User Management
Overview
User Management lets Team and Enterprise tenants invite team members, assign permissions, manage API tokens, and create automation keys. Use it to give each person or integration the access they need without sharing owner credentials.
Review access regularly, especially before production releases, staffing changes, SSO rollout, or automation-key rotation.
User Limits
| Plan | Maximum Users |
|---|---|
| Free | 1 (owner only) |
| Team | 20 users |
| Enterprise | 100 users |
These limits include the tenant owner. Contact support if you need an increased user limit.
Managing Users
Add A User
- Open User Management in the sidebar.
- Click Add User.
- Enter the user's email address.
- The user receives an invitation email and can access the tenant after login.
New users start with no elevated permissions. Assign permissions deliberately after confirming their role.
Remove A User
- Find the user in the user list.
- Click Remove next to their name.
- Confirm the removal.
The user immediately loses tenant access.
Lockout prevention: You cannot remove the last user who has user_and_api_management permission. At least one user must always retain the ability to manage other users to prevent account lockout.
Self-removal: Users cannot remove themselves. Another user with user_and_api_management permission must remove them.
User Permissions
Each user can be assigned granular permissions that control what they can do within the tenant:
| Permission | Access Granted |
|---|---|
| modify_configuration | Edit security controls, toggle detections/preventions, set response actions, save and promote configurations |
| update_certificates | Upload, delete, and manage certificate pinning entries |
| build_applications | Upload apps, trigger builds, download protected binaries, view build logs |
| manage_custom_messages | Edit custom in-app message templates, toggle message activation |
| user_and_api_management | Add/remove users, change permissions, create/delete API tokens |
| modify_tenant_settings | Change tenant name, subscription, billing settings, deployment settings, privacy controls |
Permissions are additive. A user with no elevated permissions can view supported areas in read-only mode but cannot make changes.
Suggested Roles
| Role | Typical permissions |
|---|---|
| Tenant owner or platform admin | All permissions, reviewed periodically. |
| Security engineer | modify_configuration, update_certificates, and log access where plan allows. |
| Release engineer | build_applications and automation-key access. |
| Support or compliance reviewer | Read-only access plus logs where appropriate. |
| CI/CD integration token | Only the permissions required by the integration. Use automation keys for build-only workflows. |
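The lockout rule and the suggested-role table above can be checked offline before a periodic access review. The script below is an added example, not part of this documentation and not AppTego's own code: the User dataclass, the role labels, the sample e-mail addresses and the export shape are constructed for the example, while the permission names are the ones listed in the permissions table.

```python
# Added example (not part of the AppTego documentation): an offline access
# review over a tenant user list. The User dataclass, role labels and sample
# e-mail addresses are constructed for this example; the permission names are
# the ones documented in the permissions table.
from dataclasses import dataclass, field

ALL_PERMISSIONS = frozenset({
    "modify_configuration",
    "update_certificates",
    "build_applications",
    "manage_custom_messages",
    "user_and_api_management",
    "modify_tenant_settings",
})

# Suggested roles expressed as the most a holder of that role should have.
# Read-only roles (support / compliance reviewer) hold no elevated permission.
ROLE_CEILINGS = {
    "platform_admin": ALL_PERMISSIONS,
    "security_engineer": frozenset({"modify_configuration", "update_certificates"}),
    "release_engineer": frozenset({"build_applications"}),
    "reviewer": frozenset(),
}


@dataclass
class User:
    email: str
    role: str                    # label from your own inventory, not a platform field
    permissions: set = field(default_factory=set)
    is_owner: bool = False


def review_access(users):
    """Return (severity, message) findings; an empty list means the review is clean."""
    findings = []
    managers = [u for u in users if "user_and_api_management" in u.permissions]
    if not managers:
        # Should be impossible on a live tenant (the UI refuses to remove the
        # last manager), so an export that shows it is itself suspicious.
        findings.append(("critical", "no user holds user_and_api_management"))
    elif len(managers) == 1:
        # The page recommends a second trusted manager on paid tenants.
        findings.append(("warning", f"{managers[0].email} is the only user who can manage users"))
    for u in users:
        unknown = set(u.permissions) - ALL_PERMISSIONS
        if unknown:
            findings.append(("error", f"{u.email}: unknown permissions {sorted(unknown)}"))
        ceiling = ROLE_CEILINGS.get(u.role)
        if ceiling is None:
            findings.append(("warning", f"{u.email}: unrecognised role {u.role!r}"))
            continue
        excess = (set(u.permissions) & ALL_PERMISSIONS) - ceiling
        if excess:
            findings.append(("warning", f"{u.email} ({u.role}) exceeds role ceiling: {sorted(excess)}"))
    return findings


def can_remove(actor, target, users):
    """Mirror the documented removal rules before calling the real UI/API."""
    if "user_and_api_management" not in actor.permissions:
        return False, "actor lacks user_and_api_management"
    if actor.email == target.email:
        return False, "users cannot remove themselves"
    if target.is_owner:
        return False, "the owner account cannot be removed"
    others = [u for u in users
              if u.email != target.email and "user_and_api_management" in u.permissions]
    if not others:
        return False, "target is the last user with user_and_api_management"
    return True, "ok"


# Constructed sample export.
SAMPLE_USERS = [
    User("owner@example.com", "platform_admin", set(ALL_PERMISSIONS), is_owner=True),
    User("sec@example.com", "security_engineer",
         {"modify_configuration", "update_certificates", "modify_tenant_settings"}),
    User("release@example.com", "release_engineer", {"build_applications"}),
    User("audit@example.com", "reviewer"),
]

if __name__ == "__main__":
    for severity, message in review_access(SAMPLE_USERS):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the review flags that only the owner can manage users and that the security engineer holds modify_tenant_settings beyond the suggested role ceiling; can_remove applies the self-removal, owner and last-manager rules so a scripted cleanup refuses the same removals the UI would.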
Update Permissions
- Select a user in the list.
- Toggle individual permissions on or off.
- Click Save to apply changes.
Permission changes take effect immediately or on the user's next page load.
Breakglass Account
Each tenant has an owner account. The owner has full permissions and cannot be removed. Keep the owner account secure and ensure at least one additional trusted user has management permissions on paid tenants.
Enterprise tenants that enforce SAML SSO must also select a SAML breakglass account from users who have user_and_api_management. See SAML SSO Integration.
API Token Management
API tokens allow programmatic access to the AppTego Management API without sharing user credentials. Create separate tokens for separate systems so each one can be scoped, rotated, and revoked independently.
Create An API Token
- Open User Management -> API Tokens.
- Click Create Token.
- Give the token a clear name, such as Compliance Export or Internal Dashboard.
- Select only the permissions the integration needs.
- Copy the generated token. The secret is shown only once.
Token Format
Bearer <key_id>:<key_secret>
Use API Tokens
Include the token in the Authorization header of Management API requests:
Authorization: Bearer abc123:xyz789
See the Management API Overview for full API documentation.
Delete A Token
- Find the token in the list.
- Click Delete.
- Confirm deletion.
The token is immediately invalidated.
Note: Deleting a token cannot be undone. Any systems using that token will immediately lose access.
Token Best Practices
- Create separate tokens for each integration.
- Use the minimum required permissions for each token.
- Rotate tokens periodically.
- Delete unused tokens promptly.
- Never commit tokens to source control.
- Store tokens in environment variables, secret managers, or platform vaults.
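The token format, the Authorization header and the best practices above can be put together in a small client-side helper. The code below is an added example, not AppTego's own client code: the environment variable name APPTEGO_API_TOKEN, the token character set and the constructed source snippet are assumptions for the example; the Bearer key_id:key_secret shape and the sample value abc123:xyz789 come from this page.

```python
# Added example (not AppTego's own client code): handle a Management API token
# the way the practices above describe. The environment variable name and the
# token character set are assumptions for this example; the "Bearer
# <key_id>:<key_secret>" shape and the sample value abc123:xyz789 come from
# the documentation.
import os
import re

TOKEN_RE = re.compile(r"^([A-Za-z0-9_-]+):([A-Za-z0-9_-]+)$")


def parse_token(raw):
    """Split a token into (key_id, key_secret), rejecting anything malformed
    (including a value that already carries the 'Bearer ' prefix)."""
    m = TOKEN_RE.match(raw.strip())
    if not m:
        raise ValueError("token must look like <key_id>:<key_secret>")
    return m.group(1), m.group(2)


def load_token(env_var="APPTEGO_API_TOKEN", environ=None):
    """Read the token from the environment (or an injected mapping) instead of
    source code, so it can come from a secret manager at deploy time."""
    environ = os.environ if environ is None else environ
    raw = environ.get(env_var)
    if not raw:
        raise RuntimeError(f"{env_var} is not set")
    parse_token(raw)  # fail fast on a malformed value
    return raw


def auth_header(raw):
    """Build the Authorization header documented for Management API requests."""
    key_id, key_secret = parse_token(raw)
    return {"Authorization": f"Bearer {key_id}:{key_secret}"}


def redact(raw):
    """Log-safe form: key_id identifies which token was used; the secret is hidden."""
    key_id, _ = parse_token(raw)
    return f"{key_id}:<redacted>"


# Pattern for a pre-commit scan: a literal bearer token in source or config.
COMMITTED_TOKEN_RE = re.compile(r"Bearer\s+[A-Za-z0-9_-]+:[A-Za-z0-9_-]+")


def find_committed_tokens(text):
    """Return 1-based line numbers that carry a literal token."""
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if COMMITTED_TOKEN_RE.search(line)]


# Constructed file contents: line 2 hard-codes a token, line 3 does it right.
SAMPLE_SOURCE = """import os
HEADERS = {"Authorization": "Bearer abc123:xyz789"}
HEADERS_OK = auth_header(os.environ["APPTEGO_API_TOKEN"])
"""

if __name__ == "__main__":
    token = load_token(environ={"APPTEGO_API_TOKEN": "abc123:xyz789"})
    print("using token", redact(token))
    print(auth_header(token))
    print("hard-coded tokens on lines:", find_committed_tokens(SAMPLE_SOURCE))
```

Use redact() in every log line that mentions a token so the key_id (useful for matching against the Audit Log) is kept while the secret never reaches log storage; find_committed_tokens() is the shape of check a pre-commit hook or CI lint can run to enforce the "never commit tokens" rule.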
Automation Keys (Team+)
For the Automation API (CI/CD integration), separate automation keys are available with a simplified format designed for build pipelines.
Manage Automation Keys
- Open Automation Keys in the sidebar.
- Create a new key, toggle an existing key on or off, or delete a key.
- Store each key only in the CI or release system that needs it.
Using Automation Keys
Automation keys are used with:
- Automation API — direct API calls to protect apps
- GitHub Action — the apptego-mobile-protect action
- CircleCI Orb — the apptego/protect orb
Automation keys are scoped to application-build automation. They cannot modify configurations, manage users, or access billing.
Audit Trail
All user management actions are recorded in the Audit Log (Enterprise):
- User added or removed
- Permissions changed
- API tokens created or deleted
- Automation keys created, toggled, or deleted