AppStatus Documentation Hub for Production Operations
AppStatus

Docs > Getting Started > Getting Started with Team & Workspace

Getting Started with Team & Workspace

Overview

This guide introduces AppStatus Team and covers:

  • Workspace creation and multi-workspace switching
  • 4 roles: Owner, Admin, Contributor, Member with granular permissions
  • Individual and bulk CSV invitation workflows
  • Two-Factor Authentication (TOTP) with QR code setup
  • Session management with configurable timeouts
  • Audit logging for all privileged actions
  • API key management for programmatic access
  • Workspace security settings: IP whitelist, password policies, SSO

What are AppStatus Team?

Team & Workspace controls determine who can configure monitors, manage incidents, publish status updates, handle alerts, and access sensitive operational data. Every AppStatus account operates within workspaces — isolated environments with their own monitors, alerts, status pages, agents, and team members.

The workspace system supports multi-tenant operations where users can belong to multiple workspaces with different roles. A granular permission matrix controls 13 distinct capabilities per role, and sensitive operations like member removal, workspace deletion, and permission changes can require Two-Factor Authentication (TOTP) verification.

Key capabilities:

  • 4 workspace roles: Owner, Admin, Contributor, Member
  • 13 granular permissions: create/edit/delete monitors, manage team, manage billing, view audit logs, invite/remove members, create/edit/delete status pages, manage integrations, view analytics
  • Individual invitation with email + role assignment
  • Bulk CSV upload for batch team onboarding
  • Invitation links with 7-day expiry and token validation
  • Pending invitation tracking with cancel capability
  • TOTP 2FA with QR code (RFC 6238, HMAC-SHA1, 30-second window)
  • 2FA required for: permission updates, security settings, member removal, workspace deletion, agent deletion
  • Session management with configurable timeout (15–1440 minutes)
  • IP whitelist and strong password enforcement
  • Audit logging: action, resource, IP, user agent, success/failure, metadata
  • API key management for workspace programmatic access
  • Google OAuth integration for SSO
  • Multi-workspace switching with persistent workspace state

Team Workflows

Each workflow maps to real AppStatus features and API endpoints used in the main app.

Invite Workflow

Team users can be invited individually or in bulk CSV, with role assignment captured at invitation time.

  1. Use individual invite for one-off onboarding with email + role.
  2. Use CSV bulk import for batch onboarding and map role per email.
  3. Generate invite link for out-of-band sharing when needed.
  4. Track pending invitations and cancel stale requests.

Troubleshooting

Invitation email not received

Check the email address spelling. Invitations expire after 7 days — send a new one if expired. Check spam/junk folder. Verify the workspace invitation limit is not reached.

2FA code rejected

TOTP codes are time-based with a 30-second window. Ensure your authenticator app clock is synchronized. Try waiting for the next code. If locked out, contact the workspace owner.

Cannot change member role

Only Owner and Admin roles can change other members' roles. The operation requires 2FA if enabled (send code via X-2FA-Code header). You cannot change the role of the workspace owner.

Session timing out too quickly

The default session timeout is 30 minutes. Adjust in Security Settings (range: 15–1440 minutes). Changes require 2FA verification if enabled.

Audit logs not showing events

Audit logs are scoped to the current workspace. Filter by action type, date range, and user. Some actions (login, register) are recorded in the auth service, not the backend.

Bulk CSV import failing

CSV must contain valid email addresses (one per line or comma-separated). All emails in a batch receive the same role. Duplicate emails within the workspace are skipped. Maximum file size depends on server configuration.

Operational Guidance

  • Avoid shared user accounts for operational actions.
  • Use role-based groups instead of per-user exceptions.
  • Audit offboarding impact on alert and incident ownership.

Step-by-Step Setup

Team controls govern who can configure monitors, manage incidents and access sensitive data inside a workspace. AppStatus has four built-in roles (Owner / Admin / Member / Contributor) with granular permissions, plus 2FA enforcement and an audit log of every privileged action. Setting this up correctly on day one saves a lot of pain later.

Before you start

  • You are the workspace Owner or an Admin (other roles cannot manage team)
  • Your teammates have a working email address
  1. 1

    Open Team from the sidebar

    The Team page lists everyone in the workspace with their current role and last-active timestamp. Pending invitations show in a separate section at the top.

    WhereSidebar → Team
  2. 2

    Click "+ Invite member"

    A modal opens with two tabs: Single invite and Bulk invite. Use Single for adding one or two people; Bulk if you have a whole team to onboard from a CSV.

