Teams & User Management

Xerotier.ai uses role-based access control (RBAC) to manage who can do what within your projects. Every project has a team, and each team member is assigned a role that determines their permissions.

Overview

Xerotier.ai organizes access around a project-team model. Every project has exactly one team, and users join a project by being added to its team. Access control operates at two layers:

  • System-level roles: Determine platform-wide capabilities (admin vs operator)
  • Project-level roles: Determine what a user can do within a specific project (owner vs member)

Note: A user can hold different roles in different projects. You might be an owner in one project and a member in another. Roles are scoped per project, not globally.

Roles & Permissions

System-Level Roles

System-level roles control access to platform administration features.

Role Description Capabilities
Admin Platform administrator Full access to admin panel, user management, system settings, audit logs, and all projects
Operator Standard user Access only to projects where they are a team member

Project-Level Permissions

Within each project, team members are either an owner or a member. The table below shows what each role can do.

Capability Owner Member
View team members Yes Yes
Use inference endpoints Yes Yes
View models and agents Yes Yes
Manage team members Yes No
Manage invitations Yes No
Project settings Yes No
Billing management Yes No
API key management Yes No
Manage agents Yes No
Manage endpoints Yes No

Team Management

Inviting Members

Project owners can invite users to join their team. The invitation flow depends on whether the user already has a Xerotier.ai account:

  • Existing user: The user is added to the project team immediately and can access the project on their next login.
  • New user: A PendingInvitation is created. When the invited email address registers an account, they are automatically added to the project team.

Tip: You can invite users before they have created an account. The invitation will be fulfilled automatically when they register with the invited email address.

Changing Roles

Owners can change the role of other team members between owner and member. Two safety rules apply:

  • Self-demotion blocked: You cannot change your own role. Another owner must do it.
  • Last-owner protection: The last remaining owner cannot be demoted. Promote another member to owner first.

Removing Members

Owners can remove other members from the project team. Two safety rules apply:

  • Self-removal blocked: You cannot remove yourself from the team.
  • Last-owner protection: The last remaining owner cannot be removed. Transfer ownership first.

Revoking Invitations

Owners can revoke pending invitations that have not yet been accepted. Once revoked, the invitation link is invalidated and the email address will not be auto-added on registration.

Access Control

The following table lists the team management API endpoints and the role required to access each one.

Endpoint Method Required Role
/team GET Any member
/team/api/members GET Any member
/team/api/invitations GET Owner
/team/members POST Owner
/team/members/:userId/role POST Owner
/team/members/:userId DELETE Owner
/team/invitations/:id DELETE Owner

API Examples

List Team Members

curl
curl https://xerotier.ai/team/api/members \ -H "Authorization: Bearer xero_my-project_abc123"
Python
import requests headers = {"Authorization": "Bearer xero_my-project_abc123"} response = requests.get( "https://xerotier.ai/team/api/members", headers=headers ) for member in response.json(): print(f"{member['email']} - {member['role']}")
Node.js
const response = await fetch( "https://xerotier.ai/team/api/members", { headers: { "Authorization": "Bearer xero_my-project_abc123" } } ); const members = await response.json(); members.forEach(m => console.log(`${m.email} - ${m.role}`));

Invite a Team Member

curl
curl -X POST https://xerotier.ai/team/members \ -H "Authorization: Bearer xero_my-project_abc123" \ -H "Content-Type: application/json" \ -H "X-CSRF-Token: your-csrf-token" \ -d '{"email": "newuser@example.com", "role": "member"}'
Python
import requests headers = { "Authorization": "Bearer xero_my-project_abc123", "Content-Type": "application/json", "X-CSRF-Token": "your-csrf-token" } response = requests.post( "https://xerotier.ai/team/members", headers=headers, json={"email": "newuser@example.com", "role": "member"} ) print(response.json())
Node.js
const response = await fetch( "https://xerotier.ai/team/members", { method: "POST", headers: { "Authorization": "Bearer xero_my-project_abc123", "Content-Type": "application/json", "X-CSRF-Token": "your-csrf-token" }, body: JSON.stringify({ email: "newuser@example.com", role: "member" }) } ); const data = await response.json(); console.log(data);

API Key Security

API keys authenticate inference requests to your project endpoints. Xerotier.ai uses several layers of protection to keep your keys secure.

