
Team workspaces

Bring teammates into your workspace as admins, editors, or viewers. Each gets their own login, but billing stays with you.

Pro & Agency

Roles

| Role | Can | Can't |
|------|-----|-------|
| Owner | Everything below + billing, transfer ownership (planned), delete workspace | |
| Admin | Manage domains, run scans, view all reports, invite/revoke other members, configure webhooks & portals | See or change billing, delete the workspace |
| Editor | Run scans, view all reports, schedule scans, mark findings done / wont-fix / false-positive | Add/remove domains, invite teammates, configure webhooks |
| Viewer | View all reports + dashboards (read-only) | Run scans, mutate any data |

The Owner role is reserved for the user who created the workspace. There's no way to invite a second Owner today — a future "transfer ownership" flow will land that.

How to invite

  1. Open the Team page.
  2. Click Invite member. Enter their email, pick a role, send.
  3. We try to email them via Brevo. If our email doesn't go out (e.g. your workspace doesn't have BREVO_API_KEY in production), we surface an emailWarning in the response and show you the invite URL so you can paste it manually.

How accepting works

The invitee opens /invite/<token>. We check three states:

  • Not signed in → they see "Sign in" / "Sign up" CTAs with the email pre-filled and ?next=/invite/<token> so post-auth routes back here.
  • Signed in as the matching email → they see an "Accept invitation" button.
  • Signed in as a DIFFERENT email → they see "Sign out and back in as <expected>" with a sign-out link. We deliberately don't auto sign them out — losing an unrelated session for a stranger's invite would be hostile UX.

Email-bound, not just URL-secret

Possession of the invite URL alone is not sufficient. Acceptance requires an authenticated session whose email matches the invitation's email column. So a leaked URL can't be claimed by a third party who doesn't control the recipient mailbox. This is stronger than the typical "magic link" model.

Anti-spam: pending-duplicate check

We reject a re-invite (HTTP 409) if a non-accepted, non-revoked, non-expired invitation already exists for the same (workspace, email). The inviter must explicitly revoke the existing one before re-sending. This prevents accidental email spam from clicking "Send" repeatedly.

Expiry and rotation

Invitations expire 7 days after creation. Recipients can ask the inviter to re-issue if expired. Revoking is immediate via the Team page — the URL stops working as soon as you click revoke.
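
The rules above (three acceptance states, email binding, the pending-duplicate check, 7-day expiry and revocation) can be sketched as one decision function. This is an added example, not the product's own code: the field names, function names, state labels and the case-insensitive email comparison are assumptions.

```javascript
// Added example. Field and function names are assumptions, not the product's code.
const INVITE_TTL_MS = 7 * 24 * 60 * 60 * 1000; // invitations expire 7 days after creation

// Assumption: emails are compared case-insensitively after trimming.
const norm = (email) => email.trim().toLowerCase();

// "Pending" means not accepted, not revoked and not expired.
function isPending(inv, now) {
  return !inv.acceptedAt && !inv.revokedAt && now - inv.createdAt < INVITE_TTL_MS;
}

// Re-invite guard: when this returns true the API answers HTTP 409.
function hasPendingDuplicate(invitations, workspaceId, email, now) {
  return invitations.some(
    (i) => i.workspaceId === workspaceId && norm(i.email) === norm(email) && isPending(i, now)
  );
}

// Decide what /invite/<token> renders. `session` is null when nobody is signed in.
function resolveInvite(inv, session, now) {
  // Revoked, expired, already accepted and unknown tokens all fail the same way.
  if (!inv || !isPending(inv, now)) return { state: "invalid" };
  if (!session) {
    const next = `/invite/${encodeURIComponent(inv.token)}`;
    return { state: "sign_in", email: inv.email, query: `?next=${next}` };
  }
  // Email binding: holding the token is not enough, the session must match.
  if (norm(session.email) !== norm(inv.email)) {
    return { state: "wrong_account", expected: inv.email }; // never auto sign-out
  }
  return { state: "can_accept" };
}

// Constructed sample invitation (not real data).
const SAMPLE_INVITE = {
  token: "tok_example", workspaceId: "ws_1", email: "dana@example.com",
  createdAt: Date.UTC(2024, 0, 1), acceptedAt: null, revokedAt: null,
};
```

Run the same check again in the handler that performs the acceptance, since the rendered page by itself enforces nothing.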

Billing and quota

One subscription per workspace. Adding teammates does NOT add to the bill — your Pro / Agency subscription covers the whole team. Domain count and scan-per-month limits are workspace-level, not per-user — five teammates running scans all draw from the same monthly pool.

Plan availability

Team workspaces unlock on Pro and Agency. Free-tier users see an upgrade card on the Team page. Both plans give unlimited seats — there's no per-seat fee.