# Access Controls

Manage organization roles, project access, and scoped API keys.

Use **Access Controls** to decide who can work inside your organization, which projects they can access, and what organization API keys are allowed to do.

Access controls apply at the organization level. You can give a member or API key access to every project, or restrict it to specific projects.

<img alt="Team settings showing members, roles, and project access" src="__img0" />

## Opening Access Controls

Open an app and go to **Settings > Team** to manage member roles and project access.

Use these settings pages for access management:

| Page     | Use it to                                                                                |
| -------- | ---------------------------------------------------------------------------------------- |
| Team     | Invite teammates, update organization roles, and restrict members to specific projects.  |
| API Keys | Create, update, or revoke organization API keys with selected scopes and project access. |

Only **Owners** and **Admins** can manage access. Owners can manage any role, including other Owners. Admins can manage most members and API keys, but they cannot assign or manage the Owner role.

> **Warning**
>
> If an Admin is restricted to specific projects, they can only manage access for projects they can already access. Restricted Admins cannot grant unrestricted organization access.

## Organization roles

Organization roles control the maximum set of actions a member can take. Project access can narrow where those actions apply, but it cannot grant permissions beyond the member's organization role.

| Role          | What it can do                                                                                                                                                       |
| ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Owner         | Full organization control. Owners can manage billing, settings, access controls, API keys, and other Owners. Owners always have access to all projects.              |
| Admin         | Full working access and access-management permissions, except for managing Owners. Admins can be restricted to specific projects.                                    |
| User (Legacy) | Legacy Admin-level role kept for backward compatibility. Treat this as full access and reassign it when possible.                                                    |
| Editor        | Can create and edit paywalls, campaigns, notifications, and assets. Editors can view related resources, but cannot manage access or sensitive organization settings. |
| Reader        | Read-only visibility into dashboard resources. Readers cannot create, update, or delete resources.                                                                   |
| Analyst       | Read-only, analytics-focused visibility for stakeholders who need reporting access without edit permissions.                                                         |

## Project access

Each member has one project access mode:

| Mode         | What it means                                                                              |
| ------------ | ------------------------------------------------------------------------------------------ |
| All Projects | The member can access every current and future project allowed by their organization role. |
| Restricted   | The member can only access the projects you assign to them.                                |

When a member is **Restricted**, assign one role for each project they can access:

| Project role | Use it for                            |
| ------------ | ------------------------------------- |
| Admin        | Project-level management access.      |
| Editor       | Editing resources inside the project. |
| Viewer       | Read-only access to the project.      |

> **Note**
>
> Project roles are capped by the organization role. For example, a Reader with a Project Admin grant is still read-only because the organization role does not allow writes.

Use the **Project access** dropdown when inviting or editing a member to choose **Restricted**. When selected, Superwall shows the project assignments and project role controls for that member.

<img alt="Invite member dialog showing organization role and project access controls" src="__img1" />

## Invite a member

1. Open **Settings > Team**.
2. Click **Invite member**.
3. Enter the member's name and email.
4. Choose an organization role.
5. Choose **All Projects** or **Restricted**.
6. If restricted, select the projects they can access and choose a project role for each one.
7. Click **Invite**.

The invite appears as pending until the user accepts it.

## Update a member

From **Settings > Team**, click **Edit** next to a member. You can change their organization role, project access mode, and project assignments.

Owners cannot remove or demote the last Owner in an organization. Admins cannot assign the Owner role or edit existing Owners.

## API key access

Organization API keys use the same access model:

| Setting        | What it controls                                                                                                                                                  |
| -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Scopes         | Which resources the key can read or write, such as paywalls, campaigns, products, webhooks, charts, users, assets, access controls, or ClickHouse analytics data. |
| Project Access | Whether the key can operate across all projects or only selected projects.                                                                                        |

Both checks must pass. For example, an API key with `paywalls:write` and **Restricted** access to one project can only update paywalls in that project.
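The role cap described under Project access and the two-part API key check above, modeled as an added example (not Superwall's code or API). The three capability levels, the class and function names, and the project names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, Optional


class Level(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2
    MANAGE = 3


# Assumed simplification: each role in the tables above maps to one level.
ORG_CAP = {"Owner": Level.MANAGE, "Admin": Level.MANAGE,
           "User (Legacy)": Level.MANAGE, "Editor": Level.WRITE,
           "Reader": Level.READ, "Analyst": Level.READ}
PROJECT_ROLE = {"Admin": Level.MANAGE, "Editor": Level.WRITE,
                "Viewer": Level.READ}


@dataclass
class Member:
    org_role: str
    # None means All Projects; a dict means Restricted: {project: project role}
    grants: Optional[Dict[str, str]] = None


def member_level(member: Member, project: str) -> Level:
    """Effective level in a project: the project role, capped by the org role."""
    cap = ORG_CAP[member.org_role]
    # Owners always have access to all projects, whatever grants are recorded.
    if member.org_role == "Owner" or member.grants is None:
        return cap
    role = member.grants.get(project)
    if role is None:
        return Level.NONE  # restricted and project not assigned
    return min(cap, PROJECT_ROLE[role])


@dataclass
class ApiKey:
    scopes: FrozenSet[str]
    projects: Optional[FrozenSet[str]] = None  # None means All Projects


def key_allows(key: ApiKey, scope: str, project: str) -> bool:
    """Both checks must pass: the resource scope and the project access."""
    in_scope = scope in key.scopes
    in_project = key.projects is None or project in key.projects
    return in_scope and in_project
```

Modeling both checks as a conjunction makes the failure cases explicit: a key with the right scope but no access to the target project is denied, and so is a key with project access but the wrong scope.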

In the create key dialog, choose the scopes first, then use **Project access** to decide whether the key can access all projects or only selected projects.

<img alt="Create API key dialog showing scopes and project access" src="__img2" />

When you create a key, Superwall shows the token once. Copy it before closing the dialog. After that, the dashboard only shows a masked token.

## Revoke or update an API key

Use **Settings > API Keys** to review each key's scopes, project access, creation date, and last-used timestamp. Edit the key to change its scopes or project restrictions, or revoke it when it is no longer needed.

> **Tip**
>
> Prefer restricted API keys for automation. Give each service only the scopes and projects it needs.

Keys with `data:read` can use the [ClickHouse query API](/docs/dashboard/guides/query-clickhouse) to run read-only SQL against your organization's analytics data.

## Troubleshooting

If a member cannot see a project, confirm that their project access mode is **All Projects** or that the project is selected in their restricted assignments.

If an API request is denied, check both the key's scopes and its project access. The key needs the correct resource scope and access to the target project.

If you cannot assign an Owner, make sure you are signed in as an Owner. Admins cannot grant or manage Owner access.

## Related

* [Team settings](/docs/dashboard/dashboard-settings/overview-settings-team)
* [Projects](/docs/dashboard/dashboard-settings/overview-settings-projects)
* [Keys](/docs/dashboard/dashboard-settings/overview-settings-keys)