RAGDC

Manage team members & access control

Got teammates, third-party partners, and trial accounts in your workspace? This guide covers how to assign roles, invite people, and clean up credentials on a schedule — keeping data secure and controlled.

Key takeaways

  • Three roles: Owner (billing), Editor (manage KBs and uploads), Viewer (read-only).
  • Guest accounts are purpose-built for client demos — built-in usage caps and auto-expiry.
  • API keys can be scoped to one KB with rate limits and allowlists — rotate every 90 days.

1. Understand role permissions

There are three workspace roles. Owner can do anything, including billing, inviting, and deleting the workspace. Editor can create KBs, upload documents, and issue API keys. Viewer can read conversations and stats but can't change anything. Most teammates need Editor; finance and legal teams only need Viewer.

2. Invite teammates or clients

Owner → Members → Generate invite link, pick the role (Editor / Viewer / Guest), set expiry, and share the link. For client demos, choose Guest — guest accounts have usage caps, can't see sensitive analytics, and auto-expire. Perfect for one-off product demos.

3. Create scoped API keys

When engineers integrate with your own systems, go to API Keys → New and give the key a clear name (e.g. "Customer Service - Production"). Then bind it to a specific KB (queries are restricted to that KB), set a per-minute rate limit, and add an IP allowlist. With all three set, a leaked key is of little use to anyone else: it only works from the allowlisted addresses, only against that one KB, and only within the rate limit.

4. Rotate and decommission keys

Rotate API keys every 90 days: create a new key, have engineers switch over, verify the old key's traffic drops to zero (the console shows last-used time per key), then revoke the old key. When a teammate leaves, remove their account from Members and revoke any API keys they issued.
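
The checks from steps 3 and 4 can be run as a periodic audit over a key inventory. The script below is an added example, not part of the product or its API: the record fields (`kb`, `rate_per_min`, `ip_allowlist`, `issued_by`, `created`, `last_used`, `replaced_by`), the 7-day quiet period, and the sample keys are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # rotation interval from this guide
QUIET = timedelta(days=7)     # assumption: idle time required before revoking
CONTROLS = {"kb": "KB binding", "rate_per_min": "rate limit", "ip_allowlist": "IP allowlist"}

def audit_keys(keys, members, now):
    """Return {key name: [findings]} for every key that needs action."""
    report = {}
    for k in keys:
        # Step 3: each key should carry all three restrictions.
        findings = [f"missing {label}" for field, label in CONTROLS.items() if not k.get(field)]
        # Step 4: keys issued by a departed teammate are revoked.
        if k["issued_by"] not in members:
            findings.append("issuer no longer a member: revoke")
        if k.get("replaced_by") is None:
            # Active key: check it against the 90-day rotation interval.
            if now - k["created"] > MAX_AGE:
                findings.append("older than 90 days: rotate")
        else:
            # Replaced key: revoke only once its last-used time shows no traffic.
            last = k.get("last_used")
            if last is not None and now - last < QUIET:
                findings.append("replaced but still in use: keep until traffic stops")
            else:
                findings.append("replaced and idle: revoke")
        if findings:
            report[k["name"]] = findings
    return report

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (hypothetical fields, not real keys or console output).
NOW = day(2025, 6, 1)
MEMBERS = {"alice", "bob"}
KEYS = [
    {"name": "Customer Service - Production", "kb": "kb-support", "rate_per_min": 60,
     "ip_allowlist": ["203.0.113.10"], "issued_by": "alice",
     "created": day(2025, 4, 1), "last_used": day(2025, 5, 31)},
    {"name": "Customer Service - Production (old)", "kb": "kb-support", "rate_per_min": 60,
     "ip_allowlist": ["203.0.113.10"], "issued_by": "alice", "created": day(2025, 1, 2),
     "last_used": day(2025, 5, 30), "replaced_by": "Customer Service - Production"},
    {"name": "Reporting script", "kb": "kb-sales", "rate_per_min": None,
     "ip_allowlist": [], "issued_by": "carol",
     "created": day(2025, 2, 1), "last_used": day(2025, 3, 1)},
]

if __name__ == "__main__":
    for name, findings in audit_keys(KEYS, MEMBERS, NOW).items():
        print(f"{name}: " + "; ".join(findings))
```

The replaced key is reported as still in use because its last-used time is two days old, so it stays active until the remaining caller has switched over.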