Organizations & Teams
tmam is built for collaboration. All observability data, prompts, guardrails, and API keys are organized within organizations. Each organization can have multiple team members with role-based access control.
Concepts
| Entity | Description |
|---|---|
| Organization | The top-level workspace. Owns all data, projects, and API keys. |
| Project | A sub-namespace within an organization. Traces and API keys are scoped to a project. |
| Member | A user who has been invited to and accepted a role in an organization. |
| Role | Controls what a member can do within the organization. |
Creating an Organization
- Sign in to the dashboard
- Go to Settings → Organizations
- Click New Organization
- Enter a name and optional description
You can create and manage multiple organizations from a single account. Each organization is fully isolated — its traces, prompts, guardrails, and API keys are not visible to other organizations.
Inviting Team Members
Only organization owners and admins can invite members.
- Go to Settings → Organizations and select your organization
- Click Add Member
- Enter the member's email address and select their role
- Click Send Invite
The invited user receives an automated email with their assigned role and the organization name. The email is sent via SendGrid (configured in server/src/.env).
What happens next
1. Invite sent → member receives invitation email
2. Member registers → appears as pending in your members list
3. Admin approves → member gains access to the organization
4. (Optional) Admin rejects → invite is declined
Members can also be added from the Notifications page — when a user is invited to an organization they don't have an account for yet, the invitation appears there after they sign up.
Member Roles
Roles determine what a member can do within an organization:
| Role | Permissions |
|---|---|
| Admin (full access) | Create/delete projects, manage members, manage API keys, create prompts, guardrails, and all settings |
| Member (limited access) | View data, run evaluations, use prompts — cannot modify org-level settings or manage other members |
Roles can be changed at any time by an admin from the Members list.
Managing Members
From Settings → Organizations → [Your Org] → Members:
- View all members — see join status, role, and when they joined
- Change role — promote or demote a member's access level
- Remove member — revoke access immediately
- Approve / Reject — review pending join requests
Membership States
A member's join lifecycle progresses through these states:
invited → (user registers) → pending → approved/rejected
↓
active ← → left
| State | Meaning |
|---|---|
| Invited | Email sent, user hasn't registered yet |
| Pending | User registered and awaiting admin approval |
| Approved / Active | Member has full access per their role |
| Rejected | Admin declined the join request |
| Left | Member left or was removed |
Projects
Every organization contains one or more projects. Projects are the observability namespace — API keys are scoped to a project, and all traces, metrics, prompts, and guardrails are associated with a specific project.
Creating a project
- Go to Settings → Organizations → [Your Org]
- Click New Project
- Enter a name and description
See Projects for more detail.
API Keys and Organizations
API keys are tied to both an organization and a project. When the SDK sends data using a key, tmam automatically attributes the traces to the correct org/project combination.
See API Keys for how to generate and manage them.
Example: Multi-Team Setup
Organization: "Acme AI"
├── Project: "Customer Support Bot"
│ ├── API Key: sk-tmam-... (production)
│ └── API Key: sk-tmam-... (staging)
├── Project: "Internal Research"
│ └── API Key: sk-tmam-...
│
Members:
├── alice@acme.com → Admin
├── bob@acme.com → Admin
├── carol@acme.com → Member
└── dave@acme.com → Member (pending approval)