The short version
Invitation email delivery is not enabled. Owners and Admins create transient links and share them through a recipient-specific secure channel.
01
Create for the exact verified email
Owners may invite Admin, Developer, Billing, or Viewer accounts. Admins may invite only Developer, Billing, or Viewer accounts.
The recipient must authenticate with the exact invited email and complete email verification before acceptance creates an active membership.
02
Treat the link like a credential
The raw token appears only in the immediate create or reissue response. The pending invitation list never returns it or its SHA-256 hash.
The dashboard builds a fragment-based acceptance URL, and the acceptance page removes that fragment immediately after reading it.
- Copy the link only from the transient handoff panel.
- Use a recipient-specific secure channel.
- Do not put it in tickets, screenshots, analytics, or shared documents.
- Clear the screen and clipboard when practical.
03
Reissue and revoke intentionally
Reissuing creates a new token and immediately invalidates the previous link. Revoking prevents a pending invitation from being accepted.
Expired, revoked, accepted, replaced, and unknown links use a safe unavailable state without revealing token or account details.
04
Acceptance remains atomic
The server validates token hash, status, expiration, intended email, verified session, and workspace state before membership is created.
Membership creation, invite consumption, and the acceptance audit event occur together so a partial acceptance does not grant access.
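The acceptance and reissue behavior described in sections 03 and 04, as an added sketch that is not the product's own code. The SQLite schema, function names, and one-hour lifetime are assumptions, and the workspace-state check is omitted for brevity.

```python
# Illustrative sketch: schema and function names are assumptions, not the product's.
import hashlib, secrets, sqlite3, time

def h(token):  # only the SHA-256 hash is stored, never the raw token
    return hashlib.sha256(token.encode()).hexdigest()

def open_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript("""
      CREATE TABLE invites(id INTEGER PRIMARY KEY, token_hash TEXT UNIQUE, email TEXT,
                           role TEXT, status TEXT, expires_at REAL);
      CREATE TABLE memberships(email TEXT PRIMARY KEY, role TEXT);
      CREATE TABLE audit(event TEXT NOT NULL, invite_id INTEGER);""")
    return db

def create_invite(db, email, role, ttl=3600):
    token = secrets.token_urlsafe(32)  # raw token is returned once, to the creator
    db.execute("INSERT INTO invites(token_hash,email,role,status,expires_at) VALUES(?,?,?,?,?)",
               (h(token), email, role, "pending", time.time() + ttl))
    return token

def reissue(db, email, ttl=3600):
    token = secrets.token_urlsafe(32)  # overwriting the hash invalidates the old link
    db.execute("UPDATE invites SET token_hash=?, expires_at=? WHERE email=? AND status='pending'",
               (h(token), time.time() + ttl, email))
    return token

def accept(db, token, session_email, email_verified, now=None):
    now = time.time() if now is None else now
    db.execute("BEGIN IMMEDIATE")  # validation and all three writes share one transaction
    try:
        row = db.execute("SELECT id,email,role,status,expires_at FROM invites WHERE token_hash=?",
                         (h(token),)).fetchone()
        ok = (row is not None and row[3] == "pending" and row[4] > now
              and email_verified and session_email == row[1])
        if not ok:
            db.execute("ROLLBACK")
            return "unavailable"  # same answer for every failure cause
        db.execute("INSERT INTO memberships VALUES(?,?)", (row[1], row[2]))
        db.execute("UPDATE invites SET status='accepted' WHERE id=?", (row[0],))
        db.execute("INSERT INTO audit VALUES(?,?)", ("invite.accepted", row[0]))
        db.execute("COMMIT")
        return "accepted"
    except Exception:
        db.execute("ROLLBACK")  # a failed step leaves no membership behind
        raise
```

If any of the three writes fails, the rollback leaves the invitation pending and no membership row exists, which is the property to test for when reviewing a real implementation.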
Before you move on
- Invited email exactly matches the intended verified account
- Role is within the inviter’s assignment boundary
- Link is shared once through a secure recipient-specific channel
- Old links are treated as invalid after reissue
- Unused invitations are revoked
- No token or token hash appears in saved evidence