Workspaces & Teams
A workspace is the top-level organizational unit in RedStick AI. It contains projects, team members, and billing.
Workspace Setup
Each workspace has:
- Name — Display name for the workspace
- Slug — URL identifier (e.g., my-team in /w/my-team/), immutable after creation
- Plan — Free, Pro, Team, or Business (see Billing & Plans)
- MFA enforcement — Owners and admins can require all members to enable multi-factor authentication via Settings > Security (see Workspace Security Settings)
Team Roles
Every workspace member has one of three roles:
| Role | Description |
|---|---|
| Owner | Full control — billing, team management, all permissions. One owner per workspace. |
| Admin | All permissions except billing. Can manage team members and project settings. |
| Member | Can create and view tasks. Limited project and configuration access by default. |
Default Permission Matrix
| Permission | Owner | Admin | Member |
|---|---|---|---|
| execution:create | Yes | Yes | Yes |
| execution:cancel | Yes | Yes | No |
| execution:view | Yes | Yes | Yes |
| project:create | Yes | Yes | No |
| project:delete | Yes | Yes | No |
| project:settings | Yes | Yes | No |
The permission matrix is fixed and the same for every workspace. See Permissions for details.
Inviting Team Members
Owners and admins can invite new members:
- Go to Settings > Team & Billing from the sidebar
- On the Members tab, enter the invitee's email and select a role, then click Invite
- The invitee receives an email invitation valid for 7 days
Note: Owners can invite members or admins. Admins can only invite members.
Invitation Management
- Resend — Send the invitation email again
- Revoke — Cancel a pending invitation
- Expired invitations must be re-created
Invitations appear in the audit log when sent, accepted, or revoked.
Managing Members
From Settings > Team & Billing, owners and admins can view all members with their roles and join dates. Role changes and removals are subject to the following restrictions:
- Change roles — Owners can promote or demote admins and members. Admins can only change a member's role to member. Ownership cannot be transferred via the UI.
- Remove members — Owners can remove any non-owner member. Admins can only remove members (not other admins).
Plan requirement: Changing member roles requires a paid plan with the Admin RBAC feature (has_admin_rbac). On the Free plan the role-change action returns a 402 and prompts an upgrade.
Role changes and member removals are recorded in the audit log.
Workspace Security Settings
Admins and owners can enforce MFA for all workspace members from Settings > Security in the sidebar. When enforcement is enabled, members who have not yet enrolled in MFA are blocked from accessing the workspace until they complete enrollment.
The Security sidebar link is hidden for members (only admins and owners see it in the navigation), but the /security route itself has no role guard — any authenticated workspace member who navigates to the URL directly can reach the page. The backend enforces admin role only on the write endpoint that saves MFA enforcement changes.
Audit Log
The workspace audit log tracks security-relevant events:
| Event | Description |
|---|---|
| login_success | Successful login |
| login_failed | Failed login attempt |
| logout | User logout |
| signup | New account creation |
| password_changed | Password change |
| password_reset_requested | Password reset initiated |
| password_reset_completed | Password reset completed |
| profile_updated | Profile information changed |
| email_verified | Email address verified |
| invitation_sent | Team invitation sent |
| invitation_resent | Invitation resent |
| invitation_accepted | Invitation accepted |
| invitation_revoked | Invitation revoked |
| member_role_changed | Role change |
| member_removed | Member removed |
| ssh_key_generated | SSH key generated |
| ssh_key_imported | SSH key imported |
| ssh_key_deleted | SSH key deleted |
| impersonation_start | Admin impersonation started |
| impersonation_end | Admin impersonation ended |
| mfa_enrollment_started | MFA enrollment initiated |
| mfa_enrolled | MFA enrollment confirmed |
| mfa_disabled | MFA disabled |
| mfa_verified | MFA code verified |
| mfa_verify_failed | MFA verification failed |
| mfa_verify_locked | MFA verification locked out |
| mfa_backup_used | MFA backup code used |
| mfa_backup_regenerated | MFA backup codes regenerated |
Access the audit log from Settings > Audit Log in the sidebar. This page requires Admin role or higher and is available on paid plans (the menu entry is hidden on the Free plan). Filter by event type using the dropdown at the top of the page.
Tamper Detection
The audit log is protected by an HMAC chain: each entry is signed using the previous entry's hash, forming a linked integrity chain.
- Verify Integrity — A button always visible at the top of the Audit Log page. Checks the entire HMAC chain and reports any broken or tampered entries.
- Repair Chain — Appears inside the verify result alert only when the chain is found to be invalid. Re-signs the chain from the point of breakage. Use this after deliberate data corrections (e.g., a support-driven database fix) to restore a clean chain.
Both actions are restricted to Admin role or higher.
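The HMAC chain, Verify Integrity, and Repair Chain described above, as an added Python example (not RedStick AI's own code). The entry fields (ts, event, actor, prev_hash, hash), the all-zero genesis value, and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry

def _mac(key, prev_hash, entry):
    # MAC over the previous hash plus a canonical encoding of the event fields,
    # so editing, deleting or reordering a row invalidates the link to it.
    body = json.dumps({k: entry[k] for k in ("ts", "event", "actor")}, sort_keys=True)
    return hmac.new(key, (prev_hash + body).encode(), hashlib.sha256).hexdigest()

def append(key, log, ts, event, actor):
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"ts": ts, "event": event, "actor": actor, "prev_hash": prev}
    entry["hash"] = _mac(key, prev, entry)
    log.append(entry)

def verify(key, log):
    """Return indexes of entries whose link or MAC does not check out."""
    broken, prev = [], GENESIS
    for i, entry in enumerate(log):
        expected = _mac(key, entry["prev_hash"], entry)
        if entry["prev_hash"] != prev or not hmac.compare_digest(expected, entry["hash"]):
            broken.append(i)
        prev = entry["hash"]
    return broken

def repair(key, log):
    """Re-sign from the first broken entry onward; return its index, or -1."""
    broken = verify(key, log)
    if not broken:
        return -1
    start = broken[0]
    prev = log[start - 1]["hash"] if start else GENESIS
    for entry in log[start:]:
        entry["prev_hash"] = prev
        entry["hash"] = _mac(key, prev, entry)
        prev = entry["hash"]
    return start

def demo():
    # Constructed sample events; only the event names come from the table above.
    key, log = b"constructed-demo-key", []
    append(key, log, "2024-01-01T10:00:00Z", "login_success", "alice@example.com")
    append(key, log, "2024-01-01T10:05:00Z", "member_role_changed", "alice@example.com")
    append(key, log, "2024-01-01T10:09:00Z", "mfa_disabled", "bob@example.com")
    log[1]["event"] = "profile_updated"  # simulated out-of-band database edit
    return verify(key, log), repair(key, log), verify(key, log)
```

Because repair re-signs whatever is currently stored, a repaired chain attests only to the state after the repair; review each repair against the correction that prompted it.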