Built-in roles
Every organization member holds one of these roles:Inviting members
Invite team members from Settings → Members in the AgentMark Dashboard. AgentMark sends invitations by email, and they expire after 7 days. Each invitation includes a role assignment.Custom roles and app-level access
Team tier and above. Custom roles and app-level role assignments require a Team or Enterprise subscription.
Custom roles
Create custom roles with cherry-picked permissions for fine-grained access control:- Navigate to Settings → Roles in the Dashboard
- Click Create role
- Name the role and select the specific permissions to grant
- Assign the role to members
App-level roles
Assign different roles per app within the same organization. A member might have Write access to your staging app but Read access to production. To configure per-app access, open Settings → Members in the AgentMark Dashboard, click the row action menu next to a member, and choose Manage app access. From the dialog, toggle each app on or off and set a built-in or custom role per app.API keys
Each API key covers an app and an environment. You create the key in the environment selected in the breadcrumb, and it grants access only to that environment’s resources (prompts, traces, experiments); aprod key can’t reach staging data.
- Create and manage keys from the app-level Settings → API keys page in the Dashboard (under
/orgs/<org>/apps/<app>/settings/api-keys); the list shows only the breadcrumb-selected environment’s keys - Keys are rate-limited by tier (see Billing and usage for limits)
- Key names must be unique within an app
Role presets
Each API key carries either a preset role or a custom permission set. When you create or edit a key, choose one of these presets or select Custom to toggle individual permissions.Permission catalog
The custom permission picker exposes these permissions, grouped by resource:
See Endpoint permissions for the full mapping of API endpoints to permissions.
When a key attempts an operation it doesn’t have permission for, the API returns
403 Forbidden.
Creating a scoped key
- Navigate to the app’s Settings → API keys page in the Dashboard
- Click Create API key
- Enter a name for the key
- Select a role or choose Custom to toggle individual permissions
- Click Create, then copy the key immediately, as it’s only shown once
Editing key permissions
You can change an existing key’s permissions at any time:- Open the app’s Settings → API keys page
- Click the pencil icon next to the key you want to modify
- Update the role or individual permissions
- Save your changes; the key value stays the same
Access-control audit trail
AgentMark records every access-control change in your organization in an immutable audit log:- Membership lifecycle: invites sent, resent, and accepted; role changes; member removals
- Custom roles: created, updated, deleted, assigned, and unassigned
- App-level roles: granted, changed, revoked, and app-scoping toggles
- API keys: created, permission edits with before and after state, and deletions. AgentMark never records key material, only the grant surface.
Viewing and exporting the audit log
Enterprise tier. Viewing and exporting the audit log requires an Enterprise subscription. Recording stays on for every plan.
Retention
AgentMark retains audit entries, including request context, for the lifetime of your organization. Configurable retention windows are on the roadmap for Enterprise; contact support if your compliance program needs a specific schedule.SSO
Team tier and above. SAML 2.0 SSO requires a Team or Enterprise subscription.
- Supported providers: Azure AD, Okta, Google Workspace, and any SAML 2.0-compliant IdP
- Domain allowlisting: restrict sign-in to specific email domains
- Enforcement mode: require SSO for all org members, who must authenticate through your identity provider with no password fallback
- Attribute mapping: map IdP attributes (full name, first/last name) to AgentMark profiles
Have questions?
Reach out any time:
- Email the team at hello@agentmark.co for support
- Schedule an Enterprise Demo to learn about AgentMark’s business solutions