Members and roles
Invite team members to the WorkOS dashboard, manage invitations, and assign roles.
The members page lists everyone on your team, along with their role, multi-factor authentication (MFA) status, and when they were last active. You can search by name or email, and filter by role or invitation status.
All members can view the list. Inviting, removing, and changing members requires the Admin role.
Admins can invite new members with the Invite team member button. An invitation needs:
- Email address: where the invitation is sent.
- Role: the role the member will have when they join.
- First and last name: optional.
A user can only belong to one team. If the email address already belongs to a member of your team – or of another team – the invitation is rejected with an error.
The invited user receives an email with a link to join your team. Until they accept, they appear in the members list with an Invite pending badge.
Invitations expire after 7 days. Expired invitations show an Invite expired badge, and admins can send a fresh invitation with the Resend invitation action in the member’s row menu. Resending is only available once the original invitation has expired.
To rescind an invitation before it is accepted, use the Revoke access action in the invited member’s row menu. This removes the pending membership; the invitation link no longer grants access. You can invite the same person again later.
Admins can remove an active member with the Revoke access action in the member’s row menu. The dialog asks you to type the member’s email address to confirm. Removal takes effect immediately, and the member must be invited again to restore access.
Members provisioned through directory provisioning can’t be removed from the dashboard – their access is managed by your identity provider. Remove them from the synced directory instead.
Admins can change a member’s role with the Change role action in the member’s row menu.
If the member is managed by directory provisioning and belongs to an identity provider group mapped to a role, the change may be overridden on the next directory sync.
If a member loses access to their authenticator, an admin can clear their enrollment with the Reset multi-factor authentication action in the member’s row menu. The member is prompted to enroll again at their next sign-in if your team requires MFA.
Every member has one of five roles:
| Role | Description |
|---|---|
| Admin | Can invite, configure environments, and manage resources |
| Developer | Can configure environments and manage resources |
| Sandbox Developer | Can manage staging environments, read-only in production |
| Support | Can only manage users and organizations |
| Support Viewer | Read-only access to users and organizations |
Sandbox Developer and Support Viewer are read-only variants of Developer and Support:
- Sandbox Developer sees the same parts of the dashboard as a Developer and can make changes in staging environments, but is read-only in production. Use it for engineers who need to build and test against WorkOS without the ability to change production configuration.
- Support Viewer sees the same parts of the dashboard as Support, but can’t make any changes. Use it for support staff who need to look up users and organizations without modifying them.
A read-only role never has access to anything its base role lacks – it is strictly a more restrictive version of the same role.
Your team always needs at least one Admin. If your members are provisioned from a directory, keep at least one user in a group mapped to the Admin role to avoid losing admin access.