Team Management

Aerostack workspaces are built for teams. Each member gets their own workspace token (mwt_ prefix). You control who has access, monitor who calls what, and revoke individuals without touching production credentials.

Inviting Team Members

There are two approaches to giving team members access:

Approach	How it works	Best for
Workspace tokens	Issue a `mwt_` token per person. They add the gateway URL + token to their editor.	Most teams — fast, no Aerostack account required for members
Team invites	Invite members to your Aerostack team. They get their own dashboard access.	Teams that need members to manage their own workspaces

Workspace Tokens (Recommended)

Issue a named token for each team member. The token is the only credential they need.

# Issue tokens for your team
aerostack workspace token create engineering --name "Alice Chen"
# -> mwt_alice_xxxxxxxx

aerostack workspace token create engineering --name "Bob Singh"
# -> mwt_bob_xxxxxxxx

aerostack workspace token create engineering --name "Carol Wu"
# -> mwt_carol_xxxxxxxx

Each member configures their editor with the same gateway URL and their personal token:

{
  "mcpServers": {
    "engineering": {
      "url": "https://gateway.aerostack.dev/ws/engineering/sse",
      "headers": { "Authorization": "Bearer mwt_alice_xxxxxxxx" }
    }
  }
}

Every tool call is attributed to the token (and therefore the person). When you install a new MCP server, it appears for every member automatically.

Team Invites

For members who need their own Aerostack dashboard access:

aerostack team invite alice@company.com
# -> Invitation sent. Alice will receive a join link via email.

aerostack team invite bob@company.com
# -> Invitation sent.

aerostack team list
# MEMBER              STATUS     JOINED
# alice@company.com   active     2026-03-01
# bob@company.com     pending    2026-03-15
# carol@company.com   active     2026-02-20

Or invite from the Admin dashboard: Team > Invite Member.

Listing and Managing Tokens

View all tokens

aerostack workspace token list engineering
# TOKEN NAME       CREATED        LAST USED        STATUS
# Alice Chen       2026-03-01     2 min ago        active
# Bob Singh        2026-03-02     1 hr ago         active
# Carol Wu         2026-03-10     3 days ago       active
# CI Pipeline      2026-02-15     5 min ago        active

Revoke a token

When someone leaves the team or a token is compromised:

aerostack workspace token revoke engineering --name "Alice Chen"
# -> Token revoked. Alice's gateway access is immediately disabled.

The revocation is instant. Alice’s next tool call will fail with 401 Unauthorized. No API keys need to be rotated. No other team member is affected.

Create a replacement token

aerostack workspace token create engineering --name "Alice Chen (new laptop)"
# -> mwt_alice_new_xxxxxxxx

Per-User Analytics

Every tool call through the workspace gateway is logged with the token identity. View analytics per user, per tool, or per time period.

Via CLI

# All usage for a workspace in the last 7 days
aerostack analytics --workspace engineering --period 7d
# USER           TOOL                         CALLS    ERRORS   LAST CALL
# Alice Chen     github__create_issue         42       0        2 min ago
# Alice Chen     github__list_pull_requests   128      2        5 min ago
# Bob Singh      slack__send_message          67       0        1 hr ago
# Carol Wu       deploy__trigger_deploy       12       1        3 days ago
# CI Pipeline    github__create_issue         340      0        5 min ago

# Filter by user
aerostack analytics --workspace engineering --user "Alice Chen" --period 30d

# Filter by MCP server
aerostack analytics --workspace engineering --server github-mcp --period 7d

# Export as CSV
aerostack analytics --workspace engineering --period 30d --format csv > usage-report.csv

Via Admin Dashboard

Navigate to Workspaces > engineering > Analytics.

The dashboard shows:

Tool call volume over time (chart)
Per-user breakdown
Per-tool breakdown
Error rates
Latency percentiles

Data Source

Analytics are powered by Cloudflare Analytics Engine, which means:

Near-real-time data (seconds of delay)
High cardinality — individual user + tool + timestamp granularity
Retained for 90 days
No impact on gateway performance (async write)

Seat Limits

Workspace token limits depend on your plan:

Plan	Workspace Tokens	Workspaces
Free	3	1
Pro	25	5
Team	100	20
Enterprise	Unlimited	Unlimited

aerostack workspace token list engineering
# 4 of 25 tokens used (Pro plan)

Onboarding Script

Create a standard onboarding script for new team members:

#!/bin/bash
# onboard.sh — Run this for each new team member
# Usage: ./onboard.sh "Alice Chen"

NAME="$1"

echo "Creating workspace token for $NAME..."
TOKEN=$(aerostack workspace token create engineering --name "$NAME" --output token)

echo ""
echo "=== Setup Instructions for $NAME ==="
echo ""
echo "1. Add this to your editor MCP config (Cursor, Claude Desktop, VS Code):"
echo "   Gateway URL: https://gateway.aerostack.dev/ws/engineering/sse"
echo "   Authorization: Bearer $TOKEN"
echo ""
echo "2. Restart your editor. The following tools are available:"
aerostack mcp list --workspace engineering --tools-only
echo ""
echo "3. Ask your AI assistant to try: List my open GitHub pull requests"

Offboarding

When a team member leaves:

Revoke their workspace token

aerostack workspace token revoke engineering --name "Alice Chen"
# -> Revoked. Immediate effect.

Remove their team membership (if applicable)
Terminal window
```
aerostack team remove alice@company.com
```

Verify

aerostack workspace token list engineering
# Alice Chen should no longer appear (or show "revoked" status)

No API keys need to be rotated. No other team member is disrupted. The entire offboarding takes 30 seconds.

Access Patterns

Read-Only vs. Full Access

Create separate workspaces with different MCP server sets:

# Full access workspace (senior engineers)
aerostack workspace create eng-full
aerostack mcp install internal-api --workspace eng-full
aerostack mcp install database --workspace eng-full
aerostack mcp install deploy-pipeline --workspace eng-full

# Read-only workspace (junior engineers, contractors)
aerostack workspace create eng-readonly
aerostack mcp install internal-api --workspace eng-readonly
aerostack mcp install database --workspace eng-readonly
# deploy-pipeline NOT included

Per-Project Workspaces

aerostack workspace create project-alpha
aerostack workspace create project-beta

# Each project gets only the MCP servers it needs
aerostack mcp install alpha-api --workspace project-alpha
aerostack mcp install beta-api --workspace project-beta

Temporary Access

For contractors or short-term team members:

# Create token
aerostack workspace token create engineering --name "Contractor: Jane Doe"

# After the engagement ends
aerostack workspace token revoke engineering --name "Contractor: Jane Doe"

Audit Log

View all administrative actions on a workspace:

aerostack workspace audit engineering
# DATE                   USER              ACTION
# 2026-03-15 14:32 UTC   admin@co.com     token_created: Alice Chen
# 2026-03-15 14:33 UTC   admin@co.com     token_created: Bob Singh
# 2026-03-15 14:35 UTC   admin@co.com     mcp_installed: github-mcp
# 2026-03-16 09:00 UTC   admin@co.com     secret_updated: github-mcp/GITHUB_TOKEN
# 2026-03-17 11:15 UTC   admin@co.com     token_revoked: Alice Chen

Next Steps

Secrets and security — how API keys are encrypted and injected
Proxy your existing MCP server — the primary enterprise use case
Workspaces — workspace management reference