Members
Users belong to workspaces as members, with roles that dictate their access levels.
Listing Members
Members are listed in the dashboard settings area. The listMembers query in
packages/backend/convex/members.ts fetches the member list.
Because Better Auth owns the member table, this query calls the Better Auth API
(organizationApi.listMembers) under the hood and normalizes the results for
the frontend.
Updating Roles
Admins and Owners can update member roles using the updateMemberRole mutation.
Resource Policies
Role updates are protected by resource policies:
cannotModifyOwnerUnlessOwner: Ensures an Admin cannot demote an Owner or elevate someone else to Owner. Only Owners can manage Owners.
Step-Up Verification
Changing a member's role is a Level 3 sensitive action. The user performing the change must verify their identity (password, email code, or TOTP) or have a recent fresh session.
Removing Members
Admins and Owners can remove members using the removeMember mutation.
Resource Policies
Member removal is protected by:
cannotRemoveLastOwner: Prevents removing an Owner if they are the only Owner left in the workspace. This prevents orphaned workspaces.
Step-Up Verification
Removing a member is a Level 2 sensitive action. However, the system enforces a step-up escalation pattern:
If you are removing a member with an elevated role (Admin or Owner), the action temporarily escalates to Level 3, requiring explicit verification. Removing a standard Member or Viewer remains Level 2.
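The sketch below is an added example, not the project's own code. It shows how the two resource policies and the step-up levels described above combine into one decision for role updates and one for removals. Only the policy names come from this page; the types, helper names, and the "notAdminOrOwner" reason are hypothetical. It applies only the policies this page lists for each action, so it does not decide whether the owner-only rule also covers removals.

```typescript
// Added illustration: everything except the two policy names is hypothetical.
type Role = "owner" | "admin" | "member" | "viewer";
interface Member { id: string; role: Role }
interface Decision { allowed: boolean; stepUpLevel?: 2 | 3; reason?: string }

// Admins and Owners are the only roles allowed to manage members.
const canManage = (actor: Member): boolean =>
  actor.role === "owner" || actor.role === "admin";

// Only Owners may change an Owner's role or grant the Owner role.
function cannotModifyOwnerUnlessOwner(actor: Member, target: Member, newRole: Role): string | null {
  const touchesOwner = target.role === "owner" || newRole === "owner";
  return touchesOwner && actor.role !== "owner" ? "cannotModifyOwnerUnlessOwner" : null;
}

// A workspace must keep at least one Owner, otherwise it is orphaned.
function cannotRemoveLastOwner(target: Member, all: Member[]): string | null {
  const ownerCount = all.filter((m) => m.role === "owner").length;
  return target.role === "owner" && ownerCount <= 1 ? "cannotRemoveLastOwner" : null;
}

function decideRoleUpdate(actor: Member, target: Member, newRole: Role): Decision {
  if (!canManage(actor)) return { allowed: false, reason: "notAdminOrOwner" };
  const denied = cannotModifyOwnerUnlessOwner(actor, target, newRole);
  if (denied) return { allowed: false, reason: denied };
  // Role changes are always a Level 3 sensitive action.
  return { allowed: true, stepUpLevel: 3 };
}

function decideRemoval(actor: Member, target: Member, all: Member[]): Decision {
  if (!canManage(actor)) return { allowed: false, reason: "notAdminOrOwner" };
  const denied = cannotRemoveLastOwner(target, all);
  if (denied) return { allowed: false, reason: denied };
  // Level 2 baseline; escalates to Level 3 when the target is an Admin or Owner.
  const elevated = target.role === "owner" || target.role === "admin";
  return { allowed: true, stepUpLevel: elevated ? 3 : 2 };
}
```

The policy check runs before the step-up level is computed, so a denied request never prompts the caller for verification.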
Member Management Toggle
If your product doesn't need team collaboration, member management can be
disabled entirely by setting allowMemberManagement: false in
packages/backend/convex/organizations/config.ts.
Next Reads
- Roles and Permissions — what each role can do.
- Invitations — how to add new members.