# Permissions

Tokay separates the resources an identity can reach from the actions a credential can perform. Memberships define the first boundary. API token grants define the second. A request is allowed only when both permit it.

This lets a person have broad access in the dashboard while giving a script or AI agent a narrower credential for one job.

## Workspace membership establishes the outer boundary

Workspace roles are Owner, Admin, and Member.

- **Owner** and **Admin** can operate the full Workspace, including its Projects and code.
- **Member** has no Project or repository access until those grants are added.

Every Workspace has an Owner. Ownership is transferred deliberately rather than through a normal invitation.

## Project roles control application operations

Project roles are Admin, Member, and Viewer.

- **Admin** operates the Project and manages its membership.
- **Member** deploys and configures its Services.
- **Viewer** sees status and safe identifying information without making changes.

A person who operates a Project can view the source used by its Services because the code is part of understanding and diagnosing the application. Project Viewers see status rather than source.

## Repository roles control the code

Repository roles are Read, Write, and Admin.

- **Read** can view and clone.
- **Write** can change the code.
- **Admin** can also manage repository access and lifecycle.

Repository permission is separate from Project permission because one repository can supply Services to several Projects.

## Token grants narrow API authority

Dashboard sessions use the full authority of the identity that signed in. API tokens can carry a smaller list of action grants.

A token never exceeds the live memberships of its owner. Removing Project access or Workspace membership narrows every related token on the next request. Git credentials are narrower again and work only for repository operations. See [SSH keys and git tokens](ssh-keys-and-git-tokens.md).

## App visitors use a different access model

Workspace, Project, and repository permissions are for people and agents that manage Tokay. People who use your deployed apps are visitors. They sign in through Project access rules, while scripts that call those apps use machine tokens.

See [Who can open your app](who-can-open-your-app.md) and [Machine tokens](machine-tokens.md). A machine token can open an app but cannot manage Tokay.
