Workspaces
Centralized team-scoped tenancy shared across every Misar product, with an owner > admin > member role hierarchy.
The Workspaces API is the single source of truth for teams (workspaces/agencies) across the Misar ecosystem. A workspace is a shared tenant that groups users under one owner. MisarMail, MisarReach, MisarPost, and any other Misar product read membership from this centralized store — there is no per-product workspace table.
What's included:
List & Create
List the workspaces a user belongs to and create new ones.
Manage Workspace
Fetch, rename, and delete a single workspace.
Members
List members, invite by email, and remove members.
Access Check
The membership check products call to gate a workspace's data.
SDK
TypeScript SDK (@misar/workspace) for server-to-server access.
Role hierarchy
Every membership carries one of three roles, ranked highest to lowest:
| Role | Rank | Can |
|---|---|---|
| owner | 3 | Everything, including deleting the workspace. Exactly one per workspace — the creator. Cannot be removed. |
| admin | 2 | Rename the workspace, invite members, and remove non-owner members. |
| member | 1 | Read the workspace and its member list. |
Endpoints enforce a minimum role: an action requiring admin is also permitted for owner. The owner is resolved from the workspaces.owner_id column, so ownership never depends on a membership row.
Pending invites
Members are invited by email. When you invite someone:
- If a Supabase user already exists for that email, they are attached immediately as an
activemember with a resolveduser_id. - If no user exists yet, a pending invite row is created with
status: "invited",user_id: null, and the email stored ininvited_email. The row is claimed automatically once that person signs up.
How products enforce access
Products never query the workspace tables directly. To gate a workspace's data, a product calls the access check endpoint (or the SDK's checkAccess) with the acting user_id and the target workspace_id, then serves data only when allowed is true.
Base URL
All Workspaces endpoints are served under:
https://api.misar.io/io/workspacesAuthentication
Two auth modes are supported:
| Mode | Header | Use case |
|---|---|---|
| SSO bearer | Authorization: Bearer <access_token> | First-party misar.io UI |
| Service key | x-workspace-service-key: <key> + ?user_id=<uuid> | Server-to-server (MisarMail, MisarReach, MisarPost) |
See Authentication for details.