Authorization
Who can do what inside Temps — project roles, environment-level permissions, and API key scopes.
Role-based access control
Every action in the Temps API is guarded by a permission check. Users carry a role per project, and that role determines which permissions they hold. Roles are assigned by a project Owner or Admin from Settings → Team.
Project roles
| Role | What they can do |
|---|---|
| Owner | Full control — including deleting the project and transferring ownership |
| Admin | Manage all project settings, members, deployments, and environments — everything except deletion |
| Member | Deploy, view deployments, and view analytics |
| Viewer | Read-only access to deployments, logs, and analytics |
Roles are scoped per project. A user can be an Owner of one project and a Viewer of another.
Inviting team members
- Go to Settings → Team in your project
- Enter the member's email address and select their role
- They receive an invitation link; on first login their account is created and the role is applied
See Manage Team Access for the step-by-step guide.
Environment permissions
Permissions can be further narrowed per environment. For example, you can grant a member write access to staging but read-only access to production.
Environment-level overrides layer on top of the project role — the environment setting can only restrict, not expand, what the project role allows.
Configure environment permissions in Settings → Environments → [environment] → Access.
API key scopes
API keys carry explicit permission scopes chosen at creation time. A key only grants the listed permissions, regardless of the creating user's role.
| Scope | What it grants |
|---|---|
read:projects | View projects and their settings |
write:projects | Create and modify projects |
read:deployments | View deployments and build logs |
write:deployments | Trigger, cancel, and manage deployments |
read:analytics | View analytics data |
admin:project | Full access equivalent to the Admin role for the project the key belongs to |
Principle of least privilege
Create one key per integration and grant only the scopes that integration actually needs. A CI/CD pipeline that only triggers deployments needs write:deployments — not admin:project. Keys can be revoked individually from Settings → API Keys without affecting other integrations.
For creating and managing API keys, see Authentication → API Keys.