Manage Team Access
Temps has a role-based permission system that controls who can view, deploy, and configure your projects. Use roles for team members and API keys for CI/CD and external integrations.
Understand roles
Temps includes several built-in roles:
| Role | Description |
|---|---|
| Admin | Full access to everything — projects, deployments, settings, users, backups, and system configuration |
| User | Can create and manage projects, deploy, and view most resources. Cannot delete critical resources or manage system settings. |
| Reader | Read-only access. Can view projects, deployments, logs, and analytics but cannot make changes. |
| Custom | No default permissions. Used for API keys where you want to grant only specific capabilities. |
Additional specialized roles:
| Role | Description |
|---|---|
| ApiReader | Read-only API access. For monitoring and reporting integrations. |
| Mcp | For MCP (Model Context Protocol) server integrations. |
| Demo | Limited access for demonstration purposes. |
Create a user account
- In the sidebar, click Settings
- Go to the Users section
- Click Add User
- Enter the user's email and name
- Set a temporary password (the user should change it on first login)
- Select a role
The new user can now log in at your Temps instance URL with the provided credentials.
The first user account is created during temps setup (or the first visit to the dashboard). This account always has the Admin role and cannot be downgraded.
Assign a role
To change a user's role:
- Go to Settings > Users
- Find the user
- Click Edit (or the actions menu)
- Select the new role
- Save
Role changes take effect immediately. The user's next API call or page load uses the new permissions. Active sessions are not terminated — the user does not need to log in again.
Permission examples by role
| Action | Admin | User | Reader |
|---|---|---|---|
| View projects and deployments | Yes | Yes | Yes |
| Create and deploy projects | Yes | Yes | No |
| Manage environment variables | Yes | Yes | No |
| View logs and analytics | Yes | Yes | Yes |
| Manage domains | Yes | Yes | No |
| Delete projects | Yes | No | No |
| Manage users and roles | Yes | No | No |
| Configure backups | Yes | No | No |
| System settings | Yes | No | No |
Create an API key
API keys are used for programmatic access — CI/CD pipelines, scripts, monitoring integrations, and MCP servers.
- Go to Settings > API Keys
- Click Create API Key
- Enter a name (e.g.
github-actions-deploy,monitoring-readonly) - Select the permissions to grant (see below)
- Click Create
- Copy the key immediately — it is shown only once
The API key is used in the Authorization header:
curl -H "Authorization: Bearer tk_your_api_key" \
"https://your-temps-instance/api/projects"
Scope API key permissions
API keys use the Custom role by default, meaning they have no permissions until you explicitly grant them. This follows the principle of least privilege.
Common permission scopes:
CI/CD deployment key
Grant only what is needed to trigger deployments:
deployments:create— trigger new deploymentsdeployments:read— check deployment statusprojects:read— list projectsenvironments:read— list environments
Read-only monitoring key
For dashboards and reporting tools:
projects:readdeployments:readenvironments:readanalytics:readmonitoring:read
Full management key
For administrative scripts (use sparingly):
- All permissions — equivalent to Admin role
Security best practice: Create separate API keys for each integration. If a key is compromised, you can revoke it without affecting other systems. Name keys descriptively so you know which integration each key belongs to.
Deployment tokens
In addition to API keys, Temps automatically generates a deployment token for each project environment. This token is injected as the TEMPS_API_TOKEN environment variable in your application container.
Deployment tokens allow your running application to call back into the Temps API — for example, to report analytics events or upload source maps.
These tokens are:
- Auto-generated and managed by Temps
- Scoped to the specific project and environment
- Rotated on each deployment
- Not visible in the API key management UI (they are managed per-environment)
You do not need to create or manage deployment tokens manually. They are available in your application as process.env.TEMPS_API_TOKEN.