auth.isdocs
Concepts

Members

Members are the people who manage a team — its issuer, clients, providers, theming, keys, and roster. Every member has one of two roles: owner or member. (These are the people who manage the team, not the end users who log in through your issuer — those live in the issuer's user pool.)

Because auth.is dogfoods its own IdP, a member is an account in the auth.is root issuer (login.auth.is). A member's userId is a root-pool user id — the same id space as a token sub.

Roles

CapabilityOwnerMember
Read the team, issuer, clients, providers, keys, themeYesYes
Create/update/delete clientsYesNo
Add/update/remove federation providersYesNo
Update issuer settings, apply themes, rotate keysYesNo
Invite, remove, or re-role membersYesNo
Leave the team (remove yourself)YesYes

In short: members can read everything, owners can change everything. A non-owner attempting an owner-only tool gets a permission error, not a silent failure.

The last-owner rule

A team must always keep at least one owner. Two operations enforce it:

  • update_member_role refuses to demote the team's last owner (a conflict).
  • remove_member refuses to remove the team's last owner (a conflict).

Managing the roster

ToolRoleNotes
list_membersany memberRoster with roles and join dates; find a userId here.
update_member_roleownerPromote to owner or demote to member.
remove_memberowner (or self)Remove a member; a member may remove themselves to leave.

New people join a team through invites, not by being created directly — you invite an email address and they accept.

Next steps