AgentMark uses a role-based access control (RBAC) system with granular permissions at the organization and app level.Documentation Index
Fetch the complete documentation index at: https://docs.agentmark.co/llms.txt
Use this file to discover all available pages before exploring further.
Built-in roles
Every organization member is assigned one of these roles:| Role | Access |
|---|---|
| Owner | Full access, including billing and subscription management. Assigned to the org creator. Only Owners can promote other members to Owner. |
| Admin | Full access to all org resources, settings, and member management. Read-only billing — only Owners can change the subscription plan or payment method. |
| Write | Create and edit prompts, datasets, and API keys; run experiments; view traces. Read-only on apps — only Admins and Owners can create or delete apps. Cannot manage members or billing. |
| Read | Read-only access to all org resources. Cannot create, edit, or delete anything. |
Inviting members
Invite team members from Settings → Members in the AgentMark Dashboard. Invitations are sent by email and expire after 7 days. Each invitation includes a role assignment.Custom roles and app-level access
Team tier and above. Custom roles and app-level role assignments require a Team or Enterprise subscription.
Custom roles
Create custom roles with cherry-picked permissions for fine-grained access control:- Navigate to Settings → Roles in the Dashboard
- Click Create role
- Name the role and select the specific permissions to grant
- Assign the role to members
App-level roles
Assign different roles per app within the same organization. A member might have Write access to your staging app but Read access to production. To configure per-app access, open Settings → Members in the AgentMark Dashboard, click the row action menu next to a member, and choose Manage app access. From the dialog, toggle each app on or off and set a built-in or custom role per app.API keys
API keys are scoped to individual apps. Each key grants access only to that app’s resources (prompts, traces, experiments).- Create and manage keys from the app-level Settings → API keys page in the Dashboard (under
/orgs/<org>/apps/<app>/settings/api-keys) - Keys are rate-limited by tier (see Billing and usage for limits)
- Key names must be unique within an app
Role presets
Each API key carries either a preset role or a custom permission set. When you create or edit a key, choose one of these presets or select Custom to toggle individual permissions.| Role | Access |
|---|---|
| SDK | trace.write, template.read, score.write. CLI and SDK integrations that ingest traces, read templates, and write scores. |
| Read-Only | trace.read, span.read, session.read, score.read, dataset.read, metrics.read. Dashboards and BI tools. |
| Full Access | Every permission in the catalog. Admin and CI pipelines. |
| Custom | Toggle individual permissions. At least one permission is required. |
Permission catalog
The custom permission picker exposes these permissions, grouped by resource:| Permission | Description |
|---|---|
trace.write | Ingest new traces via POST /v1/traces |
trace.read | Read traces and graph views |
span.read | Read spans via GET /v1/spans |
session.read | Read sessions |
template.read | Read prompt templates |
score.read | Read scores, aggregations, and score names |
score.write | Create scores |
score.delete | Delete scores |
dataset.read | Read datasets |
dataset.write | Create dataset rows |
metrics.read | Read aggregate metrics |
experiment.read | Read experiments, runs, and prompt execution logs |
annotation_queue.read | Read annotation queues and queue items |
annotation_queue.write | Create annotation queues and queue items |
annotation_queue.delete | Delete annotation queues |
annotation_queue.review | Submit reviews to annotation queues |
403 Forbidden.
Creating a scoped key
- Navigate to the app’s Settings → API keys page in the Dashboard
- Click Create API key
- Enter a name for the key
- Select a role or choose Custom to toggle individual permissions
- Click Create — copy the key immediately, as it is only shown once
Editing key permissions
You can change an existing key’s permissions at any time:- Open the app’s Settings → API keys page
- Click the pencil icon next to the key you want to modify
- Update the role or individual permissions
- Save your changes — the key value stays the same
SSO enforcement
Team and Enterprise organizations can enforce SAML SSO for all members. When SSO enforcement is enabled, members must authenticate through your identity provider — no password fallback is available. See Security for SSO configuration details.Have Questions?
We’re here to help! Choose the best way to reach us:
- Email us at hello@agentmark.co for support
- Schedule an Enterprise Demo to learn about our business solutions