Overview
SeggWat uses a role-based access control system to manage permissions within organizations. Each member of an organization has one of three roles that determine what actions they can perform.
All members are scoped to an organization. Each organization can have multiple projects, and API keys grant access to all projects within that organization.
Role Types
Owner
The highest level of access with full control over the organization.
Owner Capabilities
- Full billing and subscription management
- Delete the organization
- Transfer ownership to another member
- All Admin and Member capabilities
Restrictions:
- An organization must have at least one Owner
- Cannot remove yourself as Owner if you're the last one
- Must transfer ownership before leaving the organization
Admin
Administrative access for managing the organization and its resources.
Admin Capabilities
- Create, update, and delete projects
- Invite and remove members (excluding Owners)
- Change member roles (Member ↔ Admin only)
- Create and manage API keys
- View all feedback across projects
- Update organization details (name, slug)
- All Member capabilities
Restrictions:
- Cannot modify or remove Owner-level members
- Cannot change their own role
- Cannot manage billing or subscriptions
- Cannot delete the organization
Member
Basic access for viewing and contributing feedback.
Member Capabilities
- View feedback in projects they have access to
- Create feedback manually in the dashboard
- View project settings (read-only)
- View organization members list
Restrictions:
- Cannot invite or remove other members
- Cannot create or manage projects
- Cannot create or manage API keys
- Cannot modify organization settings
Permission Matrix
| Action | Owner | Admin | Member |
|---|---|---|---|
| Organization Management | |||
| View organization details | ✅ | ✅ | ✅ |
| Update organization (name, slug) | ✅ | ✅ | ❌ |
| Delete organization | ✅ | ❌ | ❌ |
| Manage billing & subscription | ✅ | ❌ | ❌ |
| Transfer ownership | ✅ | ❌ | ❌ |
| Member Management | |||
| View members | ✅ | ✅ | ✅ |
| Invite new members | ✅ | ✅ | ❌ |
| Remove Members | ✅ | ✅ | ❌ |
| Remove Admins | ✅ | ❌ | ❌ |
| Remove Owners | ✅ (if multiple) | ❌ | ❌ |
| Change member role to Member/Admin | ✅ | ✅ | ❌ |
| Change member role to Owner | ✅ | ❌ | ❌ |
| Project Management | |||
| View projects | ✅ | ✅ | ✅ |
| Create projects | ✅ | ✅ | ❌ |
| Update projects | ✅ | ✅ | ❌ |
| Delete projects | ✅ | ✅ | ❌ |
| View project API keys | ✅ | ✅ | ❌ |
| Feedback Management | |||
| View feedback | ✅ | ✅ | ✅ |
| Create feedback manually | ✅ | ✅ | ✅ |
| Update feedback status/type | ✅ | ✅ | ❌ |
| Delete feedback | ✅ | ✅ | ❌ |
| Archive feedback | ✅ | ✅ | ❌ |
| API Access | |||
| Create API keys | ✅ | ✅ | ❌ |
| View API keys | ✅ | ✅ | ❌ |
| Revoke API keys | ✅ | ✅ | ❌ |
| Delete API keys | ✅ | ✅ | ❌ |
Managing Team Members
Inviting Members
Navigate to Access Control
Go to Settings → Access Control in your organization dashboard.
Invite New Member
Click Invite Member, enter their email address, and select their role (Member or Admin).
Invitation Sent
The invitee will receive an email with an invitation link. They'll also see an in-app notification if they already have a SeggWat account.
Invitation links are valid for 7 days. After that, they expire and you'll need to resend the invitation.
Invitation States
| State | Description |
|---|---|
| Pending | Invitation sent, waiting for the user to accept |
| Expired | Invitation link has expired after 7 days |
| Active | User has accepted the invitation and joined the organization |
Changing Member Roles
- Go to Settings → Access Control
- Find the member in the list
- Click the role dropdown next to their name
- Select the new role
Role Change Restrictions:
- Only Owners can promote members to Owner
- Admins can only change roles between Member and Admin
- You cannot change your own role
- Must have at least one Owner in the organization
Removing Members
- Go to Settings → Access Control
- Find the member in the list
- Click the Remove button next to their name
- Confirm the removal
Who Can Remove Whom:
- Owners can remove anyone (except themselves if they're the last Owner)
- Admins can only remove Members
- Members cannot remove anyone
API Key Permissions
API keys can be either full-access (grant every permission in the org) or scoped (grant a chosen subset of capabilities, optionally restricted to specific projects).
