Invitations
Prerequisites
Section titled “Prerequisites”- You are an admin or owner on the project.
- SMTP is configured (see SMTP presets) - optional, but without it you must copy the invite URL manually.
Sending an invite
Section titled “Sending an invite”Dashboard → Settings → Memberships → Invite.
Fill in:
- Email - target user’s email.
- Role - viewer / operator / admin / owner.
Submit. With SMTP, the user receives an email with a one-shot URL.
Without SMTP
Section titled “Without SMTP”The dashboard shows the invite URL after submission. Copy and share it (Slack, email, carrier pigeon). Token is still one-shot and expires in 72 hours.
Token properties
Section titled “Token properties”- One-shot: on accept, invalidated.
- Expires: 72 hours.
- Bound to the target email: only that email can accept.
- Stored hashed in Postgres; plaintext is shown to the admin once.
Accepting
Section titled “Accepting”The invite URL points to /invite/{token}:
- If the user has no z4j account, they’re prompted to create one. Email is pre-filled.
- If the user has an account, they sign in, and the role is attached to their existing user.
- Either way, on success, they’re redirected to the project dashboard.
Revoking
Section titled “Revoking”Before acceptance: Settings → Memberships → Pending invites → Revoke.
After acceptance: treat as membership change - demote or remove the member. Their session is invalidated immediately.
Rate limits
Section titled “Rate limits”- Max 20 invites per project per hour.
- Max 5 invites to the same email per 24h.
See rate limits.
Every invite / accept / revoke writes an audit log entry.