Members and roles

Invite team members to the WorkOS dashboard, manage invitations, and assign roles.

Members

The members page lists everyone on your team, along with their role, multi-factor authentication (MFA) status, and when they were last active. You can search by name or email, and filter by role or invitation status.

All members can view the list. Inviting, removing, and changing members requires the Admin role.

Invite a team member

Admins can invite new members with the Invite team member button. An invitation needs:

Email address: where the invitation is sent.
Role: the role the member will have when they join.
First and last name: optional.

A user can only belong to one team. If the email address already belongs to a member of your team – or of another team – the invitation is rejected with an error.

Invitation lifecycle

The invited user receives an email with a link to join your team. Until they accept, they appear in the members list with an Invite pending badge.

Invitations expire after 7 days. Expired invitations show an Invite expired badge, and admins can send a fresh invitation with the Resend invitation action in the member’s row menu. Resending is only available once the original invitation has expired.

Rescind an invitation

To rescind an invitation before it is accepted, use the Revoke access action in the invited member’s row menu. This removes the pending membership; the invitation link no longer grants access. You can invite the same person again later.

Remove a member

Admins can remove an active member with the Revoke access action in the member’s row menu. The dialog asks you to type the member’s email address to confirm. Removal takes effect immediately, and the member must be invited again to restore access.

Members provisioned through directory provisioning can’t be removed from the dashboard – their access is managed by your identity provider. Remove them from the synced directory instead.

Change a member’s role

Admins can change a member’s role with the Change role action in the member’s row menu.

If the member is managed by directory provisioning and belongs to an identity provider group mapped to a role, the change may be overridden on the next directory sync.

Reset a member’s MFA

If a member loses access to their authenticator, an admin can clear their enrollment with the Reset multi-factor authentication action in the member’s row menu. The member is prompted to enroll again at their next sign-in if your team requires MFA.

Roles

Every member has one of five roles:

Role	Description
Admin	Can invite, configure environments, and manage resources
Developer	Can configure environments and manage resources
Sandbox Developer	Can manage staging environments, read-only in production
Support	Can only manage users and organizations
Support Viewer	Read-only access to users and organizations

Read-only roles

Sandbox Developer and Support Viewer are read-only variants of Developer and Support:

Sandbox Developer sees the same parts of the dashboard as a Developer and can make changes in staging environments, but is read-only in production. Use it for engineers who need to build and test against WorkOS without the ability to change production configuration.
Support Viewer sees the same parts of the dashboard as Support, but can’t make any changes. Use it for support staff who need to look up users and organizations without modifying them.

A read-only role never has access to anything its base role lacks – it is strictly a more restrictive version of the same role.

What each role can do

Full accessFull access

Full access in staging, read-only in productionFull access in staging, read-only in production

Read-only accessRead-only access

No accessNo access

Action	Admin	Developer	Sandbox Developer	Support	Support Viewer
Manage team authentication	Full access	No access	No access	No access	No access
Manage team details	Full access	Read-only access	Read-only access	Read-only access	Read-only access
Manage team members	Full access	Read-only access	Read-only access	Read-only access	Read-only access
Manage team billing	Full access	Full access	Read-only access	No access	No access
Manage API keys	Full access	Full access	Full access in staging, read-only in production	No access	No access
Manage roles	Full access	Full access	Full access in staging, read-only in production	No access	No access
Manage environment features	Full access	Full access	Full access in staging, read-only in production	No access	No access
Impersonate sessions *	Full access	Full access	Full access in staging, read-only in production	Full access	No access
Manage users and organizations	Full access	Full access	Full access in staging, read-only in production	Full access	Read-only access
Manage connections and directories	Full access	Full access	Full access in staging, read-only in production	Full access	Read-only access

* Sandbox Developers can impersonate sessions in staging environments only. There is no read-only equivalent in production.

Your team always needs at least one Admin. If your members are provisioned from a directory, keep at least one user in a group mapped to the Admin role to avoid losing admin access.

BillingManage your payment method and billing email, view invoices, and track usage in the WorkOS dashboard

Up next