, and credentials
Team collaboration: Multiple users can belong to the same organization
Role-based access: Team members have different permission levels

Organization Roles

Role	Permissions
Admin	Full access to all projects and settings, can add members
Member	Access determined by project-level roles

Inviting Team Members

Go to Settings in the left sidebar
View current members and their roles
Click Invite to invite a new team member
Enter the member's email and select a role (Admin or Member)
Click Send Invitation

If email is enabled for your tenant, the invited user receives a branded email with a link to accept the invitation and set up their account. The invitation expires after 7 days.

If email is not configured, the invitation link is displayed directly in the UI — copy and share it manually with the team member.

Tip

For self-hosted deployments, email requires SMTP configuration. See Configure Email for setup instructions.

Password Reset

If email is enabled for your tenant, users can reset their password through a self-service flow:

On the sign-in page, click Forgot password?
Enter the email address associated with your account
Check your inbox for a password reset link
Click the link and set a new password

The reset link expires after 30 minutes. If you don't receive the email, check your spam folder.

If email is not configured for your tenant, contact your organization administrator to reset your password.

Project Roles & Permissions

Assign granular roles at the project level to give organization Members specific access to individual projects.

Role Hierarchy

Role	View	Use	Edit
Project Admin	✓	✓	✓
Project Member	✓	✓	✗
Project Viewer	✓	✗	✗

Permission Breakdown

Permission	What it allows
View	See project configuration, agents, and settings (read-only)
Use	Invoke agents, create API keys, view traces
Edit	Modify agents, tools, credentials, project settings, and evaluations (datasets, evaluators, configs)

Managing Project Members

Navigate to your project
Go to Members
Search for members by email and select one or more to add
Choose a role for the selected members and click Add

Tip

Organization Admins always have full access to all projects, regardless of project-level roles.

User-Scoped vs Project-Scoped Resources

Certain resources can be configured with different scopes:

Scope	Description
Project-scoped	Shared across all users in the project
User-scoped	Configured separately for each user

Example: MCP Servers

MCP servers can be configured as either project-scoped or user-scoped:

Use Case	Recommended Scope
Shared company tools (internal APIs, databases)	Project-scoped
Personal integrations (user's Slack, GitHub, email)	User-scoped
Services requiring per-user authorization	User-scoped
Tools where data should be separated by user	User-scoped

Tip

You only configure a user-scoped MCP server once. Each user sees the same server but connects with their own credentials. The framework automatically manages the per-user authentication.

To select the scope, go to MCP Servers → create a server → select the scope.

See MCP Servers for more details.

On this page