Dokploy supports full team collaboration through a built-in role-based access control (RBAC) system. Every user belongs to one or more organizations and is assigned a role that dictates what they can see and do. Owners and admins can invite new members, revoke access, and fine-tune permissions down to the individual service level — all from within the Dokploy dashboard.
Roles
Dokploy ships with three built-in roles plus a special owner role that is assigned automatically when an organization is created.

| Role | Description |
|---|---|
| Owner | Full control over the organization. Can manage all resources, settings, and members. The owner role is non-transferable and cannot be assigned via invitation. |
| Admin | Can manage all projects, services, servers, and members (except other admins). Cannot delete the owner or change owner-level settings. |
| Member | Limited access by default. An admin or owner can grant fine-grained permissions to individual projects, services, git providers, and servers. |
The owner account is created automatically during initial setup. There can only be one owner per organization, and the role cannot be transferred or assigned to a new user via an invitation.
Inviting Users
The member invitation flow is a two-step process: first create the invitation record, then optionally dispatch the invitation email. Dokploy creates a time-limited invitation (valid for 48 hours) via organization.inviteMember. On Dokploy Cloud the email is sent automatically. On self-hosted installations, sending the email is a separate step that requires a configured notification provider.
Enter the email address
Type the recipient’s email address. Dokploy checks whether the address is already a member or has a pending invitation and shows an error if so.
Select a role
Choose admin, member, or any custom role defined for your organization. You cannot invite someone as owner.
Create the invitation
Click Send Invitation. Dokploy calls organization.inviteMember to create the invitation record. On Cloud, the invitation email is dispatched automatically. On self-hosted, call user.sendInvitation with the returned invitationId and a configured notificationId to dispatch the email.
user.createUserWithCredentials, which requires member.create permission.
Managing Invitations
All pending invitations for the active organization can be listed with organization.allInvitations. Each entry includes the invitee’s email, their assigned role, and the expiration timestamp.
To cancel an outstanding invitation before it is accepted, call organization.removeInvitation with the invitationId. This permanently deletes the record and invalidates the invitation link.
user.getInvitations, which returns only non-expired, pending invitations together with the originating organization details.
Assigning Permissions
For member-role users, an owner or admin can configure granular permissions using user.assignPermissions. These flags override the defaults set by the built-in member role and control exactly which resources the user can interact with.
The following permission flags are available:
| Flag | Effect |
|---|---|
| accessedProjects | Array of project IDs the member can see and work in |
| accessedServices | Array of service IDs the member can access |
| accessedEnvironments | Array of environment IDs the member can read |
| accessedGitProviders | Array of git provider IDs (requires valid license) |
| accessedServers | Array of server IDs (requires valid license) |
| canCreateProjects | Allow the member to create new projects |
| canDeleteProjects | Allow the member to delete projects |
| canCreateServices | Allow the member to create services inside accessible projects |
| canDeleteServices | Allow the member to delete services |
| canCreateEnvironments | Allow the member to create environments |
| canDeleteEnvironments | Allow the member to delete environments |
| canAccessToDocker | Grant access to the Docker panel |
| canAccessToTraefikFiles | Grant access to Traefik configuration files |
| canAccessToAPI | Grant access to the API key management section |
| canAccessToSSHKeys | Grant access to SSH key management |
| canAccessToGitProviders | Grant access to Git provider configuration |
ownerId) can call user.assignPermissions.
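The flags above lend themselves to a periodic least-privilege review. The following is an added example, not Dokploy's own code: it assumes member permission records have been exported into the hypothetical MemberGrant shape, and the choice of which flags count as sensitive is an assumption.

```typescript
// Added example, not Dokploy code. Flag names come from the table above;
// the record shape and the set of flags treated as sensitive are assumptions.
interface MemberGrant {
  email: string;
  accessedProjects: string[];
  canCreateServices: boolean;
  canDeleteProjects: boolean;
  canDeleteServices: boolean;
  canAccessToDocker: boolean;
  canAccessToTraefikFiles: boolean;
  canAccessToSSHKeys: boolean;
}

const SENSITIVE_FLAGS = [
  "canAccessToDocker", "canAccessToTraefikFiles", "canAccessToSSHKeys",
  "canDeleteProjects", "canDeleteServices",
] as const;

// Findings for one member: sensitive flags set, or a create grant with no project.
function auditMember(m: MemberGrant): string[] {
  const findings: string[] = [];
  for (const flag of SENSITIVE_FLAGS) {
    if (m[flag]) findings.push(`${flag} is granted`);
  }
  if (m.canCreateServices && m.accessedProjects.length === 0) {
    findings.push("canCreateServices is set but accessedProjects is empty");
  }
  return findings;
}

// Members with at least one finding, most findings first.
function auditOrganization(members: MemberGrant[]) {
  return members
    .map((m) => ({ email: m.email, findings: auditMember(m) }))
    .filter((r) => r.findings.length > 0)
    .sort((a, b) => b.findings.length - a.findings.length);
}

// Constructed sample records, not real Dokploy data.
const none = {
  accessedProjects: [] as string[], canCreateServices: false,
  canDeleteProjects: false, canDeleteServices: false,
  canAccessToDocker: false, canAccessToTraefikFiles: false, canAccessToSSHKeys: false,
};
const sampleMembers: MemberGrant[] = [
  { ...none, email: "dev@example.test", accessedProjects: ["proj-1"], canCreateServices: true },
  { ...none, email: "ops@example.test", accessedProjects: ["proj-1"],
    canAccessToDocker: true, canAccessToSSHKeys: true, canDeleteServices: true },
  { ...none, email: "new@example.test", canCreateServices: true },
];
```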
Viewing Team Members
Call user.all to retrieve every member of the active organization, ordered by join date. The response includes each member’s role and their linked user record (name, email, avatar).
user.one with a userId. Owners and admins can look up any member; regular members can only query themselves unless they hold the member.update permission.
Removing Users
Owners and admins can remove a member from the organization with user.remove. The following rules apply:
- The owner cannot be removed.
- An admin cannot remove themselves.
- An admin cannot remove another admin — only the owner can do that.
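The removal rules above written out as a deny-by-default decision function, usable as an expected-result matrix when testing an instance. This is an added example, not Dokploy's implementation; OrgMember, decideRemoval and removalMatrix are hypothetical names, and custom roles are not modelled.

```typescript
// Added example (not Dokploy code): the removal rules above as a
// deny-by-default decision function. All names here are hypothetical.
type Role = "owner" | "admin" | "member";
interface OrgMember { userId: string; role: Role; }
interface Decision { allowed: boolean; reason: string; }

function decideRemoval(actor: OrgMember, target: OrgMember): Decision {
  // Rule 1: the owner can never be removed, whoever asks.
  if (target.role === "owner") {
    return { allowed: false, reason: "owner cannot be removed" };
  }
  if (actor.role === "owner") {
    return { allowed: true, reason: "owner may remove admins and members" };
  }
  if (actor.role === "admin") {
    // Rule 2: an admin cannot remove themselves.
    if (actor.userId === target.userId) {
      return { allowed: false, reason: "admin cannot remove themselves" };
    }
    // Rule 3: only the owner can remove an admin.
    if (target.role === "admin") {
      return { allowed: false, reason: "admin cannot remove another admin" };
    }
    return { allowed: true, reason: "admin may remove members" };
  }
  // Any other actor (plain members in this model) is denied.
  return { allowed: false, reason: "only owners and admins can remove users" };
}

// Constructed identities covering each role, with two admins.
const owner: OrgMember = { userId: "u-owner", role: "owner" };
const adminA: OrgMember = { userId: "u-admin-a", role: "admin" };
const adminB: OrgMember = { userId: "u-admin-b", role: "admin" };
const member: OrgMember = { userId: "u-member", role: "member" };

// Every actor/target pair with its verdict, for comparison with observed behaviour.
function removalMatrix(people: OrgMember[]): string[] {
  const rows: string[] = [];
  for (const a of people) {
    for (const t of people) {
      const verdict = decideRemoval(a, t).allowed ? "allow" : "deny";
      rows.push(`${a.userId} -> ${t.userId}: ${verdict}`);
    }
  }
  return rows;
}
```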
Removing a user from an organization does not delete their Dokploy account. If the user belongs to multiple organizations they retain access to those other workspaces. Use user.checkUserOrganizations to check how many organizations a user currently belongs to before removing them.
Root Access
On Dokploy Cloud, user.haveRootAccess checks whether the calling user is the platform-level super-admin (identified via the USER_ADMIN_ID environment variable) or is operating under an impersonation session initiated by that admin. This check is only meaningful on Cloud; it always returns false on self-hosted installations.
API Keys per User
Every Dokploy user can generate personal API keys for programmatic access. Keys are scoped to a specific organization and support optional rate limiting and request capping.
Create an API key
referenceId) can delete it. Use user.generateToken to obtain a short-lived session token for webhook or CI contexts.