    WhereTeam → + Invite member
  3. 3

    Pick the right role

    Roles control what the user can do across the workspace. See the roles table below for the exact differences. Start cautious — promote later — rather than handing out Admin by default.

    WhereInvite modal → Role dropdown
  4. 4

    Send the invite

    AppStatus emails the invite immediately with a one-click accept link. The user creates their account (if they do not have one), accepts the workspace, and lands inside.

    WhereInvite modal → Send invite
    Tip

    Pending invitations expire after 7 days. Resend them from Team → Pending invitations → Resend.

  5. 5

    Bulk invite from CSV (optional)

    Switch to the Bulk invite tab and paste a CSV (or drag a file) with two columns: email and role. AppStatus validates the file before sending. Duplicate emails are deduped and existing members are skipped.

    WhereInvite modal → Bulk invite tab
  6. 6

    Change a role later

    On the Team page, click the role chip next to a member to change it. With workspace 2FA on, role changes require the actor to enter a verification code — this prevents a compromised session from promoting itself.

    WhereTeam → member row → Role chip → New role
  7. 7

    Enforce 2FA workspace-wide

    Open Workspace settings → Security and switch on "Require 2FA". Members without 2FA enabled are immediately prompted to set it up — they cannot make any privileged change until they do.

    WhereSidebar → Settings → Workspace → Security → Require 2FA
  8. 8

    Review the audit log

    The Audit log shows every privileged action with actor, target, timestamp and change details. Filter by user, action type, or date range. Export to CSV for compliance reviews.

    WhereSidebar → Settings → Workspace → Audit log

Configuration Options

Every option you can set, what each choice means, and what to pick. Use this as a reference while you fill in the form.

Built-in roles

Pick the least-privilege role that lets the person do their job. Promote later — never start with Admin.

FieldOptionsWhat it doesRecommended
OwnerOne per workspace (transferable)Full control + billing + workspace deletion. Cannot be revoked except by transfer.The person who created the workspace and pays the bill.
AdminMultiple allowedEverything except billing and workspace deletion: invite, role changes, monitors, alerts, status pages, integrations.Engineering leads and ops managers.
MemberMultiple allowedCreate/edit/delete monitors, alerts, status pages, incidents. Cannot invite users or change roles.The default for engineers actively building.
ContributorMultiple allowedRead everything. Can comment on incidents and acknowledge alerts. Cannot create or delete resources.For support, customer success, and read-only stakeholders.

Security options

FieldOptionsWhat it doesRecommended
Workspace 2FAOff / Required for privileged actions / Required for all loginsForces 2FA for the workspace.Required for privileged actions in any workspace with production data.
Session timeout8h / 24h / 7d / 30dHow long a member stays signed in before re-authenticating.8h for production-managing workspaces; 30d for casual use.
IP allow-listOff / List of CIDR rangesOnly allow workspace access from these networks.On for compliance-heavy customers; office and VPN ranges only.

Feature Reference

Every feature, where to find it in the app, and what it does. Use this when you know what you want to do but not where it lives.

FeatureWhere in appDescription
Invite single memberTeam → + Invite member → SingleSend one invitation with role assigned at invite time.
Bulk inviteTeam → + Invite member → BulkOnboard many users from a CSV in one batch.
Resend inviteTeam → Pending invitations → ResendRe-send the invite email; useful when the original was missed or expired.
Cancel inviteTeam → Pending invitations → CancelRevokes an unaccepted invitation.
Change roleTeam → member row → Role chipPromote or demote a member; requires 2FA when workspace 2FA is on.
Remove memberTeam → member row → ⋮ menu → RemoveImmediate access revocation — sessions invalidated, pending invites cancelled.
Workspace 2FASettings → Workspace → Security → Require 2FAForces 2FA on privileged actions or all logins.
Session timeoutSettings → Workspace → Security → Session timeoutHow long a member stays signed in before re-auth.
Audit logSettings → Workspace → Audit logAppend-only record of every privileged action; CSV exportable.

Next Steps

Continue building your monitoring stack:

Set up Monitors

Create health checks for your workspace.

Configure Alerts

Set up notification channels for your team.

Manage Incidents

Assign incident responders from your team.

Publish Status Pages

Control who can publish status updates.

Install the Agent

Deploy agents with workspace API keys.

Set up Heartbeats

Monitor scheduled jobs in your workspace.