Team management
Roles, invites, and last-owner protection.
Multiple humans, one Rekomi organization. /dashboard/settings/team is where you manage who has access and what they can do.
Roles
Four roles in a strict hierarchy:
- Owner: full control. Can manage billing, invite team members, change roles, transfer ownership, and delete the organization. Most things in
/dashboard/settings/*require Owner. - Admin: can do everything except billing and team management. Runs day-to-day operations.
- Manager: can manage campaigns, approve affiliates, run payouts, and send broadcasts. Cannot change settings or webhooks.
- Viewer: read-only across the dashboard.
The owning user when an org is created has the Owner role. There must always be at least one Owner.
Invite a team member
From /dashboard/settings/team, click "Invite". Fill in:
- Email (where the invite goes)
- Role (Admin, Manager, or Viewer)
A TeamInvite record is created with a one-time token. The recipient gets an email with the accept URL: https://rekomi.com/invites/{token}. They sign in (or sign up) using the same email, then click accept. The email must match the email on the invite or the acceptance is rejected.
Invites expire after 7 days. You can resend or cancel from the pending invites list.
Team-member limits per plan
The total number of users in an organization (Owner included) is capped per plan tier:
| Tier | Team members |
|---|---|
| Starter | 2 |
| Growth | 5 |
| Pro | Unlimited |
| Enterprise | Unlimited |
If you try to send an invite past your cap, the API returns HTTP 402 and the UI prompts you to upgrade. See Plans and trials for the full tier matrix.
Change a role
From the team list, click the role chip on any row. A dropdown lets you change the role. You cannot demote yourself if you are the last Owner. You cannot promote yourself if you are not already an Owner. Audit log records every role change.
Remove a member
Click "Remove" on any row except your own (you cannot remove yourself; transfer ownership first, then ask an Owner to remove you). Removal is immediate. Their tokens revoke; their next API call returns 401. Their data (audit log entries, prior approvals) stays for the historical record.
Last-owner protection
You cannot:
- Remove the last Owner from the org.
- Demote the last Owner to Admin, Manager, or Viewer.
- Transfer ownership if you are not an Owner.
These are enforced server-side in TeamController. The dashboard hides the option, but if you try via API the call returns 409 with a clear error.
Accepting an invite
The accept page at /invites/{token} shows the org name, the role you are being invited to, and the email the invite was sent to. Sign in with that email. If you are already signed in with a different email, you have to sign out first or accept under the matching email.
Once you accept, you land on /dashboard with the new organization in context. If you belong to multiple orgs (you are an affiliate, you own one brand, and you got invited to another brand), use the org switcher in the top nav.
Multiple organizations per user
A single user can belong to many organizations as different roles. Use the org switcher (top-nav, between the logo and your avatar) to flip between them. The switcher reads from your user-to-org join table.
Phase 7.4 dropped Clerk Organizations native support; we replaced it with our own switcher because Clerk Orgs forced a single billing customer per org which did not match our two-sided model. The switcher reads from the OrganizationUsers table.
Last-known role inheritance
When an invited team member signs in for the first time, their role is set from the invite. After that, you can change their role at any time from the team list. There is no "you cannot lower yourself" rule beyond the last-owner protection.
Audit trail
Every team operation (invite, accept, role change, remove) is recorded in the audit log at /dashboard/settings/audit-log. The audit row includes who did what, when, and to whom. Useful for compliance and for debugging "who removed Sarah" questions.