Roles & Permissions
The six team roles, what each can do, and how protected environments change secret access.
Every team member has exactly one role. Roles control three things: secret access (read/write, per environment), team management (members, settings, API tokens), and billing. Use this page to pick the least-privileged role that covers what a member needs.
The Six Roles
| Role | Summary |
|---|---|
| Owner | Full access including team deletion and ownership transfer |
| Admin | Full access to secrets, environments, and team management |
| Developer | Read/write secrets in non-protected environments, read-only in protected |
| Operator | Read-only access to all environments including protected |
| Viewer | Read-only access to non-protected environments |
| Billing | Billing management only — no access to secrets |
Permission Matrix
Secrets
| Role | Non-Protected Environments | Protected Environments |
|---|---|---|
| Owner | Read/Write | Read/Write |
| Admin | Read/Write | Read/Write |
| Developer | Read/Write | Read-only |
| Operator | Read-only | Read-only |
| Viewer | Read-only | No access |
| Billing | No access | No access |
“Write” covers creating, updating, deleting, and rotating secrets, plus environment rollback.
Team and Account Management
| Capability | Owner | Admin | Developer | Operator | Viewer | Billing |
|---|---|---|---|---|---|---|
| Manage members, invites, and team settings | Yes | Yes | No | No | No | No |
| Create, rotate, and revoke API tokens | Yes | Yes | No | No | No | No |
| Manage billing (checkout, portal, billing email) | Yes | Yes | No | No | No | Yes |
| Transfer team ownership | Yes | No | No | No | No | No |
| Delete the team | Yes | No | No | No | No | No |
Protected Environments
Any environment can be marked protected in its settings. In a newly created project, production is protected by default.
Protection restricts writes to owners and admins and narrows read access:
- Developer — keeps read access, loses write access
- Operator — read access everywhere is unchanged (already read-only)
- Viewer — loses access entirely (protected environments are hidden)
Use protection for any environment where an accidental change has production impact.
Assigning Roles
- Roles are assigned when inviting a member and can be changed later from the team page by an owner or admin
- The default role for a new invite is developer
- Owner is not assignable. Every team has exactly one owner — the assignable roles are admin, developer, operator, viewer, and billing
Ownership Transfer
The owner can transfer ownership to another member from the team settings. After the transfer, the previous owner becomes an admin, and the change is recorded in the audit log as a team.ownership_transferred event.
Deactivated Members
A deactivated member keeps their role but loses all access — secret reads and writes, team management, and billing — until reactivated. Deactivation and reactivation are recorded in the audit log.
API Tokens Are Not Role-Scoped
API tokens do not carry a member role. A token grants read/write access to the secrets of its team, optionally narrowed to specific projects and environments. Only owners and admins can create or manage tokens.