Authorization
Every action in the Temps API is guarded by a permission check. Users carry a role per project — Owner, Admin, Member, or Viewer — and environment-level overrides let you restrict access further without changing the project role. API keys carry explicit scopes so integrations never get more access than they need.
Role-based access control
Every action in the Temps API is guarded by a permission check. Users carry a role per project, and that role determines which permissions they hold. Roles are assigned by a project Owner or Admin from Settings → Team.
Project roles
| Role | What they can do |
|---|---|
| Owner | Full control — including deleting the project and transferring ownership |
| Admin | Manage all project settings, members, deployments, and environments — everything except deletion |
| Member | Deploy, view deployments, and view analytics |
| Viewer | Read-only access to deployments, logs, and analytics |
Roles are scoped per project. A user can be an Owner of one project and a Viewer of another.
Inviting team members
Invite a team member
- 1
Go to Settings then Team in your project.
- 2
Click Invite Member.
- 3
Enter the member's email address and select their role.
- 4
Send the invitation.
Checkpoint: The invitee receives an email link; on first login their account is created and the role is applied.
- Go to Settings → Team in your project
- Enter the member's email address and select their role
- They receive an invitation link; on first login their account is created and the role is applied
See Manage Team Access for the step-by-step guide.
Environment permissions
Permissions can be further narrowed per environment. For example, you can grant a member write access to staging but read-only access to production.
Environment-level overrides layer on top of the project role — the environment setting can only restrict, not expand, what the project role allows.
Configure environment permissions in Settings → Environments → [environment] → Access.
API key scopes
Create an API key with specific scopes
- 1
Go to Settings then API Keys and click Create API Key.
- 2
Enter a name (e.g. github-actions-deploy or monitoring-readonly).
- 3
Select only the permission scopes the integration needs.
- 4
Click Create and copy the key — it is shown only once.
Checkpoint: The key appears in Settings > API Keys and can be revoked individually without affecting other keys.
API keys carry explicit permission scopes chosen at creation time. A key only grants the listed permissions, regardless of the creating user's role.
| Scope | What it grants |
|---|---|
read:projects | View projects and their settings |
write:projects | Create and modify projects |
read:deployments | View deployments and build logs |
write:deployments | Trigger, cancel, and manage deployments |
read:analytics | View analytics data |
admin:project | Full access equivalent to the Admin role for the project the key belongs to |
Principle of least privilege
Create one key per integration and grant only the scopes that integration actually needs. A CI/CD pipeline that only triggers deployments needs write:deployments — not admin:project. Keys can be revoked individually from Settings → API Keys without affecting other integrations.
For creating and managing API keys, see Authentication → API Keys.