> ## Documentation Index
> Fetch the complete documentation index at: https://docs.lasscyber.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Inviting team members

> Invite users to your organization, assign roles, and manage team membership.

Organizations use Auth0 Organizations under the hood, which gives
Agnes a first-class **invitation** flow: you enter an email, Agnes
asks Auth0 to send a signed invitation link, the recipient clicks it,
signs up or signs in, and lands inside your organization with the
role you picked.

## Sending an invitation

1. Sign in at [`agnes.lasscyber.com`](https://agnes.lasscyber.com)
   and switch to the right organization in the tenant switcher.
2. Open **Settings → Teams** (or
   [`agnes.lasscyber.com/teams`](https://agnes.lasscyber.com/teams)).
3. Click **Invite member**.
4. Enter the recipient's email address and pick a role (default:
   `member`). See [Roles & permissions](/administration/roles-and-permissions)
   for what each role can do.
5. Send. Auth0 emails the recipient an invitation link signed with
   your organization's identity.

The invitation row shows up under **Pending invitations** until the
recipient accepts. You can revoke at any time before acceptance.

### Required role

Sending invitations requires `tenant:invite_users`. Owners and admins
have it; members and viewers do not.

### Programmatic invitations

Available via `POST /api/v1/tenants/{tenant_id}/invitations` (JWT
auth only — invitations are admin-managed). See the auto-generated
[API reference](/api-reference/overview).

## Accepting an invitation

The recipient receives an email with a one-click link. Clicking it:

1. Routes them through Auth0 Universal Login.
2. Creates an Auth0 user if one does not exist (passwordless / social
   options follow your Auth0 tenant config).
3. Adds them to the Auth0 Organization as a member.
4. Triggers Agnes's first-sign-in flow, which creates the corresponding
   Agnes user record bound to your tenant with the role from the
   invitation.

The recipient can then sign in to
[`agnes.lasscyber.com`](https://agnes.lasscyber.com) and pick your
organization in the tenant switcher.

If the recipient is **already** an Agnes user (because they're
already in another tenant), the invitation simply adds your tenant
to the list they can switch between.

## Revoking an invitation

Pending invitations show a **Revoke** action. Revoking deletes the
Auth0 invitation and prevents the link from being used.

Already-accepted invitations cannot be "revoked" — to remove an
accepted user, see **Removing a member** below.

## Changing a member's role

In **Settings → Teams**, click a member row and pick a new role.
Changes take effect immediately on the next request that user makes;
their existing Auth0 session is not invalidated, but the API
re-evaluates their role on every call.

Owners can change any role. Admins can grant `member` / `viewer`.
Admins **cannot** grant `owner` (only owners can transfer ownership;
see below).

## Removing a member

In **Settings → Teams**, click a member row and pick **Remove**. The
user is removed from your tenant immediately:

* Their Auth0 Organization membership is deleted.
* Their Agnes user record is detached from your tenant. (The Auth0
  user account itself is **not** deleted; they may still belong to
  other tenants.)
* All their API keys (if any) are deleted.

A removed user retains no data access. If you accidentally remove
someone, re-invite them; the data they previously authored remains
under your tenant.

## Transferring ownership

Today, ownership transfer is a manual step — file a ticket from
[`agnes.lasscyber.com/support`](https://agnes.lasscyber.com/support)
and the team will handle the transfer. A self-serve flow is on the
roadmap.

## SSO

If your Auth0 tenant has an enterprise connection (SAML / OIDC), you
can pin your organization to that connection so members must sign in
via SSO. Configure this in Auth0's organization settings, not in
Agnes.

## Next

* [Roles & permissions](/administration/roles-and-permissions)
* [Organizations](/administration/organizations)
* [API keys](/administration/api-keys)
