Skip to main content
AgentMark uses a role-based access control (RBAC) system with granular permissions at the organization and app level.

Built-in roles

Every organization member holds one of these roles:

Inviting members

Invite team members from Settings → Members in the AgentMark Dashboard. AgentMark sends invitations by email, and they expire after 7 days. Each invitation includes a role assignment.

Custom roles and app-level access

Team tier and above. Custom roles and app-level role assignments require a Team or Enterprise subscription.

Custom roles

Create custom roles with cherry-picked permissions for fine-grained access control:
  1. Navigate to Settings → Roles in the Dashboard
  2. Click Create role
  3. Name the role and select the specific permissions to grant
  4. Assign the role to members
Custom roles draw from the full permission catalog, so you can grant access to specific features (for example, “can view traces and run experiments but can’t edit prompts or manage billing”).

App-level roles

Assign different roles per app within the same organization. A member might have Write access to your staging app but Read access to production. To configure per-app access, open Settings → Members in the AgentMark Dashboard, click the row action menu next to a member, and choose Manage app access. From the dialog, toggle each app on or off and set a built-in or custom role per app.

API keys

Each API key covers an app and an environment. You create the key in the environment selected in the breadcrumb, and it grants access only to that environment’s resources (prompts, traces, experiments); a prod key can’t reach staging data.
  • Create and manage keys from the app-level Settings → API keys page in the Dashboard (under /orgs/<org>/apps/<app>/settings/api-keys); the list shows only the breadcrumb-selected environment’s keys
  • Keys are rate-limited by tier (see Billing and usage for limits)
  • Key names must be unique within an app
For a step-by-step Dashboard walkthrough with screenshots, see API keys.

Role presets

Each API key carries either a preset role or a custom permission set. When you create or edit a key, choose one of these presets or select Custom to toggle individual permissions.

Permission catalog

The custom permission picker exposes these permissions, grouped by resource: See Endpoint permissions for the full mapping of API endpoints to permissions. When a key attempts an operation it doesn’t have permission for, the API returns 403 Forbidden.

Creating a scoped key

  1. Navigate to the app’s Settings → API keys page in the Dashboard
  2. Click Create API key
  3. Enter a name for the key
  4. Select a role or choose Custom to toggle individual permissions
  5. Click Create, then copy the key immediately, as it’s only shown once

Editing key permissions

You can change an existing key’s permissions at any time:
  1. Open the app’s Settings → API keys page
  2. Click the pencil icon next to the key you want to modify
  3. Update the role or individual permissions
  4. Save your changes; the key value stays the same

Access-control audit trail

AgentMark records every access-control change in your organization in an immutable audit log:
  • Membership lifecycle: invites sent, resent, and accepted; role changes; member removals
  • Custom roles: created, updated, deleted, assigned, and unassigned
  • App-level roles: granted, changed, revoked, and app-scoping toggles
  • API keys: created, permission edits with before and after state, and deletions. AgentMark never records key material, only the grant surface.
Each entry captures who made the change, when, from where (IP address and client), the target (member email, role name, or key name), and the before and after state. AgentMark also records denied attempts to make access-control changes. Changes made by AgentMark support at your request appear in your trail with the acting support engineer identified. Entries are write-once and tamper-evident: nobody, including organization owners, can edit or delete them, and a verifiable hash chain links every entry to the one before it. Recording is always on for every organization, so your trail exists from day one and upgrading reveals your full history.

Viewing and exporting the audit log

Enterprise tier. Viewing and exporting the audit log requires an Enterprise subscription. Recording stays on for every plan.
Open Settings → Audit log in the Dashboard to browse your organization’s trail. Owners and Admins see the tab by default. To give other members access, create a custom role with the View the organization audit log permission. Filter entries by action, target, or date range, and click any row for full detail, including the request context and the before and after state. Click Export CSV on the same page for the full trail as a spreadsheet-safe CSV with UTC timestamps, ready for your SIEM or compliance evidence collection.

Retention

AgentMark retains audit entries, including request context, for the lifetime of your organization. Configurable retention windows are on the roadmap for Enterprise; contact support if your compliance program needs a specific schedule.

SSO

Team tier and above. SAML 2.0 SSO requires a Team or Enterprise subscription.
Configure SAML 2.0 single sign-on for your organization:
  • Supported providers: Azure AD, Okta, Google Workspace, and any SAML 2.0-compliant IdP
  • Domain allowlisting: restrict sign-in to specific email domains
  • Enforcement mode: require SSO for all org members, who must authenticate through your identity provider with no password fallback
  • Attribute mapping: map IdP attributes (full name, first/last name) to AgentMark profiles
To configure SSO, navigate to Settings → SSO in the AgentMark Dashboard.

Have questions?

Reach out any time: