Per-brand roles
Every member has a role on each brand they’re added to:Viewer
Read-only. Can see surfaces, metrics, and history for the brand, but cannot approve, edit, mint write-keys, or change anything.
Operator
Read + write. Can approve/reject/edit proposals, run actions, and manage the brand’s work.
Workspace roles
Owner
Full control of the workspace: billing, members, plan, and org-wide visibility (including the org-wide MCP audit).
Admin
Manage members and settings, and see org-wide MCP audit, without billing ownership.
Operator
Works within the brands they’re assigned; sees their own MCP activity.
Viewer
Read-only across their assigned brands.
How roles flow into MCP keys
A key you mint can never exceed your own live access. A viewer’s key can’t write; a key can’t reach a brand you can’t. Access is re-checked on every request, so revoking someone’s brand access instantly narrows every key they minted. See Scopes & roles.Managing roles
Owners and admins manage members and per-brand roles under Settings → Team. Add a member, assign their role on each brand, and they see exactly that — no more.Manage your team
Settings → Team.