Dokploy supports full team collaboration through a built-in role-based access control (RBAC) system. Every user belongs to one or more organizations and is assigned a role that dictates what they can see and do. Owners and admins can invite new members, revoke access, and fine-tune permissions down to the individual service level — all from within the Dokploy dashboard.

Roles

Dokploy ships with three built-in roles plus a special owner role that is assigned automatically when an organization is created.
| Role | Description |
| --- | --- |
| Owner | Full control over the organization. Can manage all resources, settings, and members. The owner role is non-transferable and cannot be assigned via invitation. |
| Admin | Can manage all projects, services, servers, and members (except other admins). Cannot delete the owner or change owner-level settings. |
| Member | Limited access by default. An admin or owner can grant fine-grained permissions to individual projects, services, git providers, and servers. |

The owner account is created automatically during initial setup. There can only be one owner per organization, and the role cannot be transferred or assigned to a new user via an invitation.
Custom roles (Enterprise) can also be defined at the organization level, letting you compose exactly the set of permissions a group of users needs. See the Enterprise overview for details.

Inviting Users

The member invitation flow is a two-step process: first create the invitation record, then optionally dispatch the invitation email. Dokploy creates a time-limited invitation (valid for 48 hours) via organization.inviteMember. On Dokploy Cloud the email is sent automatically. On self-hosted installations, sending the email is a separate step that requires a configured notification provider.
1. Open Organization Settings

   In the Dokploy sidebar, click Settings → Team.

2. Click Invite Member

   Press the Invite Member button in the top-right corner of the Members table.

3. Enter the email address

   Type the recipient’s email address. Dokploy checks whether the address is already a member or has a pending invitation and shows an error if so.

4. Select a role

   Choose admin, member, or any custom role defined for your organization. You cannot invite someone as owner.

5. Create the invitation

   Click Send Invitation. Dokploy calls organization.inviteMember to create the invitation record. On Cloud, the invitation email is dispatched automatically. On self-hosted, call user.sendInvitation with the returned invitationId and a configured notificationId to dispatch the email.

// Step 1: Create the invitation (self-hosted or Cloud)
const invite = await trpc.organization.inviteMember.mutate({
  email: "alice@example.com",
  role: "member",
});

// Step 2 (self-hosted only): Send the invitation email via a configured notification provider
await trpc.user.sendInvitation.mutate({
  invitationId: invite.id,
  notificationId: "notif_abc123", // ID of a configured email/Resend notification provider
});
In self-hosted mode you can also create a user directly with credentials (bypassing the email flow) using user.createUserWithCredentials, which requires member.create permission.

Managing Invitations

All pending invitations for the active organization can be listed with organization.allInvitations. Each entry includes the invitee’s email, their assigned role, and the expiration timestamp. To cancel an outstanding invitation before it is accepted, call organization.removeInvitation with the invitationId. This permanently deletes the record and invalidates the invitation link.
// List all pending invitations
const invitations = await trpc.organization.allInvitations.query();

// Cancel a specific invitation
await trpc.organization.removeInvitation.mutate({ invitationId: "abc123" });
A user can also view the invitations addressed to their own account via user.getInvitations, which returns only non-expired, pending invitations together with the originating organization details.
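
One way to triage the list returned by organization.allInvitations before anything is accepted, as an added example rather than Dokploy code. The field names id, email, role and expiresAt, the allowedDomains policy and the reviewInvitations helper are assumptions of this example.

```javascript
// Added example: triage pending invitations before they are accepted.
// Assumed entry shape: { id, email, role, expiresAt }. The page only states
// that entries carry the email, the role and an expiration timestamp.
const PRIVILEGED_ROLES = new Set(["admin"]); // add privileged custom role names here

function reviewInvitations(invitations, { allowedDomains, now = new Date() }) {
  const allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
  return invitations.map((inv) => {
    const reasons = [];
    const email = String(inv.email);
    const domain = email.slice(email.lastIndexOf("@") + 1).toLowerCase();
    if (!allowed.has(domain)) reasons.push("external-domain");
    if (PRIVILEGED_ROLES.has(inv.role)) reasons.push("privileged-role");

    const expires = new Date(inv.expiresAt);
    if (Number.isNaN(expires.getTime())) reasons.push("bad-expiry");
    else if (expires <= now) reasons.push("expired");

    // Revoke stale records and privileged invitations sent outside the
    // allowed domains; anything else with a reason goes to a human.
    const stale = reasons.includes("expired") || reasons.includes("bad-expiry");
    const risky = reasons.includes("external-domain") && reasons.includes("privileged-role");
    const action = stale || risky ? "revoke" : reasons.length > 0 ? "review" : "ok";
    return { id: inv.id, email, role: inv.role, reasons, action };
  });
}

// Constructed sample data, not real Dokploy output.
const sampleInvitations = [
  { id: "inv_1", email: "alice@example.com", role: "member", expiresAt: "2030-01-02T00:00:00Z" },
  { id: "inv_2", email: "bob@contractor.test", role: "admin", expiresAt: "2030-01-02T00:00:00Z" },
  { id: "inv_3", email: "carol@contractor.test", role: "member", expiresAt: "2030-01-02T00:00:00Z" },
  { id: "inv_4", email: "dave@example.com", role: "admin", expiresAt: "2029-12-30T00:00:00Z" },
];

const report = reviewInvitations(sampleInvitations, {
  allowedDomains: ["example.com"],
  now: new Date("2030-01-01T00:00:00Z"),
});
console.log(report.filter((r) => r.action !== "ok"));
```

Entries marked revoke can be cancelled by passing their id as the invitationId to organization.removeInvitation.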

Assigning Permissions

For member-role users, an owner or admin can configure granular permissions using user.assignPermissions. These flags override the defaults set by the built-in member role and control exactly which resources the user can interact with. The following permission flags are available:
| Flag | Effect |
| --- | --- |
| accessedProjects | Array of project IDs the member can see and work in |
| accessedServices | Array of service IDs the member can access |
| accessedEnvironments | Array of environment IDs the member can read |
| accessedGitProviders | Array of git provider IDs (requires valid license) |
| accessedServers | Array of server IDs (requires valid license) |
| canCreateProjects | Allow the member to create new projects |
| canDeleteProjects | Allow the member to delete projects |
| canCreateServices | Allow the member to create services inside accessible projects |
| canDeleteServices | Allow the member to delete services |
| canCreateEnvironments | Allow the member to create environments |
| canDeleteEnvironments | Allow the member to delete environments |
| canAccessToDocker | Grant access to the Docker panel |
| canAccessToTraefikFiles | Grant access to Traefik configuration files |
| canAccessToAPI | Grant access to the API key management section |
| canAccessToSSHKeys | Grant access to SSH key management |
| canAccessToGitProviders | Grant access to Git provider configuration |

await trpc.user.assignPermissions.mutate({
  id: "user_abc",
  accessedProjects: ["proj_1", "proj_2"],
  canCreateServices: true,
  canDeleteServices: false,
  canAccessToDocker: true,
});
Only the organization owner (verified by matching ownerId) can call user.assignPermissions.
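
A least-privilege review over the flags listed above, as an added example that is not Dokploy's own code. It assumes each member record exposes the flags as top-level properties (for instance as read back with user.one); the severity grouping and the helper names are this example's choices.

```javascript
// Added example: least-privilege review of member permission flags.
// Flag names are from the table above; the severity grouping and the flat
// record shape (flags directly on each member object) are assumptions.
const SENSITIVE_FLAGS = [
  "canAccessToDocker",
  "canAccessToTraefikFiles",
  "canAccessToAPI",
  "canAccessToSSHKeys",
  "canAccessToGitProviders",
];
const DELETE_FLAGS = ["canDeleteProjects", "canDeleteServices", "canDeleteEnvironments"];

function auditMemberPermissions(member) {
  const findings = [];
  const has = (flag) => member[flag] === true;
  const size = (list) => (Array.isArray(member[list]) ? member[list].length : 0);

  for (const flag of SENSITIVE_FLAGS) {
    if (has(flag)) findings.push({ severity: "high", flag, reason: "platform-level access" });
  }
  for (const flag of DELETE_FLAGS) {
    if (has(flag)) findings.push({ severity: "medium", flag, reason: "destructive permission" });
  }
  // Services are created inside accessible projects, so this grant next to an
  // empty accessedProjects list has nothing to act on and deserves a second look.
  if (has("canCreateServices") && size("accessedProjects") === 0) {
    findings.push({ severity: "low", flag: "canCreateServices", reason: "no accessible projects listed" });
  }
  return findings;
}

// Keep only members that have at least one finding.
function auditAll(members) {
  return members
    .map((m) => ({ id: m.id, findings: auditMemberPermissions(m) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample records, not real Dokploy output.
const sampleMembers = [
  { id: "user_abc", accessedProjects: ["proj_1", "proj_2"], canCreateServices: true, canDeleteServices: false, canAccessToDocker: true },
  { id: "user_def", accessedProjects: [], canCreateServices: true, canDeleteProjects: true },
  { id: "user_ghi", accessedProjects: ["proj_1"], canCreateServices: true },
];

console.log(JSON.stringify(auditAll(sampleMembers), null, 2));
```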

Viewing Team Members

Call user.all to retrieve every member of the active organization, ordered by join date. The response includes each member’s role and their linked user record (name, email, avatar).
const members = await trpc.user.all.query();
// Returns: Array<{ role, createdAt, user: { id, email, firstName, lastName } }>
To inspect a single member — for example, to view their current permission flags — use user.one with a userId. Owners and admins can look up any member; regular members can only query themselves unless they hold the member.update permission.

Removing Users

Owners and admins can remove a member from the organization with user.remove. The following rules apply:
  • The owner cannot be removed.
  • An admin cannot remove themselves.
  • An admin cannot remove another admin — only the owner can do that.
await trpc.user.remove.mutate({ userId: "user_xyz" });
Removing a user from an organization does not delete their Dokploy account. If the user belongs to multiple organizations they retain access to those other workspaces. Use user.checkUserOrganizations to check how many organizations a user currently belongs to before removing them.

Root Access

On Dokploy Cloud, user.haveRootAccess checks whether the calling user is the platform-level super-admin (identified via the USER_ADMIN_ID environment variable) or is operating under an impersonation session initiated by that admin. This check is only meaningful on Cloud; it always returns false on self-hosted installations.
const isRoot = await trpc.user.haveRootAccess.query();

API Keys per User

Every Dokploy user can generate personal API keys for programmatic access. Keys are scoped to a specific organization and support optional rate limiting and request capping.

Create an API key
const key = await trpc.user.createApiKey.mutate({
  name: "CI Deploy Key",
  metadata: { organizationId: "org_abc" },
  expiresIn: 2592000, // 30 days in seconds
  rateLimitEnabled: true,
  rateLimitMax: 100,
  rateLimitTimeWindow: 60000, // 1 minute
});
// key.key contains the raw secret — store it securely, it won't be shown again
Delete an API key
await trpc.user.deleteApiKey.mutate({ apiKeyId: "key_abc" });
Only the owner of the key (matched by referenceId) can delete it. Use user.generateToken to obtain a short-lived session token for webhook or CI contexts.
