Team Management

Collaborate with your team and manage access to your Perf account.

Overview

Team Management allows you to:
  • Invite team members with different permission levels
  • Control access to resources and features
  • Audit team activity
  • Manage API keys per team/project
  • Set up SSO and advanced authentication (Enterprise)
Access at: withperf.pro/settings/team

User Roles

Owner

Full administrative access
Capabilities:
  • ✅ All permissions below
  • ✅ Transfer ownership
  • ✅ Delete account
  • ✅ Access billing and invoices
  • ✅ Manage team members
  • ✅ Configure SSO (Enterprise)
Limitations:
  • Only one owner per account
  • Cannot be removed without transferring ownership

Admin

Manage team and settings
Capabilities:
  • ✅ Invite/remove team members (except Owner)
  • ✅ Create/revoke API keys
  • ✅ Configure routing rules
  • ✅ View all analytics and logs
  • ✅ Edit account settings
  • ✅ View billing (no payment changes)
  • ❌ Transfer ownership
  • ❌ Delete account
  • ❌ Update payment methods

Developer

Build and monitor integrations
Capabilities:
  • ✅ Create API keys
  • ✅ View API keys they created
  • ✅ View analytics and logs
  • ✅ View routing rules
  • ✅ Export data
  • ❌ Invite team members
  • ❌ Revoke others’ API keys
  • ❌ Edit routing rules
  • ❌ View billing
  • ❌ Edit account settings

Viewer

Read-only access
Capabilities:
  • ✅ View dashboard and analytics
  • ✅ View logs (with PII redaction)
  • ✅ Export reports
  • ❌ Create API keys
  • ❌ View full API keys
  • ❌ Edit any settings
  • ❌ View billing details

Custom Roles (Enterprise)

Create custom roles with granular permissions:
Role: "Finance Team"
Permissions:
  ✅ View cost analytics
  ✅ View billing
  ✅ Export cost reports
  ❌ View logs
  ❌ View technical details
  ❌ Create API keys

Inviting Team Members

Step-by-Step

  1. Navigate to Settings → Team
  2. Click Invite Member
  3. Enter email address
  4. Select role (Owner, Admin, Developer, Viewer)
  5. Optional: Add to specific projects
  6. Click Send Invitation

Invitation Flow

1. Email sent to invitee

2. Click invitation link

3. Create Perf account (if new user)

4. Accept invitation

5. Access granted
Invitation expiration: 7 days

Bulk Invitations (Enterprise)

Upload CSV to invite multiple members:
email,role,projects
[email protected],Developer,production
[email protected],Viewer,all
[email protected],Admin,all

Managing Team Members

View Team

Team Members (12)

┌─────────────────────┬──────────┬──────────────┬────────────┬────────────┐
│ Name                │ Role     │ Projects     │ Last Login │ Actions    │
├─────────────────────┼──────────┼──────────────┼────────────┼────────────┤
│ You (Owner)         │ Owner    │ All          │ 2 min ago  │ -          │
│ Alice Developer     │ Admin    │ All          │ 1 hour ago │ Edit Remove│
│ Bob Engineer        │ Developer│ Production   │ 2 days ago │ Edit Remove│
│ Carol Data          │ Viewer   │ Analytics    │ 1 week ago │ Edit Remove│
└─────────────────────┴──────────┴──────────────┴────────────┴────────────┘

Edit Member

  1. Click Edit next to team member
  2. Change role or project access
  3. Click Save
Changes take effect immediately.

Remove Member

  1. Click Remove next to team member
  2. Confirm action
  3. Member loses access immediately
  4. Their API keys are revoked (optional)
Best Practice: Revoke API keys when removing members.

Projects & Workspaces

Organize your team around projects (Pro/Enterprise):

Creating Projects

Project: Production
  Members: Alice (Admin), Bob (Developer)
  API Keys: pk_live_prod_123, pk_live_prod_456
  Resources: Logs, Analytics, Settings

Project: Staging
  Members: Bob (Developer), Carol (Viewer)
  API Keys: pk_test_staging_789
  Resources: Logs, Analytics

Project: Analytics
  Members: Carol (Viewer), Finance Team (Custom)
  API Keys: None (read-only)
  Resources: Analytics only

Project Isolation

  • Members only see data from their assigned projects
  • API keys are scoped to projects
  • Billing can be tracked per project
  • Separate rate limits (Enterprise)

Project Permissions

Fine-tune access per project:
Bob in Production Project:
  ✅ Create API keys
  ✅ View logs
  ✅ View analytics
  ❌ Edit routing rules (requires Admin)

Bob in Staging Project:
  ✅ Create API keys
  ✅ View logs
  ✅ View analytics
  ✅ Edit routing rules

API Key Management

Organization

Group API keys by:
  • Team member: Personal keys
  • Project: Shared project keys
  • Environment: Development, Staging, Production
  • Service: Microservice-specific keys

Key Ownership

┌────────────────────┬─────────────┬───────────┬─────────────┐
│ Key Name           │ Owner       │ Project   │ Last Used   │
├────────────────────┼─────────────┼───────────┼─────────────┤
│ Production API     │ Alice       │ Production│ 5 min ago   │
│ Staging API        │ Bob         │ Staging   │ 2 hours ago │
│ Analytics Sync     │ Carol       │ Analytics │ 1 day ago   │
│ Development        │ Bob         │ Dev       │ 3 days ago  │
└────────────────────┴─────────────┴───────────┴─────────────┘

Key Permissions

Control what each API key can do:
API Key: pk_live_prod_123
Permissions:
  ✅ /v1/chat
  ✅ /v1/chat/stream
  ✅ /v1/metrics/*
  ❌ /v1/logs (PII concerns)
  ❌ Admin endpoints

Rate Limits:
  300 requests/minute
  100,000 requests/month

Expires: Never (manual rotation required)

Single Sign-On (Enterprise)

Supported Providers

  • SAML 2.0
    • Okta
    • Azure AD
    • Google Workspace
    • OneLogin
    • Custom
  • OAuth 2.0 / OIDC
    • GitHub
    • GitLab
    • Google
    • Microsoft

Configuration

  1. Navigate to Settings → SSO
  2. Select provider
  3. Configure SSO settings:
    • Entity ID
    • SSO URL
    • Certificate
  4. Test connection
  5. Enable SSO
  6. Optional: Enforce SSO (disable password login)

SAML Example (Okta)

Entity ID: https://withperf.pro
SSO URL: https://company.okta.com/app/perfai/sso/saml
Certificate: [Upload X.509 certificate]

Attribute Mapping:
  Email: user.email
  First Name: user.firstName
  Last Name: user.lastName
  Role: user.perfRole (custom attribute)

Just-In-Time Provisioning

Automatically create accounts when users log in via SSO:
New user logs in via SSO

Perf creates account automatically

Assigns role based on SAML attribute

Adds to specified projects

User can access Perf immediately

Audit Logs

Track all team activity for security and compliance.

Logged Events

User Management:
  • Member invited/removed
  • Role changed
  • Project access modified
API Key Management:
  • Key created/revoked
  • Key permissions changed
  • Key used from new IP
Settings Changes:
  • Routing rules modified
  • Budget limits changed
  • SSO configuration updated
Data Access:
  • Logs viewed
  • Reports exported
  • API access

Audit Log View

┌─────────────────────┬────────────┬─────────────┬──────────────────────┐
│ Timestamp           │ User       │ Action      │ Details              │
├─────────────────────┼────────────┼─────────────┼──────────────────────┤
│ 2024-01-30 14:32:15 │ Alice      │ Invited user│ [email protected]    │
│ 2024-01-30 13:45:22 │ You        │ Created key │ Production API       │
│ 2024-01-30 10:15:03 │ Bob        │ Exported    │ Logs (1000 records)  │
│ 2024-01-29 16:22:44 │ Alice      │ Changed role│ Carol: Viewer→Admin  │
│ 2024-01-29 09:30:11 │ Carol      │ Viewed logs │ call_abc123          │
└─────────────────────┴────────────┴─────────────┴──────────────────────┘

Filtering & Export

  • Filter by user, action type, date range
  • Export to CSV for compliance
  • Retention: 1 year (Enterprise: up to 7 years)
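
A review pass over an exported audit log, as an added example (not Perf's own code). It assumes the CSV export uses the same four columns as the Audit Log View table; the sample rows, the export threshold and the working hours are constructed for illustration.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample. Columns mirror the Audit Log View table; the real
# export's column names and layout are an assumption.
SAMPLE_EXPORT = """Timestamp,User,Action,Details
2024-01-30 13:45:22,You,Created key,Production API
2024-01-30 10:15:03,Bob,Exported,Logs (1000 records)
2024-01-30 03:45:10,Carol,Exported,"Logs (10,000 records)"
2024-01-29 16:22:44,Alice,Changed role,Carol: Viewer→Admin
2024-01-29 09:30:11,Carol,Viewed logs,call_abc123
"""

ROLE_RANK = {"Viewer": 0, "Developer": 1, "Admin": 2, "Owner": 3}
EXPORT_THRESHOLD = 5000    # hypothetical: records per export worth reviewing
WORK_HOURS = range(7, 20)  # hypothetical: normal hours in the log's timezone


def review(export_text):
    """Return (timestamp, user, reason) for rows that deserve a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        when = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S")
        action, details = row["Action"], row["Details"]
        if action == "Changed role" and "→" in details:
            target, _, change = details.partition(": ")
            old, _, new = (part.strip() for part in change.partition("→"))
            # Custom role names are not ranked (-1), so only promotions into
            # the built-in Admin or Owner roles are reported.
            old_rank, new_rank = ROLE_RANK.get(old, -1), ROLE_RANK.get(new, -1)
            if new_rank >= ROLE_RANK["Admin"] and new_rank > old_rank:
                findings.append((row["Timestamp"], row["User"],
                                 f"granted {new} to {target} (was {old})"))
        elif action == "Exported":
            match = re.search(r"(\d[\d,]*) records", details)
            count = int(match.group(1).replace(",", "")) if match else 0
            if count >= EXPORT_THRESHOLD:
                findings.append((row["Timestamp"], row["User"],
                                 f"bulk export of {count} records"))
            if when.hour not in WORK_HOURS:
                findings.append((row["Timestamp"], row["User"],
                                 "export outside normal hours"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```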

Access Patterns & Anomalies

Unusual Activity Detection

Perf automatically flags suspicious behavior:
⚠️ Anomaly Detected
User: [email protected]
Activity: Downloaded 10,000 log records (10x normal)
Time: 2024-01-30 03:45 AM (unusual hour)
IP: 203.0.113.42 (new location: Romania)

Actions:
  [Notify User] [Suspend Account] [Dismiss]

Activity Patterns

Visual timeline of user activity:
Bob's Activity (Last 30 Days)

API Calls:     ████████░░░░░░░░████████░░░░░░░░
Log Views:     ██░░░░░░░░░░░░░░░░░░░░░░██░░░░░░
Exports:       ░░░░░░░░░░░░░░█░░░░░░░░░░░░░░░░░

Peak Hours: 9-11 AM, 2-4 PM UTC
Devices: MacBook Pro, iPhone
Locations: San Francisco (95%), New York (5%)

Notifications

Configure team notifications for key events:

Notification Types

Invite & Access:
  • Member invited
  • Member joined
  • Role changed
  • Access granted to new project
Security:
  • New device login
  • Login from new location
  • API key created/revoked
  • Unusual activity detected
System:
  • Budget threshold reached
  • Rate limit exceeded
  • Quality degradation detected

Notification Channels

  • Email: Individual or digest
  • Slack: Post to channel
  • Webhook: POST to your endpoint
  • In-app: Dashboard notifications

Configuration

Notification: Member Invited
  Channels: Email, Slack
  Recipients: Admins only
  Frequency: Immediate

Notification: API Key Created
  Channels: Email, Webhook
  Recipients: Admins + Creator
  Frequency: Immediate

Best Practices

Role Assignment

  • Use Owner sparingly (1-2 people max)
  • Assign Admin to trusted leads
  • Most engineers should be Developers
  • Use Viewer for stakeholders, finance, support

API Key Hygiene

  • Create separate keys per environment
  • Rotate keys every 90 days
  • Revoke keys when team members leave
  • Use descriptive names: “Production-API-v2” not “key123”

Project Structure

Good Structure:
  Production (Alice, Bob)
  Staging (Bob, Carol, Dan)
  Development (All Developers)
  Analytics (Carol, Finance Team)

Bad Structure:
  Project1 (Everyone)
  Project2 (Everyone)
  Test (Everyone)

Regular Reviews

  • Weekly: Review active API keys
  • Monthly: Review team member access
  • Quarterly: Audit permissions and roles
  • Yearly: Review SSO configuration

Offboarding Checklist

When a team member leaves:
  1. ✅ Remove from team
  2. ✅ Revoke all their API keys
  3. ✅ Review audit logs for their activity
  4. ✅ Transfer ownership of any resources
  5. ✅ Update SSO/directory service
  6. ✅ Rotate any shared credentials
  7. ✅ Document in offboarding log
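
Steps 2 and 6 of the checklist worked through for one departing member, as an added example (not Perf's own code). The key list follows the Key Ownership table and the project examples on this page; the data layout, the membership of the Dev project and the function names are assumptions.

```python
# Constructed from the Key Ownership table and the project examples above;
# the data layout is an assumption, not a Perf export format.
KEYS = [
    {"name": "Production API", "owner": "Alice", "project": "Production"},
    {"name": "Staging API", "owner": "Bob", "project": "Staging"},
    {"name": "Analytics Sync", "owner": "Carol", "project": "Analytics"},
    {"name": "Development", "owner": "Bob", "project": "Dev"},
]
PROJECT_MEMBERS = {
    "Production": {"Alice", "Bob"},
    "Staging": {"Bob", "Carol"},
    "Analytics": {"Carol"},
    "Dev": {"Bob"},  # constructed: the page does not list Dev's members
}


def offboarding_plan(leaver, keys, project_members):
    """Split keys into those to revoke, those to rotate, and those untouched."""
    plan = {"revoke": [], "rotate": [], "keep": []}
    for key in keys:
        members = project_members.get(key["project"], set())
        if key["owner"] == leaver:
            # Checklist step 2: keys the leaver owns are revoked outright.
            plan["revoke"].append(key["name"])
        elif leaver in members:
            # Step 6: a shared project key may be known to the leaver through
            # the services they worked on, so it is rotated even though
            # someone else owns it (an assumption about how keys are deployed).
            plan["rotate"].append(key["name"])
        else:
            plan["keep"].append(key["name"])
    return plan


def orphaned_keys(keys, current_members):
    """Keys whose owner is no longer on the team (missed at offboarding)."""
    return [k["name"] for k in keys if k["owner"] not in current_members]


if __name__ == "__main__":
    print(offboarding_plan("Bob", KEYS, PROJECT_MEMBERS))
    print(orphaned_keys(KEYS, {"Alice", "Carol"}))
```

Running orphaned_keys during the weekly key review catches keys that survived a removal where the optional revocation was skipped.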

Enterprise Features

Directory Sync (SCIM)

Automatically sync team from your identity provider:
Your Directory (Okta/Azure AD)
  ↓ Automatic Sync
Perf Team
  - New users auto-created
  - Removed users auto-deactivated
  - Role changes synced

Advanced Permissions

Custom Permission: "Data Scientist"
  ✅ View all analytics
  ✅ Export raw data
  ✅ Create custom reports
  ✅ Access embeddings/vectors
  ❌ View logs
  ❌ Create API keys
  ❌ Access billing

IP Allowlisting

Restrict access to specific IP ranges:
Allowed IPs:
  203.0.113.0/24 (Office)
  198.51.100.42 (VPN)
  192.0.2.0/24 (Data Center)

Block all other IPs: ✅
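
A pre-flight check to run before turning on "Block all other IPs", as an added example (not Perf's own code): it validates the allowlist entries and reports which recent login addresses would be locked out. The recent-login list, the /16 breadth policy and the function names are assumptions; how Perf itself evaluates the list is not described on this page.

```python
import ipaddress

# Entries from the IP Allowlisting example above.
ALLOWED = ["203.0.113.0/24", "198.51.100.42", "192.0.2.0/24"]
MIN_PREFIX = 16  # hypothetical policy: anything broader than a /16 is suspect

# Constructed sample of addresses your team recently logged in from.
RECENT_LOGINS = ["203.0.113.42", "::ffff:198.51.100.42", "198.51.100.43",
                 "192.0.2.200", "2001:db8::1"]


def parse_allowlist(entries):
    """Parse entries strictly; return (networks, problems)."""
    networks, problems = [], []
    for entry in entries:
        try:
            # strict=True rejects entries with host bits set (203.0.113.5/24).
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: {exc}")
            continue
        if net.version == 4 and net.prefixlen < MIN_PREFIX:
            problems.append(f"{entry}: range broader than /{MIN_PREFIX}")
        networks.append(net)
    return networks, problems


def is_allowed(address, networks):
    """Default deny: True only if the address falls inside a listed network."""
    ip = ipaddress.ip_address(address)
    # A dual-stack listener may report IPv4 clients as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in networks)


def locked_out(recent_login_ips, entries):
    """Login addresses that would be blocked once the allowlist is enforced."""
    networks, _ = parse_allowlist(entries)
    return sorted({ip for ip in recent_login_ips if not is_allowed(ip, networks)})


if __name__ == "__main__":
    print("problems:", parse_allowlist(ALLOWED)[1])
    print("would be blocked:", locked_out(RECENT_LOGINS, ALLOWED))
```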
