# Team Management

> Invite team members, issue per-member workspace tokens, monitor per-user analytics, enforce seat limits, and revoke access — all without sharing API keys.

Aerostack workspaces are built for teams. Each member gets their own workspace token (`mwt_` prefix). You control who has access, monitor who calls what, and revoke individuals without touching production credentials.

---

## Inviting Team Members

There are two approaches to giving team members access:

| Approach | How it works | Best for |
|----------|-------------|----------|
| **Workspace tokens** | Issue a `mwt_` token per person. They add the gateway URL + token to their editor. | Most teams — fast, no Aerostack account required for members |
| **Team invites** | Invite members to your Aerostack team. They get their own dashboard access. | Teams that need members to manage their own workspaces |

### Workspace Tokens (Recommended)

Issue a named token for each team member. The token is the only credential they need.

```bash
# Issue tokens for your team
aerostack workspace token create engineering --name "Alice Chen"
# -> mwt_alice_xxxxxxxx

aerostack workspace token create engineering --name "Bob Singh"
# -> mwt_bob_xxxxxxxx

aerostack workspace token create engineering --name "Carol Wu"
# -> mwt_carol_xxxxxxxx
```

Tokens are shown once at creation. Store them securely and share them individually with each team member. If a token is lost, revoke it and create a new one.

Each member configures their editor with the same gateway URL and their personal token:

```json
{
  "mcpServers": {
    "engineering": {
      "url": "https://gateway.aerostack.dev/ws/engineering/sse",
      "headers": { "Authorization": "Bearer mwt_alice_xxxxxxxx" }
    }
  }
}
```

Every tool call is attributed to the token (and therefore the person). When you install a new MCP server, it appears for every member automatically.

### Team Invites

For members who need their own Aerostack dashboard access:

```bash
aerostack team invite alice@company.com
# -> Invitation sent. Alice will receive a join link via email.

aerostack team invite bob@company.com
# -> Invitation sent.

aerostack team list
# carol@company.com   active     2026-02-20
```

Or invite from the Admin dashboard: **Team** > **Invite Member**.

---

## Listing and Managing Tokens

### View all tokens

```bash
aerostack workspace token list engineering
# CI Pipeline      2026-02-15     5 min ago        active
```

### Revoke a token

When someone leaves the team or a token is compromised:

```bash
aerostack workspace token revoke engineering --name "Alice Chen"
# -> Token revoked. Alice's gateway access is immediately disabled.
```

The revocation is instant. Alice's next tool call will fail with `401 Unauthorized`. No API keys need to be rotated. No other team member is affected.

### Create a replacement token

```bash
aerostack workspace token create engineering --name "Alice Chen (new laptop)"
# -> mwt_alice_new_xxxxxxxx
```

---

## Per-User Analytics

Every tool call through the workspace gateway is logged with the token identity. View analytics per user, per tool, or per time period.

### Via CLI

```bash
# All usage for a workspace in the last 7 days
aerostack analytics --workspace engineering --period 7d

# Filter by user
aerostack analytics --workspace engineering --user "Alice Chen" --period 30d

# Filter by MCP server
aerostack analytics --workspace engineering --server github-mcp --period 7d

# Export as CSV
aerostack analytics --workspace engineering --period 30d --format csv > usage-report.csv
```

### Via Admin Dashboard

Navigate to **Workspaces** > **engineering** > **Analytics**.

The dashboard shows:

- Tool call volume over time (chart)
- Per-user breakdown
- Per-tool breakdown
- Error rates
- Latency percentiles

### Data Source

Analytics are powered by Cloudflare Analytics Engine, which means:

- Near-real-time data (seconds of delay)
- High cardinality — individual user + tool + timestamp granularity
- Retained for 90 days
- No impact on gateway performance (async write)

---

## Seat Limits

Workspace token limits depend on your plan:

| Plan | Workspace Tokens | Workspaces |
|------|-----------------|------------|
| Free | 3 | 1 |
| Pro | 25 | 5 |
| Team | 100 | 20 |
| Enterprise | Unlimited | Unlimited |

```bash
aerostack workspace token list engineering
# 4 of 25 tokens used (Pro plan)
```

Token limits are per workspace. If you need more tokens, upgrade your plan or create additional workspaces.

---

## Onboarding Script

Create a standard onboarding script for new team members:

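```bash
#!/bin/bash
# Usage: ./onboard.sh "Alice Chen"
set -euo pipefail

# Require the member's name so a token is never created with an empty name
NAME="${1:?usage: ./onboard.sh NAME}"

echo "Creating workspace token for $NAME..."
# The token is shown only once, at creation; stop if the CLI returned nothing
TOKEN=$(aerostack workspace token create engineering --name "$NAME" --output token)
if [ -z "$TOKEN" ]; then
  echo "Token creation failed for $NAME" >&2
  exit 1
fi

# The instructions below contain the token: share this output only with $NAME
echo ""
echo "=== Setup Instructions for $NAME ==="
echo ""
echo "1. Add this to your editor MCP config (Cursor, Claude Desktop, VS Code):"
echo "   Gateway URL: https://gateway.aerostack.dev/ws/engineering/sse"
echo "   Authorization: Bearer $TOKEN"
echo ""
echo "2. Restart your editor. The following tools are available:"
aerostack mcp list --workspace engineering --tools-only
echo ""
echo "3. Ask your AI assistant to try: List my open GitHub pull requests"
```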

---

## Offboarding

When a team member leaves:

1. **Revoke their workspace token**

   ```bash
   aerostack workspace token revoke engineering --name "Alice Chen"
   # -> Revoked. Immediate effect.
   ```

1. **Remove their team membership (if applicable)**

   ```bash
   aerostack team remove alice@company.com
   ```

1. **Verify**

   ```bash
   aerostack workspace token list engineering
   # Alice Chen should no longer appear (or show "revoked" status)
   ```

No API keys need to be rotated. No other team member is disrupted. The entire offboarding takes 30 seconds.
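The Verify step can be scripted. The following is an added example, not part of the Aerostack CLI or its documentation: it scans token-list output for any token that still belongs to the departing member, including replacements named like "Alice Chen (new laptop)" from earlier on this page. The column layout (name, created, last used, status, separated by two or more spaces) is an assumption based on the sample row shown above, and the function names and sample rows are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the Aerostack CLI.
# Assumption: token-list rows are NAME, CREATED, LAST USED, STATUS separated
# by two or more spaces, as in the sample row on this page.

# Print the name of every token belonging to member $1 that is not revoked.
# Reads token-list output on stdin. A token belongs to the member when its
# name equals the member's name or starts with it followed by a space.
live_tokens_for() {
  awk -v who="$1" -F '  +' '
    BEGIN { who = tolower(who) }
    {
      sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")   # trim, which re-splits fields
      if ($0 == "") next
      name = tolower($1)
      if (name != who && index(name, who " ") != 1) next
      # Fail closed: anything other than an explicit "revoked" counts as live
      if (tolower($NF) != "revoked") print $1
    }'
}

# Return non-zero and list the offending tokens if the member still has access.
verify_offboarded() {
  _live=$(live_tokens_for "$1")
  if [ -n "$_live" ]; then
    printf 'Tokens still live for %s:\n%s\n' "$1" "$_live" >&2
    return 1
  fi
  return 0
}

# Constructed sample rows (not real CLI output).
SAMPLE_LIST='Alice Chen               2026-01-10     3 days ago       revoked
Alice Chen (new laptop)  2026-02-01     2 hours ago      active
Bob Singh                2026-01-10     1 hour ago       active
CI Pipeline              2026-02-15     5 min ago        active'

# Demo on the sample; in real use pipe the CLI output instead:
#   aerostack workspace token list engineering | verify_offboarded "Alice Chen"
printf '%s\n' "$SAMPLE_LIST" | verify_offboarded "Alice Chen" || true
```

On the sample rows the check fails for Alice Chen because the replacement token is still active, which is the case a single revoke by name can leave behind.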

---

## Access Patterns

### Read-Only vs. Full Access

Create separate workspaces with different MCP server sets:

```bash
# Full access workspace (senior engineers)
aerostack workspace create eng-full
aerostack mcp install internal-api --workspace eng-full
aerostack mcp install database --workspace eng-full
aerostack mcp install deploy-pipeline --workspace eng-full

# Read-only workspace (junior engineers, contractors)
aerostack workspace create eng-readonly
aerostack mcp install internal-api --workspace eng-readonly
aerostack mcp install database --workspace eng-readonly
# deploy-pipeline NOT included
```

### Per-Project Workspaces

```bash
aerostack workspace create project-alpha
aerostack workspace create project-beta

# Each project gets only the MCP servers it needs
aerostack mcp install alpha-api --workspace project-alpha
aerostack mcp install beta-api --workspace project-beta
```

### Temporary Access

For contractors or short-term team members:

```bash
# Create token
aerostack workspace token create engineering --name "Contractor: Jane Doe"

# After the engagement ends
aerostack workspace token revoke engineering --name "Contractor: Jane Doe"
```

---

## Audit Log

View all administrative actions on a workspace:

```bash
aerostack workspace audit engineering
# 2026-03-17 11:15 UTC   admin@co.com     token_revoked: Alice Chen
```

---

## Next Steps

- [Secrets and security](/mcp/secrets-security) — how API keys are encrypted and injected
- [Proxy your existing MCP server](/mcp/proxy-existing) — the primary enterprise use case
- [Workspaces](/mcp/workspaces) — workspace management reference
