The short version
Workspace roles are enforced in server routes, not just hidden in the dashboard. Choose the narrowest role that matches the person’s actual job.
01
Owner and Admin are deliberately different
Owners control the workspace lifecycle, privileged roles, technical configuration, invitations, and manual billing review. The final active Owner cannot be changed or suspended.
Admins manage technical configuration and standard Developer, Billing, and Viewer members. They cannot manage Owners, other Admins, or billing checkout.
02
Developer is the technical operating role
Developers can work with API keys, allowlists, domains, and configuration sync. They do not manage workspace membership, invitations, or billing.
Use Developer for engineers who need to configure protected traffic without granting organizational control.
03
Billing and Viewer stay narrow
Billing receives usage and manual plan-review access without technical configuration or member management. Viewer receives general dashboard and usage-safe read-only context.
Suspended memberships do not satisfy active workspace permission checks.
04
Platform administration is separate
A workspace Owner or Admin is not a ThrottleProxy platform administrator. Global diagnostics and infrastructure testing remain behind the stronger platform-admin and internal-service boundary.
Never grant a broader customer role to work around a platform-only operation.
Before you move on
- Each member has the narrowest appropriate role
- A second Owner exists before an ownership transition
- Admin is not used as a substitute for Billing or platform admin
- Suspended members are verified as inactive
- Role changes are confirmed and reviewed in workspace activity