Roles & permissions
Toado has four roles: Owner, Admin, Member, Viewer. Each is scoped to one company; a user’s role can differ across companies.
The matrix
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| View tickets, comments, captures | ✓ | ✓ | ✓ | ✓ |
| Search across the company | ✓ | ✓ | ✓ | ✓ |
| Capture from the extension | ✓ | ✓ | ✓ | ✗ |
| Edit own tickets | ✓ | ✓ | ✓ | ✗ |
| Edit any ticket in the company | ✓ | ✓ | ✗ | ✗ |
| Add comments | ✓ | ✓ | ✓ | ✗ |
| Move tickets | ✓ | ✓ | ✓ | ✗ |
| Assign / unassign tickets | ✓ | ✓ | ✓ | ✗ |
| Archive / restore tickets | ✓ | ✓ | ✓ | ✗ |
| Create projects | ✓ | ✓ | ✗ | ✗ |
| Configure project settings (columns, URL patterns) | ✓ | ✓ | ✗ | ✗ |
| Invite members | ✓ | ✓ | ✗ | ✗ |
| Change member roles | ✓ | ✓ (except Owner) | ✗ | ✗ |
| Remove members | ✓ | ✓ (except Owner) | ✗ | ✗ |
| Manage company billing | ✓ | ✗ | ✗ | ✗ |
| Delete the company | ✓ (last action of last owner) | ✗ | ✗ | ✗ |
| Create personal API tokens | ✓ | ✓ | ✓ | ✗ |
Role choice cheat sheet
- Owner: founder, billing-payer, last-resort admin. Usually 1 to 2 per company.
- Admin: senior teammates who manage projects and members but should not touch billing.
- Member: the default. Can do every per-ticket and per-project thing without administrative power.
- Viewer: read-only. Useful for stakeholders, observers, or anyone who should see but not touch.
When in doubt, pick Member. You can promote later with one click.
Project-restricted access
When inviting (or editing a member), you can restrict their access to specific projects. A project-restricted Member sees only the projects they have access to and cannot see other projects’ tickets in search.
Use cases:
- A contractor who should only see one project.
- A client viewer for a specific delivery.
- An agency setup where each client is one project and members map to clients.
Changing a role
Settings › Members › (pick a member) › Change role.
Pick the new role, save. Effective immediately.
Constraints:
- Only Owners can promote someone to Owner.
- Only Owners can demote another Owner.
- Admins can change any non-Owner role.
- The last Owner cannot be demoted (promote someone else to Owner first).
API token scopes vs. roles
Roles govern what you can do in the web app. Token scopes govern what an API token can do via REST or MCP, and are bounded by the token owner’s role.
Example: an Admin creates a token with tickets:write scope. That token can do everything Admins can do that the scope allows. If the same Admin is later demoted to Viewer, their tokens stop working for everything except read.
In practice: tokens follow the token owner’s role. Demote someone, their tokens narrow. Remove someone, their tokens are revoked. See API tokens.
Where to next
- Invitations for adding teammates.
- API tokens for the token model.
- Companies & projects for the underlying data model.