Access Control.
# team page — sub-users with explicit scope
owner@acme.com OWNER webauthn enrolled
ops@acme.com OPERATOR last seen 4 min ago
saurav@acme.com OPERATOR last seen 1 h ago
finance@acme.com BILLING invoices + payment methods only
viewer@partner.com VIEWER read-only — no actions
contractor@temp.com OPERATOR invite expires 2026-06-30
# audit log — every action attributed
2026-05-21 09:42:17 ops@acme.com 192.0.2.41 server.resized prod-1 → CCX23
2026-05-21 09:38:04 saurav@acme.com 198.51.100.7 trunk.created twilio-out
2026-05-21 09:31:55 owner@acme.com 203.0.113.9 user.invited contractor@temp.com (OPERATOR, exp 2026-06-30)
What you get
The full access control surface, end-to-end.
Every card below is a shipped capability.
Three roles, narrow scopes
OPERATOR — full server management except billing and team changes. VIEWER — read-only across the account; cannot edit a dispo or restart a service. BILLING — invoices, payment methods, dunning state; no server access. The owner is implicit and has everything.
Sub-user invites with expiry
Invites send a magic link, expire after a window you choose (most operators use 7 days), and can be revoked before acceptance. After acceptance the membership row carries the role; revoking is one click and severs the SSH key sync in the same transaction.
SSH key sync to authorized_keys
Add an SSH public key in the dashboard; it lands in the right user's authorized_keys on every server you have access to. Remove the key; it leaves authorized_keys before the next dial. No "log in as root and edit" step. Per-user keys, not a shared root key.
WebAuthn for owners
Owners enrol a passkey (Touch ID, Windows Hello, a hardware key) for the account login. The device is the second factor — no SMS, no TOTP screenshots in shared folders. Recovery codes printable from the security page.
Audit log on every state change
Server resize, trunk create, sub-user invite, payment method change, recipe override, firewall rule add — every action lands in the audit log with actor, IP, user-agent, and a structured diff. Search by actor or resource ID; export as JSON or CSV.
Replayable SSH sessions
When someone does log into the box, the session is captured as an asciinema cast. Tied to the dashboard user that initiated the SSH, even when they authenticated with an SSH key. Filed under the firewall feature; cross-linked here because access does not stop at the dashboard boundary.
Server-side enforcement
Roles are checked on the server, not in the UI. A VIEWER who hits a mutation endpoint directly gets a 403; the dashboard hiding the button is a courtesy, not the security. Plan limits, sub-user actions, and coupon enforcement all live behind getCurrentMembership() at the route boundary.
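A sketch of the route-boundary check described above, as an added example rather than the product's own code. The scope names, the role table, the session tokens and the body of getCurrentMembership() are assumptions; only the function name and the role descriptions come from this page.

```javascript
// Scope names and this role table are assumptions modelled on the role
// descriptions above. A role missing from the map gets no scopes (deny by default).
const ROLE_SCOPES = new Map([
  ['OWNER', new Set(['server:read', 'server:write', 'billing:read', 'billing:write', 'team:write'])],
  ['OPERATOR', new Set(['server:read', 'server:write'])],
  ['VIEWER', new Set(['server:read'])],
  ['BILLING', new Set(['billing:read', 'billing:write'])],
]);

// Constructed sample data: session token -> membership row.
const MEMBERSHIPS = new Map([
  ['tok-ops', { email: 'ops@acme.com', role: 'OPERATOR' }],
  ['tok-viewer', { email: 'viewer@partner.com', role: 'VIEWER' }],
  ['tok-finance', { email: 'finance@acme.com', role: 'BILLING' }],
]);

// Hypothetical stand-in for the getCurrentMembership() named on the page;
// the real signature is not shown there.
function getCurrentMembership(req) {
  return MEMBERSHIPS.get(req.sessionToken) || null;
}

// Wrap a route handler so the role check runs on the server before any
// handler code, regardless of which buttons the UI showed or hid.
function requireScope(scope, handler) {
  return function guarded(req) {
    const membership = getCurrentMembership(req);
    if (!membership) return { status: 401, body: { error: 'not authenticated' } };
    const scopes = ROLE_SCOPES.get(membership.role);
    if (!scopes || !scopes.has(scope)) {
      return { status: 403, body: { error: 'forbidden', required: scope } };
    }
    return handler(req, membership);
  };
}

// Mutation endpoint: resizing a server needs write access.
const resizeServer = requireScope('server:write', (req, m) => ({
  status: 200,
  body: { action: 'server.resized', actor: m.email, target: req.params.server },
}));

// Read endpoint: invoices need billing access.
const listInvoices = requireScope('billing:read', (req, m) => ({
  status: 200, body: { actor: m.email, invoices: [] },
}));
```

Because the guard wraps the handler itself, a request sent straight to the endpoint is evaluated against the same table as one sent from the dashboard.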
No nested sub-accounts
A sub-user is a member of your account, not the owner of a child account. They cannot create their own sub-users; they do not see your billing if they are an operator. If you want a separate billing entity, that is a separate account — and our reseller program exists for the case where you want billing to flow to you and your customer to see their own dashboard.
The team page and audit log. Roles map to actual capability scopes — billing cannot create servers, viewers cannot dial anything, operators do not see card numbers. Owners get WebAuthn for the credential they actually care about.
Stop sharing the root password.
Start the trial. Invite teammates with operator / viewer / billing scopes on day zero. SSH keys sync, WebAuthn enrols, every action is audit-logged. Revoking access is one click.