Members
Members are the people who manage a team — its issuer, clients, providers, theming, keys, and roster. Every member has one of two roles: owner or member. (These are the people who manage the team, not the end users who log in through your issuer — those live in the issuer's user pool.)
Because auth.is dogfoods its own IdP, a member is an account in the auth.is root issuer (login.auth.is). A member's userId is a root-pool user id — the same id space as a token sub.
Roles
| Capability | Owner | Member |
|---|---|---|
| Read the team, issuer, clients, providers, keys, theme | Yes | Yes |
| Create/update/delete clients | Yes | No |
| Add/update/remove federation providers | Yes | No |
| Update issuer settings, apply themes, rotate keys | Yes | No |
| Invite, remove, or re-role members | Yes | No |
| Leave the team (remove yourself) | Yes | Yes |
In short: members can read everything, owners can change everything. A non-owner attempting an owner-only tool gets a permission error, not a silent failure.
The last-owner rule
A team must always keep at least one owner. Two operations enforce it:
update_member_rolerefuses to demote the team's last owner (a conflict).remove_memberrefuses to remove the team's last owner (a conflict).
To hand a team off, promote the new owner first, then demote or remove yourself. Trying to demote or remove the sole owner is rejected — transfer ownership before you step down.
Managing the roster
| Tool | Role | Notes |
|---|---|---|
list_members | any member | Roster with roles and join dates; find a userId here. |
update_member_role | owner | Promote to owner or demote to member. |
remove_member | owner (or self) | Remove a member; a member may remove themselves to leave. |
New people join a team through invites, not by being created directly — you invite an email address and they accept.