MisarMisar Docs
MisarMailMisar.BlogMisarReachMisarPostMisar.DevMisarSEOMisar PlatformMisar SSO

Workspaces

Centralized team-scoped tenancy shared across every Misar product, with an owner > admin > member role hierarchy.

The Workspaces API is the single source of truth for teams (workspaces/agencies) across the Misar ecosystem. A workspace is a shared tenant that groups users under one owner. MisarMail, MisarReach, MisarPost, and any other Misar product read membership from this centralized store — there is no per-product workspace table.

What's included:

Role hierarchy

Every membership carries one of three roles, ranked highest to lowest:

RoleRankCan
owner3Everything, including deleting the workspace. Exactly one per workspace — the creator. Cannot be removed.
admin2Rename the workspace, invite members, and remove non-owner members.
member1Read the workspace and its member list.

Endpoints enforce a minimum role: an action requiring admin is also permitted for owner. The owner is resolved from the workspaces.owner_id column, so ownership never depends on a membership row.

Pending invites

Members are invited by email. When you invite someone:

  • If a Supabase user already exists for that email, they are attached immediately as an active member with a resolved user_id.
  • If no user exists yet, a pending invite row is created with status: "invited", user_id: null, and the email stored in invited_email. The row is claimed automatically once that person signs up.

How products enforce access

Products never query the workspace tables directly. To gate a workspace's data, a product calls the access check endpoint (or the SDK's checkAccess) with the acting user_id and the target workspace_id, then serves data only when allowed is true.

Base URL

All Workspaces endpoints are served under:

https://api.misar.io/io/workspaces

Authentication

Two auth modes are supported:

ModeHeaderUse case
SSO bearerAuthorization: Bearer <access_token>First-party misar.io UI
Service keyx-workspace-service-key: <key> + ?user_id=<uuid>Server-to-server (MisarMail, MisarReach, MisarPost)

See Authentication for details.