  • 256-bit random generation: Keys are generated using 32 bytes of cryptographically secure random data, providing 256 bits of entropy.
  • SHA-256 hash storage: The raw key is never stored. Only a SHA-256 hash is persisted in the database. The full key is shown once at creation time.
  • Scoped permissions: Each key can be restricted to specific permission scopes: inference, models, or admin.
  • Endpoint restriction: Keys can be locked to specific endpoints, preventing use on other endpoints within the same project.
  • IP allowlist/blocklist: Keys support optional IP address filtering to restrict which networks can use them.

Important: Copy your API key immediately after creation. It cannot be retrieved later because only the hash is stored.

Audit Trail

All team management actions are recorded in the project audit log. The following events are tracked:

Audit Action Description
team_member_added A user was added to the project team
team_member_role_changed A team member's role was changed (owner/member)
team_member_removed A user was removed from the project team
pending_invitation_revoked A pending invitation was cancelled before acceptance
api_key_created A new API key was generated
api_key_rotated An existing API key was rotated (old key invalidated)
api_key_revoked An API key was permanently revoked

Encryption: Audit log entries are encrypted at rest using AES-256-GCM. Only authorized users with the appropriate decryption key can view detailed audit data.

Security Practices

Xerotier.ai enforces several security measures to protect your team and project:

  • Session destruction on suspension: When a user account is suspended by an admin, all active sessions are immediately invalidated.
  • CSRF protection: All state-changing requests require a valid CSRF token, preventing cross-site request forgery attacks.
  • Password change invalidates sessions: Changing your password automatically destroys all existing sessions, forcing re-authentication on all devices.
  • Optional TOTP two-factor authentication: Users can enable time-based one-time password (TOTP) 2FA for an additional layer of login security.
  • Principle of least privilege: Members receive only the permissions they need. Use the member role for users who only need inference access.
  • Multiple owners for redundancy: Promote at least two team members to the owner role to avoid single points of failure for administrative tasks.

Project Quotas

Each project has configurable resource quotas that control rate limiting and storage allocation. Quotas are managed by project owners and can override the defaults set by your subscription tier.

Quota Description Default
maxRequestsPerMinute Maximum inference requests allowed per minute Tier default
maxConcurrentRequests Maximum simultaneous inference requests Tier default
burstLimit Short burst allowance above the per-minute rate Tier default
storageQuotaGB Maximum model storage in gigabytes 4 GB (free) / 500 GB (premium)

When a project exceeds its rate limits, the isRateLimited flag is set and subsequent requests receive a 429 (Too Many Requests) response until the rate drops below the limit.

Team Billing Context

Billing is managed at the project level. Key billing fields on each project include:

  • creditsBalance: Available credits for per-token inference billing
  • accountTier: Free or Premium, determines default quotas and storage limits
  • tierId: Service tier identifier for pricing and feature access
  • isDelinquent: Set when credit balance is exhausted and usage continues
  • status: Active or Suspended -- suspended projects cannot process inference requests

See Billing & Subscriptions for details on managing your plan, and Usage Tracking & Billing for cost monitoring.

Frequently Asked Questions

Can a user belong to multiple projects?

Yes. A single Xerotier.ai account can be a member of multiple projects, each with an independent role. You might be an owner in your primary project and a member in a collaborator's project.

What happens when I invite someone who does not have an account?

A pending invitation is created for that email address. When the person registers with that email, they are automatically added to your project team with the role you specified. You can revoke the invitation at any time before they register.

Can a project have multiple owners?

Yes, and it is recommended. Having multiple owners ensures that administrative tasks (billing, settings, member management) are not blocked if one owner is unavailable. There is no limit on the number of owners.

What happens to a suspended user's sessions?

When an admin suspends a user account, all of that user's active sessions are immediately destroyed. The user is logged out on all devices and cannot create new sessions until the suspension is lifted.

How are API keys protected?

API keys are generated with 256 bits of cryptographic randomness and only the SHA-256 hash is stored in the database. The full key is displayed once at creation time and cannot be recovered. Keys can be scoped to specific permissions, restricted to specific endpoints, and filtered by IP address.