Skip to Content
UsageTeam & Access

Team & Access

Rustrak supports multiple users on a single instance, with role-based access control over actions and projects. Invite teammates, give them their own login, and scope what they can see and do.

Roles

There are two layers of roles.

Global role

Every user has one global role:

  • Admin — full access to every project plus team management (invite/remove users, change roles).
  • Member — can only see and act on projects they are explicitly added to.

The primary user (the first account, created during bootstrap) is special: it can never be demoted or deleted, so an instance can’t be locked out.

Per-project role

Members are granted access to individual projects with a per-project role:

RoleCan do
ViewerRead issues, events, and project details
EditorEverything a viewer can, plus resolve/mute/delete issues and update the project
AdminEverything an editor can, plus delete the project and manage its members

Global admins implicitly have full access to every project, so they don’t need explicit membership.

Inviting people

Registration is invite-only — there is no open sign-up. Only admins can invite.

  1. Go to Settings → Team
  2. Under Invite a member, enter an email and pick a global role
  3. Click Invite — the invite link is copied to your clipboard automatically

No email is sent. Share the link yourself (chat, email, etc.). You can re-copy it any time from the Pending invitations list, and revoke it there too.

Invitation links expire after 48 hours and can only be used once.

Accepting an invitation

The invitee opens the link (/invite/<token>), sets a password, and is logged in — their email and global role come from the invitation.

Managing the team

From Settings → Team (admins only) you can:

  • Change a user’s global role between admin and member
  • Remove a user — this revokes their access and tokens (with a confirmation step)

You cannot remove yourself, the primary user, or the last remaining admin.

Managing project members

Open a project and use Members to control who can access it:

  • Add a member — pick a user and a per-project role (viewer/editor/admin)
  • Change a member’s role
  • Remove a member

The last admin of a project cannot be removed. When a member creates a project, they automatically become its admin.

API access and tokens

API tokens are scoped to the user who created them — a token inherits that user’s projects and permissions. See API Tokens.

Admins can manage the team over the API too:

# List the team (admin token required) curl -H "Authorization: Bearer YOUR_TOKEN" \ http://localhost:8080/api/team # Invite a member — returns a single-use invite token curl -X POST -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{"email":"teammate@example.com","role":"member"}' \ http://localhost:8080/api/invitations # Add a user to a project as an editor curl -X PUT -H "Authorization: Bearer YOUR_TOKEN" \ -H "Content-Type: application/json" \ -d '{"user_id":2,"role":"editor"}' \ http://localhost:8080/api/projects/1/members

You can also manage all of this from an AI assistant via the MCP server.

Behavior reference

SituationResult
Member opens a project they don’t belong to404 Not Found (existence is not leaked)
Viewer tries to resolve/delete an issue403 Forbidden
Non-admin calls a team or invitation endpoint403 Forbidden
POST /auth/register (open sign-up)403 Forbidden — invite-only
Remove the last admin of an instance or project409 Conflict
Last updated on