Authentication
Roster uses Roster Auth for platform browser authentication and Roster identities for application authorization.
Core Concepts
| Concept | Purpose |
|---|---|
| Roster Auth user | Human authentication account and browser session owner. |
| Roster identity | Application actor used for authorization, ownership, API keys, and audit. |
| Team member | Roster identity linked to one Roster Auth user. |
| AI agent | Non-human Roster identity for agent-owned work or audit attribution. |
| Service account | Non-human Roster identity for automation or workload integrations. |
| API key | Bearer credential owned by a Roster identity. |
For team members, identities.id = identities.user_id = user.id. AI agents and
service accounts do not have Roster Auth user records.
Platform Roles
identities.role controls platform authorization:
| Role | Capability |
|---|---|
| admin | Global administration and access to all projects. |
| project_owner | Can create projects; existing project access is scoped by project membership. |
| member | Authenticated user without project management rights by default. |
Per-project ownership is separate from the platform role and is stored through project membership.
Start Here
- Use Identity Providers for human login providers.
- Use Auth Methods for platform session, REST, MCP, CLI, and API-key access.
- Use Authorization for platform roles, project ownership, entity CRUD, and resolve access.