Onboard a team
1. Create or join the org
A brand-new account with no org lands on a Welcome screen: create an org — pick its base currency now, it is permanent — or accept an invite. A platform admin can also create orgs from Operate ▸ Organizations.
2. Make a team
Operate ▸ Organizations ▸ Teams → New team (for example "Platform"). Optionally appoint a lead — the lead gets delegated authority to curate the team roster and set project budgets inside the team, without being an org admin.
3. Invite a teammate
Organizations ▸ Members → Invite by email, choosing a role at or below your own (see Roles & permissions). They receive an accept-link that becomes a membership — you never share credentials.
4. Issue a key for an application
Operate ▸ Virtual keys → Issue key. Place it in the team (a teamless org-level key needs budget authority), label it after the workload it identifies, and copy the secret now — it is shown once.
Or via the API:
curl -s -u admin:PASSWORD -X POST https://aam.example.com/admin/keys \
-H "Content-Type: application/json" \
-d '{"alias": "platform-chatbot", "ownerId": "ORG-UUID", "teamId": "TEAM-UUID"}'
Verify
Paste the key into Operate ▸ Playground, pick a model alias, and send a message. The Playground calls the real /v1 data plane, so a reply proves authentication, scope, and routing work end to end — and the call is already in Govern ▸ Audit & usage, attributed to the team.
Why it works
The key carries its scope chain from the moment it is issued, so every later control — budgets, rate limits, guardrails — already knows where it belongs. Onboarding order matters less than it seems: you can add caps and policies after traffic starts, and they apply immediately.
Next
- Enforce spend controls — put a cap on the new team before real traffic.
- Prevent PII & secret leaks — seed guardrails for the org.