Organizations
Orgs are the unit of membership and billing — members, roles, and switching.
An organization is the unit of membership and billing in Kisenon. Every project — and therefore every branch, endpoint, role, and database under it — belongs to exactly one organization.
What an organization is
When you sign in for the first time, Kisenon creates a personal organization for you and makes you its owner. You can work entirely within it, or create a team organization later and invite others.
Organizations own the things membership and money attach to:
- Projects. Every project lives in one organization; project names only need to be unique within it.
- Billing. Plan, quotas, and usage are tallied per organization.
- Audit. The operations log is org-scoped — every member can read the activity for every project in the organization.
Members & roles
Each membership carries one of four roles. The console pre-gates the UI
by role; the control plane enforces the same floor server-side, so a
client that skips the gate still gets a 403. Each action has a
minimum role — anyone at or above it may perform it.
| Action | Minimum role |
|---|---|
| Create project | member |
| Delete project | admin |
| Create branch | member |
| Delete branch | member |
| Start endpoint | member |
| Stop endpoint | member |
| Create API key | member |
| Invite a member | admin |
| Remove a member | admin |
| Rename the org | admin |
| Manage billing | owner |
| Delete the org | owner |
Roles are ranked viewer < member < admin < owner. A viewer
is read-only; a member can build (projects, branches, endpoints,
keys) but not manage people; an admin adds member and invitation
management; an owner additionally controls billing, ownership
transfer, and deletion.
Switching organizations
The active organization is part of your session. The org switcher sits in the top bar of the console: it shows the active org and a dropdown of every org you belong to, each tagged with your role there.
Picking another org POSTs to /api/auth/switch-org, which re-mints your
session token scoped to the target org and reloads into its projects.
From the same dropdown you can also reach Members and Org
settings, or create a new organization.
On the CLI, the active org is per-credential. Set it with:
keon orgs switch <org-id>which writes default_org_id into your stored credentials. You can
override it for a single invocation with --org-id or the
KEON_ORG_ID environment variable. Each API key is bound to an
organization when it is created; the control plane authorizes that key
against its bound org only.
Managing
- Rename. Under Org settings → Identity, admins and above can rename the organization.
- Member roles. From the org's Members page, admins and above change a member's role or remove them. The control plane rejects any change that would demote or remove the last owner.
- Leaving. The Danger Zone in Org settings (and
keon orgs leave) removes you from the organization. If you are the sole owner, the control plane blocks the request — promote someone else, or transfer ownership, before you leave.
Related
- Invitations — adding people to an organization.
- Billing — plan, quotas, and usage, scoped per org.
- Projects — what an organization contains.