Workspace roles & sharing
How team collaboration works in Agent A: free seats for everyone you invite, four roles that decide who can do what, and the patterns for sharing work internally or externally.
Built for team collaboration
A workspace can be a solo space or a shared one. Same $99/month subscription either way. Agent A is designed to be used by a whole team, not just one person:
- Invite your entire team at no extra cost. User seats are free, regardless of role. Owners, admins, members, and viewers all share the same $99/month subscription.
- Share dashboards and tools internally. Every Console page the agent builds is available to all your team members the moment it ships. There is no per-app licensing, no separate publish step for internal use.
- Share work externally when you want to. Public-site pages, token-gated reports, and guest invite links let you push specific outputs to clients, prospects, or stakeholders without giving them a workspace seat.
- One identity model end to end. The agent always knows who is acting (member in chat, member in the Console, anonymous visitor or invited guest on the public site) and gates work accordingly.
The rest of this page covers the roles themselves, the permission matrix, and how to actually invite people.
The four roles
- Owner. Full control. Approves connector and infrastructure requests, manages secrets, toggles the public site mode, changes billing, can promote and demote any other member. Every workspace has at least one owner.
- Admin. Same as owner except cannot transfer org-level ownership. Decides approval cards day to day. Manages secrets. Most workspaces grant Admin to the 1-2 people who run things alongside the Owner.
- Member. Chats with the agent, uses Console pages, invokes connectors that have already been approved, builds new apps and jobs. Cannot approve new connectors or rotate secrets.
- Viewer. Read-only access to the Console. Useful for stakeholders who want to see dashboards but should never trigger work or change settings.
What each role can do
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Chat with Agent A | y | y | y | |
| Use Console pages built by the agent | y | y | y | y |
| Invoke an already-approved connector | y | y | y | |
| Approve a new connector or secret | y | y | ||
| Install a Python package, allow a new domain | y | y | ||
| Toggle public site mode (off / authorized / open) | y | y | ||
| Manage billing and the subscription | y | |||
| Invite new members and change roles | y | y | ||
| Transfer org ownership | y |
How to add teammates
Invite from the Members page in your workspace. Pick a role at invite time; you can change it later. Invited people sign in with their own Letaido account; you do not share credentials.
There is no per-seat charge. The $99/month subscription includes unlimited members at any role.
Sharing a workspace with a guest
For someone who needs to see a single Console page or a public-site report but should not become a full member, use a guest invite link instead. The agent generates token-gated URLs that grant read-only access to one specific page, no Letaido account required.
This is the right pattern for sharing a client report, a one-off dashboard, or a draft a stakeholder needs to review.
How the agent knows who is acting
Every action Agent A takes is tied to an identity:
- In chat, that is your workspace login.
- In the Console, the page reads the signed-in member from headers nginx injects.
- On the public site, anonymous visitors get a session cookie; invited guests get a separate token-tied cookie. The agent treats these very differently from members.
This is why role-based gating works end to end: a Console page can refuse a write coming from a Viewer, a public-site form can refuse anonymous submissions, and the agent will not approve infrastructure requests from anyone but Owner or Admin.
FAQ
Can two workspaces share data? No. Workspaces are isolated at the OS, database, and secret-store level. If two teams need to collaborate on the same data, they should share one workspace and use roles to scope access.
What happens to data when a member is removed? Their access is revoked immediately. Work they produced (Console apps, jobs, files, chat history) stays in the workspace.
Can I have multiple Owners? Yes. Granting Owner to a co-founder is the safest way to make sure nobody loses access if one person becomes unreachable.
Does the Viewer role count against any quota? No quota. Viewers are free, same as every other role.