Team Management and RBAC

AI governance is not a solo activity. In any organization running AI agents in production, multiple people are involved: engineers building and deploying agents, security teams reviewing policies, managers monitoring costs, and on-call staff responding to alerts and approving requests. Each person needs access to the governance platform, but not necessarily the same level of access.

Govyn provides multi-user team management with role-based access control (RBAC) built on Clerk. Every team operates within an organization boundary. Data is isolated at the database level. Roles control what each team member can see and do. Billing is per-organization. The result is a governance platform that scales from a solo developer to a hundred-person team without compromising security or creating access confusion.


Organization-level isolation

Every team in Govyn operates within its own organization. An organization is the top-level boundary for all data, configuration, and billing. When you sign up for Govyn, a Clerk organization is created for you. Everything you configure — agents, policies, API keys, alert rules, approval workflows — belongs to that organization and is invisible to every other organization on the platform.

Organization isolation is not a feature flag or an application-level filter. It is enforced at the database schema level. Every table that stores tenant data includes an org_id column. Every query filters by org_id. There is no API endpoint, no dashboard view, and no administrative backdoor that can retrieve data from another organization. This is the same isolation model used by enterprise SaaS platforms that handle sensitive data.

The practical effect is simple: when you look at your dashboard, you see only your agents, your policies, your logs, and your costs. Your data does not appear in anyone else's dashboard. Their data does not appear in yours. There is no "shared" tier, no multi-tenant data mixing, and no risk of accidental cross-organization exposure.


Roles and permissions

Govyn uses Clerk's organization roles to control what each team member can access. Roles are assigned per organization — a person can be an Admin in one organization and a Viewer in another. Permissions are evaluated on every API request and every dashboard page load.

Admin

Admins have full access to everything within their organization. They can manage team members (invite, remove, change roles), manage billing (upgrade, downgrade, view invoices), configure all settings (alert rules, API targets, proxy configuration), create and modify policies, approve or deny requests in the approval queue, view all logs and metrics, and generate or revoke API keys. The person who creates the organization is automatically assigned the Admin role.

Member

Members can manage the operational aspects of the governance platform without access to billing or team management. Members can create and configure agents, create and modify policies, approve or deny requests in the approval queue, view logs and metrics, generate API keys for their own use, and configure alert rules. Members cannot invite or remove team members, change roles, or access billing settings.

Viewer

Viewers have read-only access to the dashboard, logs, and metrics. They can see agent activity, cost breakdowns, policy configurations, and approval history, but they cannot modify anything. The Viewer role is designed for stakeholders who need visibility into AI agent operations without the ability to change configurations — managers reviewing costs, compliance officers auditing policies, or executives monitoring overall agent activity.


Inviting team members

Adding someone to your Govyn organization takes less than a minute. The invitation flow is handled by Clerk and integrated directly into the Govyn dashboard.

  1. Open organization settings — in the Govyn dashboard, navigate to your organization settings. This is powered by Clerk's organization management UI.
  2. Click Invite Member — enter the email address of the person you want to invite.
  3. Assign a role — select Admin, Member, or Viewer. You can change this later.
  4. Send the invitation — Clerk sends an email with a link to join the organization.
  5. Invitee accepts — the invitee clicks the link, creates a Clerk account if they do not have one, and joins the organization. Access is granted immediately at the assigned role level.

Invitations can be revoked before they are accepted. Team members can be removed at any time by an Admin. When a member is removed, their access to the organization's resources is revoked immediately — there is no grace period and no residual access.


Authentication

Govyn's authentication is powered entirely by Clerk. Clerk handles user registration, login, session management, and JWT token issuance. Govyn never stores passwords, never manages sessions directly, and never implements its own authentication logic.

Supported authentication methods (as listed in the FAQ below):

  - Email and password
  - Google OAuth
  - GitHub OAuth
  - SAML SSO (Enterprise plan)

Every API request to the Govyn backend includes a JWT bearer token issued by Clerk. The backend validates the token signature, extracts the user identity and organization membership, and authorizes the request based on the user's role. Expired tokens are rejected. Invalid tokens are rejected. There is no API key fallback for human users — only JWT-authenticated sessions.


Per-org resource isolation

Organization isolation goes beyond access control. Every resource in Govyn is scoped to an organization at the data layer. Here is what is isolated (the resources named elsewhere on this page):

  - Agents
  - Policies
  - API keys and API targets
  - Alert rules
  - Approval workflows and approval history
  - Logs and metrics
  - Billing records

This isolation is enforced by the Prisma schema and the API middleware. Every authenticated request resolves the user's Clerk organization ID to an internal organization ID, and every database query includes that organization ID as a filter. There is no global admin mode, no cross-org query capability, and no way to bypass the org scope.
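The following added TypeScript example illustrates both the role model from the "Roles and permissions" section and the org-scoped data access described just above. It is not Govyn's code: the in-memory arrays stand in for Prisma-backed tables, and the membership data, policy rows, action names and function names are all constructed for the illustration. The design point is that the organization filter is taken from the verified request context and applied inside the only data-access handle that exists, so a cross-org read cannot even be expressed by a caller, and the role check sits in the same handle.

```typescript
// Added example (not Govyn's code): role permissions plus an org-scoped repository.
type Role = "admin" | "member" | "viewer";
type Action =
  | "policy:write"
  | "approval:decide"
  | "apikey:create"
  | "log:read"
  | "team:manage"
  | "billing:manage";

// Permission matrix derived from the three role descriptions on this page.
const PERMISSIONS: Record<Role, ReadonlySet<Action>> = {
  admin: new Set<Action>(["policy:write", "approval:decide", "apikey:create", "log:read", "team:manage", "billing:manage"]),
  member: new Set<Action>(["policy:write", "approval:decide", "apikey:create", "log:read"]),
  viewer: new Set<Action>(["log:read"]),
};

export function can(role: Role, action: Action): boolean {
  return PERMISSIONS[role].has(action);
}

// Per-organization membership (constructed sample): the same user holds different roles in different orgs.
const MEMBERSHIPS: Record<string, Record<string, Role>> = {
  user_alice: { org_acme: "admin", org_beta: "viewer" },
  user_bob: { org_acme: "member" },
};

export type AuthContext = { userId: string; orgId: string; role: Role };

// Resolve the caller's role in the org they are acting in. No membership means no context at all,
// so a request for an org the user does not belong to never reaches a query.
export function resolveContext(userId: string, orgId: string): AuthContext | null {
  const role = MEMBERSHIPS[userId]?.[orgId];
  return role ? { userId, orgId, role } : null;
}

type Policy = { id: string; orgId: string; name: string };

// Constructed sample rows; every row carries its org id, mirroring an org_id column.
const POLICIES: Policy[] = [
  { id: "pol_1", orgId: "org_acme", name: "block-prod-deletes" },
  { id: "pol_2", orgId: "org_beta", name: "cap-daily-spend" },
];

// The only way to reach policy rows. The org filter comes from the verified context,
// never from a client-supplied parameter, and writes are gated by the role matrix.
export function scopedPolicies(ctx: AuthContext) {
  return {
    list: (): Policy[] => POLICIES.filter((p) => p.orgId === ctx.orgId),
    get: (id: string): Policy | null =>
      POLICIES.find((p) => p.id === id && p.orgId === ctx.orgId) ?? null,
    create: (name: string): Policy => {
      if (!can(ctx.role, "policy:write")) {
        throw new Error(`forbidden: role ${ctx.role} cannot policy:write`);
      }
      const row: Policy = { id: `pol_${POLICIES.length + 1}`, orgId: ctx.orgId, name };
      POLICIES.push(row);
      return row;
    },
  };
}
```

With Prisma the same shape is a thin wrapper whose every `findMany`/`findFirst` call merges `{ orgId: ctx.orgId }` into `where`, so that the raw client is never handed to request handlers.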


Billing per organization

Each Govyn organization has its own Stripe subscription. Billing is completely independent between organizations. One organization can be on the Starter plan while another is on the Enterprise plan. Plan limits are enforced per organization:

  - Agent limits
  - Log retention period
  - Feature availability

Plan changes are managed through the Settings page in the dashboard. Clicking "Manage Billing" opens the Stripe Billing Portal, where you can upgrade, downgrade, update payment methods, and view invoices. Plan changes take effect immediately — upgrading unlocks features instantly, and downgrading adjusts limits at the end of the current billing period.


Audit trail

Govyn maintains a comprehensive audit trail of every significant action within an organization. The audit trail is not just for compliance checkboxes — it is a practical tool for understanding what happened, who did it, and when.

Actions recorded in the audit trail include:

  - Policy changes
  - Agent configuration changes
  - API key generation and revocation
  - Approval decisions
  - Alert rule changes
  - Team membership changes
  - Billing modifications

Each entry records who performed the action, what changed, and when. The audit trail is available in the dashboard and is retained according to your plan's log retention period. Team plans include a full audit trail with 30-day retention. Enterprise plans offer extended retention suitable for compliance requirements in regulated industries.


SSO and SCIM

Enterprise organizations need centralized identity management. Govyn's Enterprise plan includes SAML SSO and SCIM provisioning through Clerk's enterprise features.

SAML SSO

SAML SSO allows your team to authenticate using your existing identity provider. Supported providers include Okta, Azure Active Directory, OneLogin, PingFederate, and any SAML 2.0-compliant IdP. When SSO is configured, team members sign in through your IdP's login page. Your organization's authentication policies — password complexity, multi-factor authentication, session timeouts, IP restrictions — are enforced automatically without any configuration in Govyn.

SSO eliminates password sprawl. Your team does not need to create and remember another set of credentials. When you enforce MFA in your IdP, every Govyn login requires MFA. When you set a session timeout, Govyn sessions expire on the same schedule. One policy, everywhere.

SCIM provisioning

SCIM (System for Cross-domain Identity Management) automates user lifecycle management. When you add a new employee in your identity provider and assign them to the Govyn application, SCIM automatically creates their Govyn account and adds them to the correct organization with the appropriate role. When an employee is offboarded — deactivated in your IdP — SCIM immediately deactivates their Govyn account and revokes all access.

Without SCIM, offboarding requires manual cleanup: someone has to remember to remove the departing employee from every SaaS tool. SCIM eliminates that gap. The moment an account is deactivated in your IdP, access is revoked across every SCIM-connected service, including Govyn. No orphaned accounts. No residual access. No security gaps during employee transitions.
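The deprovisioning step described above, as an added TypeScript example that is not Govyn's or Clerk's code. It handles the SCIM 2.0 PatchOp an identity provider sends when it deactivates a user and, in the same step, revokes every live session for that account, which is what closes the "residual access" gap: flipping the active flag alone would leave already-issued sessions valid until they expire. The account and session arrays, ids and function names are constructed for the illustration; the two request shapes handled (`path: "active"` with a boolean value, and a `value: { active: false }` object without a path) are both valid PatchOp forms.

```typescript
// Added example (not Govyn's code): SCIM deactivation that also kills live sessions.
type ScimPatch = {
  schemas: string[];
  Operations: { op: string; path?: string; value: unknown }[];
};

type Account = { scimId: string; email: string; active: boolean };
type Session = { id: string; scimId: string; revokedAt: number | null };

// Constructed sample state standing in for the account and session tables.
const accounts: Account[] = [
  { scimId: "scim_1", email: "dana@example.com", active: true },
  { scimId: "scim_2", email: "eli@example.com", active: true },
];
const sessions: Session[] = [
  { id: "sess_a", scimId: "scim_1", revokedAt: null },
  { id: "sess_b", scimId: "scim_1", revokedAt: null },
  { id: "sess_c", scimId: "scim_2", revokedAt: null },
];

const PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp";

// Extract the requested "active" state from a PatchOp, accepting both common shapes.
function requestedActive(patch: ScimPatch): boolean | undefined {
  if (!patch.schemas.includes(PATCH_OP_SCHEMA)) return undefined;
  for (const op of patch.Operations) {
    if (op.op.toLowerCase() !== "replace") continue;
    if (op.path === "active" && typeof op.value === "boolean") return op.value;
    if (!op.path && typeof op.value === "object" && op.value !== null && "active" in op.value) {
      const v = (op.value as { active: unknown }).active;
      if (typeof v === "boolean") return v;
    }
  }
  return undefined;
}

// Handler for PATCH /scim/v2/Users/{id} (path assumed). Returns an HTTP-style status plus
// how many sessions were cut, so the caller can write both to the audit trail.
export function handleScimPatch(
  scimId: string,
  patch: ScimPatch,
  now: number = Date.now(),
): { status: number; revokedSessions: number } {
  const account = accounts.find((a) => a.scimId === scimId);
  if (!account) return { status: 404, revokedSessions: 0 };
  const active = requestedActive(patch);
  if (active === undefined) return { status: 400, revokedSessions: 0 };
  account.active = active;
  let revoked = 0;
  if (!active) {
    // Deactivation must revoke live sessions immediately; the flag alone leaves tokens usable.
    for (const s of sessions) {
      if (s.scimId === scimId && s.revokedAt === null) {
        s.revokedAt = now;
        revoked++;
      }
    }
  }
  return { status: 200, revokedSessions: revoked };
}

// What the request path checks on every call: the session is unrevoked and its account is active.
export function isSessionValid(sessionId: string): boolean {
  const s = sessions.find((x) => x.id === sessionId);
  if (!s) return false;
  const acct = accounts.find((a) => a.scimId === s.scimId);
  return s.revokedAt === null && acct !== undefined && acct.active;
}
```

Checking the account's active flag inside `isSessionValid` is the belt to the revocation's braces: even a session missed by the loop is refused once the account is inactive.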


Permission model comparison

Team management capabilities vary by plan. The following table summarizes what is available at each tier.

Capability            Free (self-hosted)   Starter   Team   Enterprise
Single user           Yes                  Yes       Yes    Yes
Multiple users        No                   Yes       Yes    Yes
Role-based access     No                   Basic     Full   Full
SSO (SAML)            No                   No        No     Yes
SCIM provisioning     No                   No        No     Yes
Org isolation         N/A                  Yes       Yes    Yes
Audit trail           No                   Basic     Full   Full

The Free self-hosted tier provides the core proxy functionality for a single user. It does not include the dashboard, team management, or multi-user access. For teams, the Starter plan provides basic multi-user access with Admin and Member roles. The Team plan adds the Viewer role and full audit trail. The Enterprise plan adds SSO, SCIM, and custom retention.


Frequently asked questions

How does Govyn isolate data between organizations?

Every database row is scoped by an organization ID. Agents, policies, API targets, logs, approvals, and billing records all belong to a single organization. Queries are filtered by org_id at the database level, making cross-organization data access architecturally impossible. This is enforced in the Prisma schema, not just application code.

What roles are available in Govyn?

Govyn supports three roles: Admin (full access to team management, billing, settings, policies, and approvals), Member (manage agents, policies, logs, approvals, and API keys without billing or team access), and Viewer (read-only access to dashboards, logs, and metrics). Roles are assigned per organization.

How do I invite someone to my organization?

Open the Govyn dashboard, go to organization settings, click Invite Member, enter the email address, select a role (Admin, Member, or Viewer), and send the invitation. The invitee receives an email with a join link. Once they accept, they have immediate access at the assigned permission level. Invitations can be revoked before acceptance.

What authentication methods does Govyn support?

Govyn supports email and password, Google OAuth, GitHub OAuth, and SAML SSO (Enterprise plan). Authentication is powered by Clerk, which handles session management, JWT token issuance, and multi-factor authentication. All API requests are authenticated via JWT bearer tokens.

Does each organization have its own billing?

Yes. Each organization has its own Stripe subscription with independent plan limits. One organization can be on Starter while another is on Enterprise. Agent limits, log retention, and feature availability are all enforced per organization. Billing is managed through the Settings page in the dashboard.

Is there an audit trail for team actions?

Yes. Govyn logs every significant action: policy changes, agent configuration, API key generation/revocation, approval decisions, alert rule changes, team membership changes, and billing modifications. Each entry includes who performed the action, what changed, and when. The audit trail follows your plan's log retention period.

Does Govyn support SSO?

SAML SSO is available on the Enterprise plan. Connect your identity provider (Okta, Azure AD, OneLogin, PingFederate) for centralized authentication. SSO enforces your organization's password requirements, MFA policies, and session duration rules without any additional Govyn configuration.

What is SCIM provisioning?

SCIM (System for Cross-domain Identity Management) automates user lifecycle management. When you add or remove someone in your identity provider, SCIM automatically creates or deactivates their Govyn account. This eliminates manual user management and prevents orphaned accounts. SCIM is available on the Enterprise plan.

Can one person belong to multiple organizations?

Yes. A single Clerk account can belong to multiple Govyn organizations with different roles in each. The dashboard includes an organization switcher. Data, settings, and billing are completely isolated between organizations — switching orgs shows only that organization's resources.

Which plans include team management?

Single-user access is available on all plans. Multi-user team management with role-based access requires Starter ($29/mo) or above. Full RBAC with the Viewer role and complete audit trail is available on Team ($99/mo) and Enterprise. SSO and SCIM provisioning are exclusive to the Enterprise plan.

Add your team on Team plan

Full RBAC, unlimited agents, 30-day log retention, approval queues, and session replay. Start with a 14-day free trial at $99/mo.
