Roles
Roles control what a signed-in team member can do inside one organisation.
They do not change how MCP clients authenticate to the proxy. MCP clients use grant tokens; team members use roles.
Which role to use
- admin: for people who set up servers, connect upstream credentials, mint or rotate grant tokens, manage teammates, and read the admin audit log.
- policy_manager: for people who write policies and attach them to existing grants, without access to upstream credentials or grant tokens.
- viewer: for people who need read-only access to servers, policies, grant labels, and proxy logs.
Each role includes the permissions below it. An admin can do everything a policy_manager and viewer can do.
Capability matrix
| Capability | admin | policy_manager | viewer |
|---|---|---|---|
| View servers, policies, grant labels, and proxy logs | Yes | Yes | Yes |
| Create, edit, and delete policies | Yes | Yes | No |
| Attach or detach policies on existing grants | Yes | Yes | No |
| Mint, rotate, reveal, or revoke grants | Yes | No | No |
| Edit upstream URL, OAuth, or static headers | Yes | No | No |
| Create or delete servers | Yes | No | No |
| Invite members, remove members, or change roles | Yes | No | No |
| View the admin audit log | Yes | No | No |
Policy managers
policy_manager is the role for security, compliance, and operations teammates who should control behaviour without handling secrets.
A policy manager can change what an existing grant is allowed to do by editing policies or attaching a different policy to the grant. They cannot create, reveal, rotate, or revoke grants, edit upstream credentials, or create servers.
Visibility
Roles are organisation-scoped, not server-scoped. Every member of an organisation can see every server in that organisation.
That means a viewer can inspect server names, upstream and proxy URLs, policy names, grant labels, and proxy log metadata. They cannot change them, and they cannot reveal tokens or upstream credentials.
Offboarding
Removing a user from an organisation removes their dashboard access.
Grants they minted keep working until an admin revokes or rotates them. Include grant review in your offboarding workflow, especially for personal laptops, local agents, and CI runners.
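The following is an added model of the rules on this page, written for this note and not the proxy's own code: the capability matrix and role hierarchy drive dashboard authorisation, while grant tokens authenticate MCP clients independently of membership, so removing a member leaves their grants valid until an admin revokes them. The class and capability names (Organisation, Grant, manage_grants, and so on) are assumptions chosen for the example, and the grant token is a constructed placeholder.

```python
from dataclasses import dataclass, field

# Role hierarchy from the capability matrix: each role includes the roles below it.
ROLE_RANK = {"viewer": 0, "policy_manager": 1, "admin": 2}

# Minimum role required for each capability, one entry per matrix row (names assumed).
REQUIRED_ROLE = {
    "view": "viewer",
    "edit_policy": "policy_manager", "attach_policy": "policy_manager",
    "manage_grants": "admin", "edit_upstream": "admin",
    "manage_servers": "admin", "manage_members": "admin", "view_audit_log": "admin",
}

@dataclass
class Grant:
    label: str
    token: str           # constructed placeholder, not a real grant token
    minted_by: str
    revoked: bool = False

@dataclass
class Organisation:
    members: dict = field(default_factory=dict)   # user -> role
    grants: list = field(default_factory=list)

    def can(self, user, capability):
        """Dashboard path: the user must be a member whose role ranks high enough."""
        role = self.members.get(user)
        if role is None:
            return False
        return ROLE_RANK[role] >= ROLE_RANK[REQUIRED_ROLE[capability]]

    def remove_member(self, user):
        """Offboarding removes dashboard access only; grants are left untouched."""
        self.members.pop(user, None)

    def token_is_valid(self, token):
        """MCP-client path: a grant token authenticates regardless of who minted it."""
        return any(g.token == token and not g.revoked for g in self.grants)

    def orphaned_grants(self):
        """Active grants minted by people who are no longer members: the review list."""
        return [g for g in self.grants if not g.revoked and g.minted_by not in self.members]

    def revoke(self, actor, grant):
        """Only admins may revoke; a policy_manager is refused per the matrix."""
        if not self.can(actor, "manage_grants"):
            raise PermissionError(f"{actor} cannot revoke grants")
        grant.revoked = True
```

Running orphaned_grants() after each removal gives the offboarding review list the section above recommends.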