Team Invitations
Invite and manage team members with secure invitation system
Team Invitations allow workspace administrators to invite new members to join their teams securely. The system provides comprehensive management tools for pending invitations with built-in security features.
Overview
The invitation system enables:
- Secure email-based invitations
- Role assignment during invitation
- Invitation expiration management
- Automatic token regeneration for security
- Full invitation lifecycle management
How Invitations Work
Invitation Lifecycle
- Send Invitation
- Admin enters email and selects role
- System generates unique invitation token
- Invitation email sent with secure link
- Invitation valid for 7 days
- Pending State
- Invitation appears in "Pending Invites" section
- Can be resent, edited, or removed
- Token ensures only invited user can accept
- Acceptance
- User clicks invitation link
- Completes account setup if new user
- Automatically added to team with assigned role
- Invitation removed from pending list
- Expiration
- Invitations expire after 7 days
- Expired invitations can be renewed
- Admin can resend to extend expiration
Managing Invitations
Send New Invitation
From your team's Members page:
- Click "Invite Members"
- Enter email address
- Select role (Owner, Manager, Member, or Read-only)
- Click "Send Invitations"
Note: You can invite multiple people at once by adding more email entries.
Resend Invitation
Use this when someone didn't receive the invitation email:
- Find invitation in "Pending Invites" table
- Click the three-dot menu (⋮)
- Select "Resend Invitation"
- Confirm the action
What happens:
- New unique token generated (old link invalidated)
- Expiration extended by 7 days from now
- Fresh invitation email sent
- Only the new link will work
Security Note: Resending an invitation invalidates the previous invitation link for security purposes.
Edit Role
Change the role before the invitation is accepted:
- Find invitation in "Pending Invites" table
- Click the three-dot menu (⋮)
- Select "Edit Role"
- Choose new role
- Click "Update"
Renew Invitation
Extend the expiration date for an invitation:
- Find invitation in "Pending Invites" table
- Click the three-dot menu (⋮)
- Select "Renew Invitation"
What happens:
- Expiration extended by 7 days
- Token remains the same (existing link still works)
- No new email sent
When to use: When invitation has expired but user already has the email.
Delete Invitation
Remove a pending invitation:
- Find invitation in "Pending Invites" table
- Click the three-dot menu (⋮)
- Select "Delete"
- Confirm the action
What happens:
- Invitation permanently removed
- Invitation link becomes invalid
- User cannot accept the invitation anymore
Invitation Security
Token Security
Each invitation includes a unique, secure token that:
- Is cryptographically generated
- Links to specific email address
- Expires after 7 days
- Gets regenerated when resent (invalidating old token)
- Cannot be reused or transferred
Email Verification
- Invitation links are sent to specific email addresses
- Only the invited email can accept the invitation
- Email validation occurs during acceptance
- Prevents unauthorized access to teams
Expiration Management
Invitations automatically expire to ensure security:
- Default: 7 days from creation
- After Resend: 7 days from resend time
- After Renewal: 7 days from renewal time
Expired invitations can be:
- Renewed (extends by 7 days, keeps token)
- Resent (new token, extends by 7 days)
- Deleted (removes invitation)
Data Schema
Invitation Fields
| Field | Description |
|---|---|
| Recipient's email address | |
| Role | Assigned role (Owner, Manager, Member, Read-only) |
| Status | Pending, Accepted, or Expired |
| Token | Unique secure invitation token |
| Expires At | When invitation becomes invalid |
| Invited By | Admin who sent the invitation |
| Created At | When invitation was first sent |
Roles & Permissions
Who Can Manage Invitations
| Action | Owner | Manager | Member | Read-only |
|---|---|---|---|---|
| Send Invitations | ✅ | ✅ | ❌ | ❌ |
| Resend Invitations | ✅ | ✅ | ❌ | ❌ |
| Edit Role | ✅ | ✅* | ❌ | ❌ |
| Renew Invitations | ✅ | ✅ | ❌ | ❌ |
| Delete Invitations | ✅ | ✅* | ❌ | ❌ |
*Managers can only edit/delete invitations for roles equal to or below their level.
Role Assignment
When inviting members, you can assign:
- Owner - Full control including billing and deletion
- Manager - Manage team and projects (cannot delete team)
- Member - Work on assigned projects
- Read-only - View-only access to team resources
Troubleshooting
User Didn't Receive Invitation
Solutions:
- Check spam/junk folder
- Verify email address is correct
- Resend the invitation (generates new link)
- Check if invitation expired
Invitation Link Doesn't Work
Common Causes:
- Invitation was resent (old link invalidated)
- Invitation expired (after 7 days)
- Invitation was deleted by admin
- Token already used
Solutions:
- Request admin to resend invitation
- Check for newer invitation email
- Contact team administrator
Can't Accept Invitation
Requirements to accept:
- Must use the exact email address invited
- Invitation must not be expired
- Must have valid invitation token
- User account must match invited email
Multiple Invitations Received
If you receive multiple invitation emails:
- Only the most recent invitation is valid
- Old invitation links are automatically invalidated
- Use the latest email you received
Best Practices
For Administrators
- Double-check email addresses before sending invitations
- Assign appropriate roles based on user responsibilities
- Monitor pending invitations regularly
- Clean up expired invitations to keep the list manageable
- Resend rather than create new if user didn't receive email
- Document team access policies for consistency
For Invited Users
- Accept invitations promptly (before 7-day expiration)
- Check spam folder if you don't see the email
- Use the most recent invitation link if you received multiple
- Contact admin if issues rather than waiting for expiration
- Complete profile setup when accepting invitation
Security Features
Token Regeneration
When resending an invitation:
- ✅ New cryptographic token generated
- ✅ Old invitation link immediately invalidated
- ✅ Prevents use of compromised links
- ✅ Fresh 7-day expiration window
Audit Trail
All invitation actions are logged:
- Who sent the invitation
- When it was sent/resent/renewed
- Role changes
- Token regeneration events
- Acceptance or deletion
Access Control
The invitation system enforces:
- Role-based permissions for managing invitations
- Email verification during acceptance
- Token validation on every use
- Expiration checking
- Single-use token consumption
Related Topics: