Organizations & scopes
Agent Access Manager is multi-tenant. The unit of tenancy is the organization; inside it you carve out teams and projects. Almost every control in the product — a virtual key, a budget, a rate limit, a guardrail policy — attaches to one of these, so read this page once and every other page makes sense.
The three entities
- Organization — the hard tenant boundary. An org's catalog, budgets, guardrails, keys, audit trail, and spend are its own and never shared with another org. Each org has one base currency (default USD, permanent once chosen) that all its pricing, budgets, and spend are denominated in, so totals add up without conversion.
- Team — groups people and work inside an org. A team can have a lead, who gets a delegated slice of authority (for example, setting a project budget within their own team) without being an org admin.
- Project — the finest grouping, used to attribute keys, spend, and limits to a piece of work.
A person has one account in one org. A brand-new user with no org lands on an onboarding screen to create or join one.
The four scope levels
| Scope level | What it means | Example |
|---|---|---|
ORG | The whole organization | "Acme can spend $5,000/month total" |
TEAM | One team in the org | "Data Science is capped at 2M tokens/day" |
PROJECT | One project in a team | "The research project gets 60 requests/min" |
KEY | A single virtual key | "This one key may not exceed $50/day" |
The scope chain
When a request arrives, the gateway looks at the calling key and builds its scope chain: the key itself, plus whichever of project, team, and org it belongs to. A key always belongs to an org; team and project are optional and fixed when the key is issued.
KEY (this request) → PROJECT (if set) → TEAM (if set) → ORG (always)
Two rules govern how controls resolve along the chain:
- Budgets and rate limits are enforced at every level at once. A call charged to a key also counts against that key's project, team, and org. The request is allowed only if it passes at all present levels — an org monthly cap, a team daily cap, and a key hourly cap can all be in force on the same request, and the tightest one wins.
- Guardrail policies resolve most-specific-first. The narrowest scope that has a policy for a matched content category decides the action, so a team can tighten what the org sets.
This is why you can hand a team lead a key and trust it cannot blow the org budget: the org cap still applies on top of anything set lower down.
Managing organizations
Dashboard: Operate ▸ Organizations. API: /admin/orgs, /admin/teams, /admin/projects (see Admin API).
- Orgs and teams — create and rename teams, archive them, or hard-delete (platform admin, only when empty).
- Members — see everyone, change roles (only to a role below your own), remove people.
- Invitations — invite by email; the accept-link becomes a membership, so credentials are never shared.
- Team membership — assign members into teams and appoint a lead.
Anywhere you select an org, team, or project, the dashboard uses a searchable name picker — you never type a UUID.
Related pages
- Roles & permissions — who may do what inside the org.
- Virtual keys — how keys carry their scope chain.
- Budgets & rate limits — chain-wide enforcement in practice.