Team & RBAC
Organizations use Clerk for authentication. The Amlexia dashboard enforces roles on organization members stored in D1.
Roles
| Role | Typical permissions |
|---|---|
| owner | Full org control, billing, delete org, manage all members |
| admin | Manage projects, alerts, settings, invite members |
| member | View dashboards, create saved views; limited admin actions |
Exact rules are enforced in the API worker (requireOrgAccess).
Managing members
- Open app.amlexia.com → Settings → Team
- View members (Clerk user IDs and roles)
- Change roles (owner/admin only)
New users join via Clerk organization invites — Amlexia provisions rows on first API access and via the Clerk webhook.
API
| Method | Path |
|---|---|
| GET | /api/team/members |
| PATCH | /api/team/members/:id (role) |
| DELETE | /api/team/members/:id |
Requires Authorization: Bearer <Clerk JWT> and active organization context.
SDK keys vs team access
- SDK keys are per-project ingest credentials — they do not grant dashboard login.
- Clerk JWT grants dashboard/API access — never embed in apps or mobile clients.
