Roles & permissions
Every team member has exactly one role: owner, admin, editor, or viewer. Roles control what the member can do in the dashboard and which abilities they can grant to API tokens they mint.
There is exactly one owner per team. Everyone else is admin/editor/viewer.
What each role can do
| Action | Owner | Admin | Editor | Viewer |
|---|---|---|---|---|
| View forms, submissions, webhooks | Yes | Yes | Yes | Yes |
| Create / edit / archive forms | Yes | Yes | Yes | No |
| Permanently delete (force-delete) forms | Yes | No | No | No |
| Edit / delete submissions | Yes | Yes | Yes | No |
| Bulk-act on submissions | Yes | Yes | Yes | No |
| Export submissions | Yes | Yes | Yes | Yes |
| Manage webhooks | Yes | Yes | Yes | No |
| Replay webhook deliveries | Yes | Yes | Yes | No |
| Invite / remove members | Yes | Yes | No | No |
| Change member roles | Yes | Yes | No | No |
| Manage billing & plan | Yes | Yes | No | No |
| Transfer ownership | Yes | No | No | No |
| Delete the team | Yes | No | No | No |
The viewer role is read-only on operational data but can still export submissions to CSV. If you need a stricter "can read but cannot exfiltrate" role, don't grant any role — keep that user out of the team.
Token ability mapping
Members can mint API tokens but cannot grant abilities they don't already have. The maximum ability set per role:
| Role | Maximum abilities mintable on a token |
|---|---|
| Owner | All abilities |
| Admin | All abilities |
| Editor | forms:read, forms:write, submissions:read, submissions:write, submissions:export, webhooks:read, webhooks:write, insights:read, insights:write, tokens:read, tokens:write |
| Viewer | forms:read, submissions:read, submissions:export, webhooks:read, insights:read, tokens:read, tokens:write |
A viewer attempting to mint a token with forms:write gets a 403 Forbidden with {"error": "ability_exceeds_member_role"}.
The billing:read ability is reserved for owner and admin. No other role can mint or hold it.
Picking the right role
| Use case | Role |
|---|---|
| Team founder / company billing contact | Owner |
| Engineering lead managing forms & integrations | Admin |
| Day-to-day operator triaging submissions | Editor |
| Exec who wants visibility but shouldn't change anything | Viewer |
| Customer support reading submissions | Editor (or Viewer if read-only) |
| External agency with strict scope | Editor on a shared team, never owner |
Don't make people admins just to avoid friction. The blast radius of a compromised admin token is much larger than an editor's.
Changing a member's role
Owner or admin → Team settings → Members → role dropdown on the row.
Side effects:
- Demotion (e.g. admin → editor): any tokens the member holds that exceed the new role's max abilities are immediately revoked. The member is notified by email.
- Promotion (e.g. editor → admin): no tokens change. Any new tokens minted can carry the broader ability set.
- Demoting yourself is allowed except for the owner — the owner cannot demote themselves without first transferring ownership (see Ownership transfer →).
There is no audit log entry for role changes in the UI yet, but the change is recorded server-side and visible to support if needed.
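The two rules above that involve tokens, the mint-time ceiling from "Token ability mapping" (a request for an ability outside the member's role gets a 403 with ability_exceeds_member_role) and the demotion side effect (tokens that exceed the new role's ceiling are revoked, promotion leaves tokens alone), are shown together below as an added worked example. It is not the product's own code: the role and ability names and the error string come from this page; the function names, the Token structure and the sample tokens are constructed for illustration.

```python
"""Role -> ability ceiling and the demotion side effect, as a runnable model.

Assumptions (not the product's own code): role names, ability names and the
error string are taken from the page; the data structures, function names and
the sample tokens below are constructed for illustration.
"""
from dataclasses import dataclass

# Every ability name that appears in the page's tables.
ALL_ABILITIES = frozenset({
    "forms:read", "forms:write",
    "submissions:read", "submissions:write", "submissions:export",
    "webhooks:read", "webhooks:write",
    "insights:read", "insights:write",
    "tokens:read", "tokens:write",
    "billing:read",  # reserved for owner and admin
})

EDITOR_ABILITIES = ALL_ABILITIES - {"billing:read"}

VIEWER_ABILITIES = frozenset({
    "forms:read", "submissions:read", "submissions:export",
    "webhooks:read", "insights:read", "tokens:read", "tokens:write",
})

# Maximum ability set a member of each role may place on a token.
MAX_ABILITIES = {
    "owner": ALL_ABILITIES,
    "admin": ALL_ABILITIES,
    "editor": EDITOR_ABILITIES,
    "viewer": VIEWER_ABILITIES,
}


class AbilityExceedsMemberRole(Exception):
    """Corresponds to HTTP 403 with {"error": "ability_exceeds_member_role"}."""
    status = 403
    body = {"error": "ability_exceeds_member_role"}


@dataclass
class Token:
    token_id: str
    minted_by: str          # member id of the minter (constructed field name)
    abilities: frozenset
    revoked: bool = False


def mint_token(member_role: str, requested, token_id: str, member_id: str) -> Token:
    """Refuse any requested ability outside the minting member's role ceiling."""
    ceiling = MAX_ABILITIES[member_role]
    excess = frozenset(requested) - ceiling
    if excess:
        raise AbilityExceedsMemberRole(sorted(excess))
    return Token(token_id, member_id, frozenset(requested))


def change_role(member_id: str, new_role: str, tokens: list) -> list:
    """Demotion side effect: revoke this member's tokens that exceed the new ceiling.

    A promotion never revokes anything, because no existing token can exceed a
    wider ceiling. Returns the ids of the tokens revoked by this call.
    """
    ceiling = MAX_ABILITIES[new_role]
    revoked = []
    for t in tokens:
        if t.minted_by == member_id and not t.revoked and t.abilities - ceiling:
            t.revoked = True
            revoked.append(t.token_id)
    return revoked


def demo():
    """Constructed scenario: a viewer asks for forms:write, then an admin is demoted."""
    # 1. Viewer minting beyond the viewer ceiling -> 403 ability_exceeds_member_role
    try:
        mint_token("viewer", {"forms:read", "forms:write"}, "tok_v1", "member_viewer")
        refused = None
    except AbilityExceedsMemberRole as e:
        refused = (e.status, e.body["error"], e.args[0])

    # 2. Admin holds two tokens; demotion to editor revokes only the one carrying billing:read
    tokens = [
        mint_token("admin", {"forms:read", "billing:read"}, "tok_a1", "member_admin"),
        mint_token("admin", {"forms:read", "forms:write"}, "tok_a2", "member_admin"),
    ]
    revoked_on_demotion = change_role("member_admin", "editor", tokens)
    # Promoting back to admin leaves the remaining token untouched
    revoked_on_promotion = change_role("member_admin", "admin", tokens)
    return refused, revoked_on_demotion, revoked_on_promotion


if __name__ == "__main__":
    print(demo())
```

The check is deliberately a set difference against the minter's ceiling rather than a per-ability allow list, so a future ability only needs to be added to the role tables in one place; the same difference drives revocation on demotion, which keeps the two rules from drifting apart.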
Removing a member
Same screen, click the trash icon. Removing a member:
- Revokes every token they minted in this team
- Drops them from any submission notification lists
- Leaves all forms, submissions, and webhooks intact (those belong to the team, not the member)
The member can be re-invited later but starts fresh — no role memory, no token memory.