Team RBAC
Wrapd teams use role-based access control (RBAC) to manage what each team member can do. All resources — endpoints, agents, secrets, pipelines, API keys — belong to the team owner. Members access them based on their assigned role.
| Role | Description |
|---|---|
| Owner | Full control over all resources, billing, and team management |
| Admin | Same as owner, except cannot manage billing or transfer ownership |
| Member | Can view and execute endpoints/pipelines, create their own API keys |
Permission matrix
| Resource | Owner | Admin | Member |
|---|---|---|---|
| Endpoints | Create, read, update, delete | Create, read, update, delete | Execute only |
| Agents | Full management | Full management | View status |
| Secrets | Full management | Full management | No access |
| Pipelines | Create, read, update, delete | Create, read, update, delete | Execute only |
| API Keys | Full management | Full management | Own keys only |
| Audit Logs | View all | View all | View own actions |
| Billing | Full management | View only | No access |
| Alerts | Full management | Full management | View only |
| Tunnels | Open and close | Open and close | View only |
| SSO | Configure | Configure | No access |
How it works
When a user logs in, the API resolves their team context automatically:
- Solo users (not in a team): full owner access to their own resources
- Team owners: full access, all resources belong to them
- Team members: access the owner’s resources filtered by role permissions
This means:
- A member sees the same endpoint list as the owner — they just can’t edit them
- When a member creates an API key, it’s scoped to the team owner’s resources but tracked as created by the member
- Audit logs record both the resource owner and the person who performed the action
API keys for members
Members can create their own API keys to execute endpoints. These keys:
- Are tied to the team owner’s account (they can execute the owner’s endpoints)
- Are tracked via `created_by` — the owner/admin can see who created each key
- Are automatically revoked when the member is removed from the team
Members can only see, rotate, and revoke keys they created themselves. Owners and admins can manage all keys.
Dashboard behavior
The dashboard automatically adapts based on the user’s role:
- Create/Edit/Delete buttons are hidden for members where they lack permission
- Secrets page is hidden from the sidebar for members
- Billing page hides upgrade buttons for non-owners
- All restrictions are enforced server-side — the UI changes are cosmetic safety nets
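The matrix and the server-side enforcement described above, as an added example (not Wrapd's code): a deny-by-default check covering four of the matrix rows, with team-context resolution and the own-keys rule for members. The action names, function names, and every record field other than `created_by` are assumptions.

```python
# Illustrative sketch only, not Wrapd's implementation. Action names and
# all identifiers except `created_by` are assumptions made for the example.
from dataclasses import dataclass
from typing import Optional

CRUD = {"create", "read", "update", "delete"}
KEYS = {"create", "read", "rotate", "revoke"}

# Constructed encoding of four matrix rows; anything absent is denied.
MATRIX = {
    "owner": {"endpoints": CRUD | {"execute"}, "secrets": CRUD,
              "api_keys": KEYS, "billing": {"read", "manage"}},
    "admin": {"endpoints": CRUD | {"execute"}, "secrets": CRUD,
              "api_keys": KEYS, "billing": {"read"}},
    # Members get no "secrets" or "billing" entry at all; the own-keys
    # restriction on "api_keys" is applied per record in authorize().
    "member": {"endpoints": {"read", "execute"}, "api_keys": KEYS},
}

@dataclass(frozen=True)
class Context:
    user_id: str   # person performing the action (goes in the audit log)
    owner_id: str  # account that owns every resource this user can reach
    role: str

def resolve_context(user_id: str, membership: Optional[dict]) -> Context:
    """Solo users are owners of their own resources; team members act on
    the team owner's resources with their assigned role."""
    if membership is None:
        return Context(user_id, user_id, "owner")
    return Context(user_id, membership["owner_id"], membership["role"])

def authorize(ctx: Context, resource: str, action: str,
              record: Optional[dict] = None) -> bool:
    """Deny by default: unknown roles, resources and actions all fail."""
    if action not in MATRIX.get(ctx.role, {}).get(resource, set()):
        return False
    if record is not None:
        # Tenant isolation: the record must belong to the resolved owner.
        if record.get("owner_id") != ctx.owner_id:
            return False
        # Members may only see, rotate and revoke keys they created.
        if ctx.role == "member" and resource == "api_keys":
            return record.get("created_by") == ctx.user_id
    return True
```

Calling a check like this on every API request, rather than relying on hidden buttons, is what makes the dashboard restrictions cosmetic.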
Inviting members
Team owners and admins can invite members via email:
- Go to Dashboard → Team
- Click Invite member
- Enter their email and select a role (admin or member)
- They’ll receive an email with a join link (expires in 7 days)
Tier inheritance
Team members inherit the team owner’s plan tier for feature access. If the owner is on the Team plan, all members get Team-tier features (MCP, Slack, scheduled endpoints, etc.) without their own subscription.