Either way, only Owners and Admins can create API keys.
Full-access keys
Full-access keys are the default and behave the same as keys minted before scoped tokens existed:
- Grant access to all projects within the organization
- Can list, retrieve, submit, and modify feedback and ratings on any project
- Can call every endpoint a logged-in admin can call
Use full-access keys for trusted backend integrations, CI/CD pipelines, and internal tooling where the operator already has admin access to the dashboard.
Scoped keys
Scoped keys carry an explicit list of capabilities and an optional project allow-list. The available scopes are:
| Scope | Grants |
|---|---|
feedback:write |
Submit new feedback (used by widgets, extension, mobile, CI hooks) |
feedback:read |
List and retrieve existing feedback |
rating:write |
Submit ratings (helpful, star, NPS) |
idea:write |
Submit or vote on ideas |
project:list |
List the org's projects (filtered to the key's allowed projects when project-restricted) |
The dashboard offers two presets in the create-key flow:
- Tester preset —
feedback:write+project:list, restricted to one project, 90-day expiry. Intended for external testers using the Chrome extension. - Custom — pick any combination of scopes, any subset of projects, and any expiry (or no expiry).
Project restriction
Any scoped key (preset or custom) can be locked to specific projects in the org. Project-restricted keys:
- Only see their allow-listed projects when calling
GET /api/v1/projects— other projects in the org are filtered out, not just denied - Fail with
403on any endpoint targeting a project outside the allow-list
Expiry
Scoped keys can carry a hard expiry. The Tester preset defaults to 90 days. Custom keys can pick any expiry or omit it. Expired keys stay in the dashboard for audit purposes but fail authentication.
Label your API keys by purpose (e.g., "Production Server", "CI/CD", "jane-doe@vendor.com — Acme staging") to track which services or testers are using which keys. Check the "Last Used" timestamp regularly to identify inactive keys.
Best Practices
Common Scenarios
Scenario: Adding a Contractor
Question: I'm hiring a contractor to help process feedback. What role should I assign?
Answer: Assign them the Member role initially. This gives them read access to feedback without allowing them to modify projects or invite others. If they need to manage feedback status/types, promote them to Admin temporarily.
Scenario: Team Lead Needs More Access
Question: My team lead needs to create projects and manage API keys. What role do they need?
Answer: Promote them to Admin. This gives them full project management capabilities and the ability to create API keys, without access to billing or organization deletion.
Scenario: Founder is Leaving
Question: One of our co-founders is leaving the company. How do we transfer their ownership?
Answer:
- Ensure you have at least one other Owner in the organization
- The leaving Owner can demote themselves to Member or leave entirely
- If they're the last Owner, they must first promote another trusted member to Owner before leaving
Scenario: API Key Compromise
Question: We think one of our API keys was exposed. What should we do?
Answer:
- Go to Settings → API Tokens
- Immediately Revoke or Delete the compromised key
- Create a new API key with a descriptive label
- Update your application/service with the new key
- Monitor the "Last Used" timestamp to ensure the old key isn't being used
Scenario: Temporary External Access
Question: We need to give a partner company temporary access to view feedback for a specific project.
Answer:
- Invite them as a Member with their email
- Set a calendar reminder to remove them after the agreed period
- Alternatively, create a time-limited API key and share that instead (though you'll need to monitor usage manually)
Security Considerations
Important Security Notes:
- Never share API keys in public repositories or commit them to version control
- Rotate API keys every 90 days for production environments
- Use separate API keys for different environments (dev, staging, production)
- Monitor the "Last Used" field to detect unauthorized access
Activity Tracking
SeggWat tracks the following actions for security and compliance:
- When members are invited, joined, or removed
- When roles are changed (who changed it and when)
- When API keys are created, used, revoked, or deleted
- Who created each API key and when it was last used