Teams & Access Control
Ephos allows organizations to securely manage non-human identities across teams, agents, and autonomous workflows without exposing shared credentials or sacrificing developer autonomy.
Organizational Identity Model
When you create an Organization in Ephos, Phantom Keys, Ephos Tokens, audit logs, and runtime permissions are tied to the organization's security boundary rather than a single personal account.
Org Admins
Phantom Keys / Ephos Tokens
- View all Phantom Keys and Ephos Tokens added to the organization by any member.
- Generate shared or member-assigned Ephos Tokens for agents, developers, and workflows.
- Rotate, revoke, purge, or freeze delegated identities at any time.
- Apply organization-wide security freeze or unfreeze controls across org vaults.
- Configure service scopes, permitted domains, and expiration windows.
- Remove members and immediately purge credentials shared with them.
Forensic Audit Logs
- View all organizational activity.
- Inspect every proxied request and administrative action.
- Export immutable forensic audit logs at any time.
- Trace activity by acting user and Ephos Token ID.
Org Members
Phantom Keys / Ephos Tokens
- View and use globally shared identities created by an Admin.
- View, access, rotate, or revoke identities assigned directly to them.
- Add member-owned identities within the organization boundary.
- Assigned token visibility is privacy-gated and scoped per member.
- All member identity actions appear in forensic audit logs.
Forensic Audit Logs
- View only their own activity and assigned token execution history.
- Cannot export organization-wide audit logs.
- Unauthorized retrieval attempts trigger ACCESS_RESTRICTED enforcement.
Adding Members & Organization Limits
Depending on your subscription tier, you can invite additional members to your organization:
- Free Tier: Solo workspace only
- Plus Tier: Up to 3 members
- Pro Tier: Up to 10 members
Organizational Billing
Paid subscriptions are Organization-exclusive. You must create an Organization to upgrade your usage limits and manage team access.
Members can be managed directly from the Subscription & Usage section of your dashboard settings. From there, you can send invites, manage roles, remove users, and control organization-level access.
Zero-Knowledge Backups, Sharing & Rotation
Organization identities are secured by the shared Organization Passphrase while preserving Ephos' zero-knowledge posture across the team lifecycle.
- Cryptographic Handshake: When a member joins the organization, the admin's browser wraps the Organization Master Passphrase using the member's personal derived passphrase and stores the encrypted payload. When the member logs in, their browser unwraps the shared passphrase locally after verification.
- Persistent Backups: Encrypted identity secrets are backed up using the Organization Master Passphrase, enabling recovery without server-side plaintext access.
- Dual-Tier Rotation: Admins can rotate master Phantom Keys and organization vault material. Members can rotate their own assigned Ephos Tokens. Token rotation preserves scopes, permitted domains, assignments, and metadata.
- Ownership Transfer: Admins can execute secure cryptographic handovers directly from dashboard settings.
Token Scoping & Entitlements
When issuing an Ephos Token to a team member or agent, Admins define precise runtime boundaries:
- Service Scopes: Lock tokens to specific target services, preventing access to unauthorized credentials within the organization vault.
- Permitted Domains: Restrict outbound proxy execution to approved external hostnames, such as api.openai.com.
- Time-Based Expiration: Assign an explicit expiresAt timestamp to automatically invalidate delegated agent access without manual revocation.