Team and billing
This page brings together team management, billing, API keys, and account security.
Team and seats
Every member of the workspace carries a role:
- member: everyday working access;
- admin: workspace and member management;
- owner: full control. Only an owner can grant the admin role.
You invite a person by email and assign them a role. An invite can be resent or revoked, and a member can be disabled. Invites are throttled to prevent abuse.
Each tier enforces a seat cap. The interface shows seats used, the cap, and seats available; some tiers are unlimited on seats.
Accepting an invite happens through a public tokenized join link that expires. The invited person opens it to join the workspace with the intended role.
Billing tiers
Annual billing gives two months free compared with monthly.
| Tier | Price | Records | Requests | Seats | API keys | Custom domain |
|---|---|---|---|---|---|---|
| Starter | $89 CAD / mo | 2,500 | 1,000 | 3 | 2 | no |
| Growth | $299 CAD / mo | 25,000 | 10,000 | 15 | 10 | yes |
| Business | $999 CAD / mo | 150,000 | unlimited | unlimited | unlimited | yes |
| Enterprise | custom | dedicated | dedicated | dedicated | dedicated | yes |
The Enterprise tier is not self-serve: it is arranged custom, with dedicated resources.
Billing on Stripe when configured
Billing runs on Stripe when it is configured, using Checkout and the Billing Portal. Outside production and without Stripe, a mock switch takes over. The payment-method summary comes from Stripe when billing is live.
API keys and scopes
API keys look like agr_live_.... Each key carries one or more scopes:
- check: check a consent cell;
- issue: issue a consent request;
- attest: attest an offline or manual consent.
At least one scope is required. The number of active keys is capped per plan. A key is revealed once, at creation: copy it then, because it is never shown again. A key can be revoked at any time.
For using keys in your calls, see the API reference.
Two-factor authentication and security
Two-factor authentication and account security are managed under the
personal profile, at /me/security. The methods on offer are:
- TOTP (authenticator app);
- email one-time code;
- passkey;
- recovery codes.
An owner can require multi-factor authentication for the whole workspace.
Next
- Domain and branding: domain verification,
the
did:webidentity, and the logo. - API reference: using keys and scopes.