Users & Permissions
Manage team members, send invites, and control access with role-based permissions.
Templated uses role-based access control (RBAC) to manage who can do what within an account. Every account member has a role that determines their permissions.
Roles
There are four roles, each with an explicit set of permissions. Roles are not hierarchical — each role declares its own permissions independently.
| Role | Description |
|---|---|
| Owner | Full control over the account, including billing, ownership transfer, and deletion. One per account. |
| Admin | Everything except billing and ownership. Can manage team members, integrations, and all templates. |
| Editor | Create and edit templates, export, and view team members. Cannot manage members or account settings. |
| Reviewer | Read-only access. Can view templates and team members but cannot create or modify anything. |
Members
List members
Returns all members of the account. Any authenticated member can call this endpoint.
curl -b cookies.txt \
https://app.templated.email/api/accounts/{slug}/members
Required permission: member:view (all roles)
Response
{
"members": [
{
"id": "mem_abc123",
"userId": "usr_def456",
"email": "owner@example.com",
"name": "Jane Smith",
"image": "https://example.com/avatar.jpg",
"role": "owner",
"joinedAt": "2024-01-15T09:30:00.000Z"
},
{
"id": "mem_ghi789",
"userId": "usr_jkl012",
"email": "editor@example.com",
"name": "Alex Chen",
"image": null,
"role": "editor",
"joinedAt": "2024-03-22T14:15:00.000Z"
}
]
}
Update member role
Change a member's role. You cannot change the owner's role — use ownership transfer instead.
curl -b cookies.txt -X PATCH \
https://app.templated.email/api/accounts/{slug}/members/{memberId} \
-H "Content-Type: application/json" \
-d '{ "role": "admin" }'
Required permission: member:role:change (owner, admin)
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| role | string | Yes | New role: "admin", "editor", or "reviewer" |
Response
{
"message": "Role updated",
"member": {
"id": "mem_ghi789",
"role": "admin"
}
}
Role change restrictions
- Owner role cannot be assigned via this endpoint. The role field only accepts admin, editor, or reviewer.
- Owner's role cannot be changed. Returns 400 with: "Cannot change the owner's role. Use transfer ownership instead."
- Admins cannot change other admins' roles. Only the owner can change an admin's role. Returns 403 if a non-owner attempts this.
Remove member
Remove a member from the account. The member loses all access immediately.
curl -b cookies.txt -X DELETE \
https://app.templated.email/api/accounts/{slug}/members/{memberId}
Required permission: member:remove (owner, admin)
Response
{
"message": "Member removed"
}
Removal restrictions
- The owner cannot be removed. Returns 400 with: "The account owner cannot be removed. Use transfer ownership first."
- Admins cannot remove other admins. Only the owner can remove an admin. Returns 403.
- You cannot remove yourself via this endpoint. Returns 400 with: "Use the leave endpoint to remove yourself from an account."
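The role-change and removal rules above combine a permission check with per-target restrictions. The following is an added example that models them for review or client-side testing; it is not Templated's server code, and the order in which the checks run is an assumption, since the page does not state which error wins when several apply.

```python
# Added example: a model of the documented rules, not Templated's server code.
# Assumption: the order of the checks below (the page does not specify it).
PERMISSIONS = {
    "member:role:change": {"owner", "admin"},
    "member:remove": {"owner", "admin"},
}
ASSIGNABLE_ROLES = {"admin", "editor", "reviewer"}


def check_role_change(actor, target, new_role):
    """Return (status, message) for PATCH .../members/{memberId}."""
    if actor["role"] not in PERMISSIONS["member:role:change"]:
        return 403, "Insufficient permissions"
    if new_role not in ASSIGNABLE_ROLES:  # "owner" is never assignable here
        return 400, "Validation failed"
    if target["role"] == "owner":
        return 400, "Cannot change the owner's role. Use transfer ownership instead."
    if target["role"] == "admin" and actor["role"] != "owner":
        return 403, "Only the account owner can change an admin's role"
    return 200, "Role updated"


def check_removal(actor, target):
    """Return (status, message) for DELETE .../members/{memberId}."""
    if actor["role"] not in PERMISSIONS["member:remove"]:
        return 403, "Insufficient permissions"
    if target["role"] == "owner":
        return 400, "The account owner cannot be removed. Use transfer ownership first."
    if actor["id"] == target["id"]:
        return 400, "Use the leave endpoint to remove yourself from an account."
    if target["role"] == "admin" and actor["role"] != "owner":
        return 403, "Only the account owner can remove an admin"
    return 200, "Member removed"


# Constructed members for the example.
OWNER = {"id": "mem_1", "role": "owner"}
ADMIN_A = {"id": "mem_2", "role": "admin"}
ADMIN_B = {"id": "mem_3", "role": "admin"}
EDITOR = {"id": "mem_4", "role": "editor"}

if __name__ == "__main__":
    print(check_role_change(ADMIN_A, EDITOR, "admin"))   # admin promotes an editor
    print(check_role_change(ADMIN_A, ADMIN_B, "editor")) # admin demotes an admin
    print(check_removal(ADMIN_A, ADMIN_B))               # admin removes an admin
    print(check_removal(OWNER, ADMIN_B))                 # owner removes an admin
```

Under these rules an admin can promote an editor to admin but cannot demote or remove that admin afterwards, so for anyone but the owner an admin grant is one-way.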
Invites
List pending invites
Returns all pending invites for the account.
curl -b cookies.txt \
https://app.templated.email/api/accounts/{slug}/invites
Required permission: member:invite (owner, admin)
Response
{
"invites": [
{
"id": "inv_abc123",
"email": "new-member@example.com",
"role": "editor",
"status": "pending",
"invitedBy": {
"id": "usr_def456",
"name": "Jane Smith",
"email": "owner@example.com"
},
"createdAt": "2024-06-01T10:00:00.000Z",
"expiresAt": "2024-06-08T10:00:00.000Z"
}
]
}
Send invite
Invite someone to join the account by email. The invitee receives an email with a link to accept. Invites expire after 7 days.
curl -b cookies.txt -X POST \
https://app.templated.email/api/accounts/{slug}/invites \
-H "Content-Type: application/json" \
-d '{
"email": "new-member@example.com",
"role": "editor"
}'
Required permission: member:invite (owner, admin)
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Email address of the person to invite |
| role | string | Yes | Role to assign: "admin", "editor", or "reviewer" |
Response 201 Created
{
"message": "Invite sent",
"invite": {
"id": "inv_abc123",
"email": "new-member@example.com",
"role": "editor",
"expiresAt": "2024-06-08T10:00:00.000Z"
}
}
Invite restrictions
- Cannot invite yourself. Returns 400.
- Cannot invite an existing member. Returns 409 with: "This person is already a member of this account."
- Cannot send a duplicate invite. If a pending invite already exists for that email, returns 409 with: "An invite has already been sent to this email."
- Seat limits apply. If the account has reached its plan's team member limit, returns 403 with code SEAT_LIMIT_REACHED.
Revoke invite
Cancel a pending invite before it is accepted.
curl -b cookies.txt -X DELETE \
https://app.templated.email/api/accounts/{slug}/invites/{inviteId}
Required permission: member:invite (owner, admin)
Response
{
"message": "Invite cancelled"
}
Returns 404 if the invite does not exist or has already been accepted/declined.
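The two list endpoints return enough to run a periodic access review. The following added example (not Templated code) checks saved responses against the invariants this page documents: one owner, 7-day invite expiry, and no invite to an existing member. Flagging pending admin invites and comparing emails case-insensitively are assumptions of the example, and the sample data is constructed.

```python
# Added example: an access review over the two list responses; not Templated code.
import json
from datetime import datetime, timedelta

# Constructed sample data in the shape of the documented responses.
MEMBERS = json.loads("""{"members": [
  {"id": "mem_abc123", "email": "owner@example.com", "role": "owner"},
  {"id": "mem_ghi789", "email": "editor@example.com", "role": "editor"},
  {"id": "mem_mno345", "email": "admin@example.com", "role": "admin"}]}""")
INVITES = json.loads("""{"invites": [
  {"id": "inv_abc123", "email": "new-member@example.com", "role": "admin",
   "status": "pending", "createdAt": "2024-06-01T10:00:00.000Z",
   "expiresAt": "2024-06-08T10:00:00.000Z"},
  {"id": "inv_def456", "email": "Editor@example.com", "role": "reviewer",
   "status": "pending", "createdAt": "2024-06-02T10:00:00.000Z",
   "expiresAt": "2024-06-19T10:00:00.000Z"}]}""")


def parse_ts(value):
    # Timestamps on the page look like 2024-06-01T10:00:00.000Z (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def review(members, invites, max_lifetime=timedelta(days=7)):
    """Return a list of (subject, finding) tuples worth a human look."""
    findings = []
    owners = [m for m in members["members"] if m["role"] == "owner"]
    if len(owners) != 1:  # the page states one owner per account
        findings.append(("account", f"expected one owner, found {len(owners)}"))
    # Assumption: emails are compared case-insensitively.
    member_emails = {m["email"].lower() for m in members["members"]}
    for inv in invites["invites"]:
        if inv["role"] == "admin":  # assumption: admin grants get a second look
            findings.append((inv["id"], "pending invite grants admin"))
        if inv["email"].lower() in member_emails:
            findings.append((inv["id"], "invitee is already a member"))
        if parse_ts(inv["expiresAt"]) - parse_ts(inv["createdAt"]) > max_lifetime:
            findings.append((inv["id"], "lifetime exceeds 7 days"))
    return findings


if __name__ == "__main__":
    for subject, finding in review(MEMBERS, INVITES):
        print(subject, finding)
```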
Permission reference
The complete mapping of roles to permissions. A "yes" means the role has that permission; an empty cell means it does not.
Template permissions
| Permission | Owner | Admin | Editor | Reviewer |
|---|---|---|---|---|
| template:create | yes | yes | yes | |
| template:view | yes | yes | yes | yes |
| template:edit:own | yes | yes | yes | |
| template:edit:any | yes | yes | | |
| template:delete:own | yes | yes | yes | |
| template:delete:any | yes | yes | | |
| template:export | yes | yes | yes | |
Team permissions
| Permission | Owner | Admin | Editor | Reviewer |
|---|---|---|---|---|
| member:view | yes | yes | yes | yes |
| member:invite | yes | yes | | |
| member:remove | yes | yes | | |
| member:role:change | yes | yes | | |
Account permissions
| Permission | Owner | Admin | Editor | Reviewer |
|---|---|---|---|---|
| account:settings:view | yes | yes | | |
| account:settings:edit | yes | yes | | |
| account:integrations | yes | yes | | |
| subaccount:create | yes | yes | | |
| subaccount:manage | yes | yes | | |
Billing & ownership
| Permission | Owner | Admin | Editor | Reviewer |
|---|---|---|---|---|
| billing:view | yes | | | |
| billing:manage | yes | | | |
| account:transfer | yes | | | |
| account:delete | yes | | | |
Error responses
400 Bad Request
Returned when the request is invalid.
{
"error": "Validation failed",
"details": {
"role": "Role must be \"admin\", \"editor\", or \"reviewer\""
}
}
Other 400 messages include:
- "Cannot change the owner's role. Use transfer ownership instead."
- "The account owner cannot be removed. Use transfer ownership first."
- "Use the leave endpoint to remove yourself from an account"
- "You cannot invite yourself"
401 Unauthorized
No valid session. Sign in first.
{
"error": "Not authenticated"
}
403 Forbidden
The authenticated user lacks the required permission.
{
"error": "Insufficient permissions"
}
Specific 403 cases:
- "Only the account owner can change an admin's role" -- non-owners attempting to modify admin roles
- "Only the account owner can remove an admin" -- non-owners attempting to remove admins
- Seat limit errors return a code field: { "error": "Your Free plan allows 1 additional team member...", "code": "SEAT_LIMIT_REACHED" }
404 Not Found
The member or invite does not exist in this account.
{
"error": "Member not found"
}
For invites:
{
"error": "Invite not found or already processed"
}
409 Conflict
The request conflicts with existing state.
{
"error": "This person is already a member of this account"
}
Or for duplicate invites:
{
"error": "An invite has already been sent to this email"
}
Next steps
- Authentication -- how sessions work
- Error handling -- full error reference
- Create a template -- get started building emails