Team & Collaborators
Invite team members to specific applications with scoped roles. Unlike platforms that give all-or-nothing workspace access, Bulwark lets you control exactly who can access which application and what they can do within it.
Roles
Every collaborator is assigned one role per application. Roles determine what the collaborator can see and do within that application's dashboard.
| Role | Description |
|------|-------------|
| Admin | Full access to all app settings, users, agents, and API keys. Can invite and manage other collaborators. |
| Developer | Can view data, manage agents and sessions, and view API keys (secret keys are read-only). Cannot manage users or change auth settings. |
| Viewer | Read-only access to dashboard analytics and audit logs. Cannot modify anything. |
Role comparison
| Capability | Admin | Developer | Viewer |
|-----------|-------|-----------|--------|
| View dashboard analytics | Yes | Yes | Yes |
| View audit logs | Yes | Yes | Yes |
| View sessions | Yes | Yes | Yes |
| Manage agents | Yes | Yes | No |
| Revoke sessions | Yes | Yes | No |
| View publishable keys | Yes | Yes | No |
| View secret keys (masked) | Yes | Read-only | No |
| Manage users | Yes | No | No |
| Change auth settings | Yes | No | No |
| Configure branding | Yes | No | No |
| Manage webhooks | Yes | No | No |
| Rotate API keys | Yes | No | No |
| Invite collaborators | Yes | No | No |
| Remove collaborators | Yes | No | No |
Inviting collaborators
Via the dashboard
- Navigate to Configure > Team in the sidebar
- Click Invite collaborator
- Enter the collaborator's email address
- Select a role (Admin, Developer, or Viewer)
- Click Send invite
An invite link is generated and displayed. Copy it and share it with the recipient directly. Email delivery for invitations is coming in a future release.
Via the API
```http
POST /api/v1/settings/collaborators/invite
Authorization: Bearer <admin-token>
X-Bulwark-Tenant: <tenant-id>
Content-Type: application/json

{
  "email": "[email protected]",
  "application_id": "app_01j...",
  "role": "developer"
}
```
Response
```json
{
  "id": "invite_01j...",
  "email": "[email protected]",
  "application_id": "app_01j...",
  "role": "developer",
  "invite_url": "https://app.bulwarkauth.com/invite/accept?token=inv_...",
  "expires_at": "2026-03-27T10:00:00Z"
}
```
Invite links expire after 7 days. After expiration, send a new invitation.
Accepting invites
When a recipient clicks the invite link:
- If they already have a Bulwark account, they sign in and are granted access immediately
- If they do not have an account, they create one during the flow
- After authentication, the application appears in their dashboard automatically
No manual approval step is required after clicking the link. Access is granted as soon as the recipient authenticates.
Managing access
Changing a collaborator's role
From the Configure > Team page, click the role dropdown next to a collaborator's name and select a new role. The change takes effect immediately.
Removing a collaborator
From the Configure > Team page, click Remove next to the collaborator. Access is revoked immediately — their next API request or page load will return 403 Forbidden.
Listing collaborators via API
```http
GET /api/v1/settings/collaborators?application_id=app_01j...
Authorization: Bearer <admin-token>
X-Bulwark-Tenant: <tenant-id>
```
Response
```json
{
  "data": [
    {
      "id": "collab_01j...",
      "user_id": "usr_01j...",
      "email": "[email protected]",
      "role": "developer",
      "joined_at": "2026-03-20T10:30:00Z"
    }
  ]
}
```
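The following is an added example, not part of Bulwark's documentation or SDK: a periodic access review that takes the JSON body returned by the listing endpoint above and flags collaborators whose role deviates from an approved baseline. The baseline, the sample data, and the lowercase `admin` and `viewer` role strings are assumptions (the API samples on this page only show `developer`).

```python
import json

# Privilege order of the three roles on this page. Only "developer" appears in
# the page's API samples; the lowercase "admin"/"viewer" strings are assumed.
ROLE_RANK = {"viewer": 0, "developer": 1, "admin": 2}

def review_collaborators(response_body, approved):
    """Return sorted (email, finding) pairs for access that deviates from
    `approved`, a dict mapping email -> highest role that person may hold."""
    baseline = {e.strip().lower(): r.lower() for e, r in approved.items()}
    findings, seen = [], set()
    for entry in json.loads(response_body)["data"]:
        email = entry["email"].strip().lower()
        role = entry["role"].lower()
        seen.add(email)
        if role not in ROLE_RANK:
            findings.append((email, f"unrecognized role {role}"))
        elif email not in baseline:
            findings.append((email, f"not in baseline, holds {role}"))
        elif ROLE_RANK[role] > ROLE_RANK[baseline[email]]:
            findings.append((email, f"{role} exceeds approved {baseline[email]}"))
    # Baseline entries with no matching collaborator: stale approvals to prune.
    for email in baseline.keys() - seen:
        findings.append((email, "approved but not a collaborator"))
    return sorted(findings)

# Constructed sample in the shape of the listing response (not real data).
SAMPLE_RESPONSE = json.dumps({"data": [
    {"id": "collab_a", "user_id": "usr_a", "email": "Dana@example.com",
     "role": "developer", "joined_at": "2026-03-20T10:30:00Z"},
    {"id": "collab_b", "user_id": "usr_b", "email": "lee@example.com",
     "role": "admin", "joined_at": "2026-03-21T09:00:00Z"},
    {"id": "collab_c", "user_id": "usr_c", "email": "contractor@example.net",
     "role": "viewer", "joined_at": "2026-03-22T14:15:00Z"},
]})

# Constructed baseline: who should have access, and at most which role.
APPROVED = {"dana@example.com": "developer", "lee@example.com": "viewer",
            "sam@example.com": "developer"}

if __name__ == "__main__":
    for email, finding in review_collaborators(SAMPLE_RESPONSE, APPROVED):
        print(f"{email}: {finding}")
```

Because accepted invites grant access without a manual approval step, running a review like this on a schedule catches roles that were granted or raised outside the approved list.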
Workspace admins vs. app collaborators
These are two distinct levels of access:
| | Workspace admin | App collaborator |
|---|----------------|-----------------|
| Scope | All applications in the workspace | Only the specific applications they are invited to |
| Created by | Workspace owner | Any application admin |
| Sees all apps | Yes | No — only invited apps appear in their dashboard |
| Can create apps | Yes | No |
| Can manage billing | Yes | No |
Workspace admins are the account owners and any users they promote to workspace-level admin status. App collaborators are team members invited to work on specific applications.
A single person can be both a workspace admin (seeing all apps) and still have a specific role on a particular app. Workspace admin access always takes precedence.
Next steps
- Applications — understand how applications work and how to create them
- Publishable Keys — learn about API key types and rotation
- Admin API reference — full API documentation for admin operations