Workspace & Members
Workspace
Section titled “Workspace”A workspace is your team’s account. It’s created automatically when you first log in. Every user gets their own workspace, and can be invited to others.
envsh workspace# ID: abc123-...# Name: alice@example.com# Slug: alice# Role: adminMultiple workspaces
Section titled “Multiple workspaces”You can belong to multiple workspaces — your own, plus any you’ve been invited to.
List all workspaces
Section titled “List all workspaces”envsh workspace list# NAME SLUG ROLE ID# alice@example.com alice admin abc123-...# Acme Corp acme member def456-...Switch workspace
Section titled “Switch workspace”envsh workspace switch def456-...# ok: Switched to workspace Acme CorpAfter switching, all commands (push, pull, project list, etc.) operate in the context of the selected workspace.
Invite a member
Section titled “Invite a member”Admin only.
envsh invite bob@example.com# ok: Invited bob@example.com as member
# Invite as adminenvsh invite carol@example.com --role admin# ok: Invited carol@example.com as adminAfter being invited, Bob can envsh login with his email. No separate acceptance step — the invite creates his user record immediately. He then runs envsh workspace list to see the new workspace and envsh workspace switch to enter it.
List members
Section titled “List members”envsh members# EMAIL ROLE ID# alice@example.com admin abc123-...# bob@example.com member def456-...Remove a member
Section titled “Remove a member”Admin only. You cannot remove yourself.
envsh remove bob@example.com# ok: Removed bob@example.com from workspaceWhat happens on removal
Section titled “What happens on removal”- Instant access revocation — Bob is immediately blocked from all workspace API calls (push, pull, list projects, etc.). No need to wait for his JWT to expire.
- Workspace switching still works — Bob can run
envsh workspace listandenvsh workspace switchto return to his own workspace. - Existing ciphertext is immutable — Old secret versions remain encrypted with Bob’s key. If Bob previously pulled and saved plaintext locally, removing him doesn’t delete that. Rotate any secrets Bob had access to.
- Future pushes exclude Bob — New pushes won’t include his key as a recipient.
| Role | Capabilities |
|---|---|
| admin | Invite/remove members, create/delete projects, create/revoke machines, manage SSH keys, push, pull, view audit log |
| member | Push, pull, manage their own SSH keys |
Two roles. No granular per-environment permissions. If you’re on the team, you’re trusted.