Members & access
Invite flow
Each agent has a member list. Members hold their own encrypted OAuth tokens and generate their own member keys — the agent owner cannot see either.
To invite a teammate:
- Open the agent → Members → Invite
- Enter their email address
- Wicket generates a signed invite link (7-day TTL, HMAC-SHA256)
- Share the link — the recipient must sign in with the exact invited email
- After they join, their status is pending — you approve or reject from the Members tab
- Once approved, they generate their member key and configure their MCP client
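How a signed invite link of this kind can be issued and checked, as an added example that is not Wicket's own code. Only HMAC-SHA256, the 7-day TTL and the binding to the invited email come from the steps above; the `payload.tag` token layout, the claim names and the case-insensitive email comparison are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

INVITE_TTL_SECONDS = 7 * 24 * 3600  # 7-day TTL, as stated on the page


class InviteError(Exception):
    """Raised for any invite that must be rejected."""


def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_invite(secret, agent_id, email, now=None):
    """Return 'payload.tag'; this token layout is an assumption, not Wicket's format."""
    issued = int(time.time() if now is None else now)
    claims = {"agent": agent_id, "email": email.strip().lower(),
              "exp": issued + INVITE_TTL_SECONDS}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def verify_invite(secret, token, signed_in_email, now=None):
    """Check the MAC first, then expiry, then the email binding."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong part count, bad base64 (binascii.Error), non-ASCII
        raise InviteError("malformed token")
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise InviteError("bad signature")
    claims = json.loads(payload)  # parsed only after the MAC verified
    if now >= claims["exp"]:
        raise InviteError("expired")
    # Assumption: addresses are compared case-insensitively, with no alias folding.
    if signed_in_email.strip().lower() != claims["email"]:
        raise InviteError("email mismatch")
    return claims
```

Because the email and expiry sit inside the MACed payload, neither can be changed without the server-side secret, and a forwarded link is useless to anyone who cannot sign in as the invited address.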
To remove a member:
Delete them from the Members tab. Their member key is immediately invalidated — no key rotation needed.
Magic link and MFA
See Magic link and MFA for the full sign-in flow, including TOTP setup and backup codes.
Key rotation
Member keys do not expire automatically. Rotate manually when:
- A key may have been exposed
- A team member leaves the organisation
- Your security policy requires periodic rotation
Members rotate their own key from the Members tab → Generate new key. This:
- Generates a new 32-character base64 key
- Re-encrypts all OAuth tokens under the new key
- Invalidates the old key immediately
The new key is shown once — the member must copy it before closing.
Trust modes and per-member policies
Every agent is trusted or untrusted. Trusted agents apply one policy set to all members; untrusted agents carry per-member policies and fail closed for members with none. Within any policy, the principal scope (all_members vs specific_members) further narrows who it covers. See Trust model for how to choose.
Tool sessions
Each member’s live MCP conversations appear as tool sessions — inspect what an agent is doing right now, reset a session, or write session-aware circuit-breaker policies.