Overview
This document describes how user access is resolved in Voidr, including:
- First login behavior
- Workspace membership resolution
- Invite processing
- Domain-based join requests
- Team and role management
- Strict workspace isolation
- Deterministic access resolution
- Explicit approval paths
- Minimal friction for legitimate users
Core Concepts
- Workspace: An isolated environment for a customer or organization. All applications, executions, monitoring, and team members are scoped to a workspace.
- Member: A user with access to a workspace.
- Invite: An explicit access grant sent to a specific email address via the platform.
- Join Request (Domain-based access): A user-initiated access request triggered when their email domain matches a workspace’s allowed domains. Requires approval.
- Profile Setup: Mandatory user metadata collection performed once on first login.
Access Resolution Flow
Access resolution happens immediately after login.
- User authenticates.
- If first login → Profile Setup is required.
- System evaluates workspace state.
- User is routed to:
  - /dashboard (single workspace access), or
  - /choose-organization (selection or pending state).
1. First Login — Profile Setup
On first login, users must complete profile configuration before any workspace decision is made.
Required Fields
- Full Name
- Preferred Language
- Timezone
Read-only
Optional
- Avatar
Profile Setup is shown exactly once and blocks further navigation until completed.
2. Workspace Resolution States
After login (and profile setup when applicable), the system evaluates the user against workspace membership and access rules.
2.1 No Workspace Access
State A — Awaiting Invite
Conditions:
- User does not belong to any workspace.
- No pending invites exist.
- No allowed-domain match is found.
- User sees an “Awaiting Invite” screen.
- Only logout is available.
- A workspace Admin or Member must send an invite.
State B — Domain Match Available
Conditions:
- User does not belong to any workspace.
- No pending invites exist.
- Email domain matches one or more workspace allowed domains.
- System displays matching workspaces.
- User can click Request Access.
- A Join Request is created.
- Status becomes Pending.
- Access is granted only after approval.
Domain matching never grants automatic access. Explicit approval is always required.
2.2 Existing Workspace Access
State C — Single Workspace
Conditions:
- User belongs to exactly one workspace.
- No additional invites pending.
- Direct redirect to /dashboard.
State D — Multiple Workspaces
Conditions:
- User belongs to more than one workspace.
- /choose-organization screen is shown.
- User selects which workspace to enter.
State E — Invite Auto-Resolution
If an invite exists for the authenticated email:
- Invite is processed automatically at login.
- User is added to the workspace.
- Routing occurs based on resulting workspace count:
  - 1 workspace → /dashboard
  - Multiple → /choose-organization
There is no manual “accept invite” step. Authentication with the invited email is sufficient.
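The resolution states A to E above can be expressed as one deterministic function. The sketch below is an added example, not Voidr's own code: the `Directory` store, the function names, case-insensitive email comparison, exact domain matching, and routing both no-access states to /choose-organization are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Hypothetical in-memory store; every name here is an assumption."""
    members: dict = field(default_factory=dict)          # workspace -> set of emails
    invites: dict = field(default_factory=dict)          # workspace -> invited emails
    allowed_domains: dict = field(default_factory=dict)  # workspace -> set of domains
    join_requests: dict = field(default_factory=dict)    # (workspace, email) -> status

def resolve_access(d, email):
    """Return (state, route, available_workspaces) for an authenticated email."""
    email = email.strip().lower()  # assumption: addresses compare case-insensitively
    domain = email.rsplit("@", 1)[-1]
    # State E: pending invites are consumed at login, before routing.
    invited = False
    for ws, pending in d.invites.items():
        if email in pending:
            pending.discard(email)
            d.members.setdefault(ws, set()).add(email)
            invited = True
    joined = sorted(ws for ws, m in d.members.items() if email in m)
    # A domain match only lists a workspace; it never adds a member.
    available = sorted(ws for ws, doms in d.allowed_domains.items()
                       if domain in doms and ws not in joined)
    if len(joined) == 1:
        return ("E" if invited else "C", "/dashboard", available)
    if len(joined) > 1:
        return ("E" if invited else "D", "/choose-organization", available)
    # Assumption: both no-access states render under /choose-organization.
    return ("B" if available else "A", "/choose-organization", available)

def request_access(d, ws, email):
    """State B action: record a Pending join request; membership is unchanged."""
    email = email.strip().lower()
    if email.rsplit("@", 1)[-1] not in d.allowed_domains.get(ws, set()):
        raise PermissionError("email domain is not allowed for this workspace")
    d.join_requests[(ws, email)] = "Pending"

def approve(d, ws, email):
    """Approval is the only path from a join request to membership."""
    if d.join_requests.get((ws, email)) != "Pending":
        raise LookupError("no pending join request")
    del d.join_requests[(ws, email)]
    d.members.setdefault(ws, set()).add(email)
```

Because invites are consumed before membership is counted, a second login by the same invited user resolves as state C or D rather than E.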
3. Workspace Selector
The Workspace Selector allows:
- Switching between existing workspaces.
- Viewing domain-matched workspaces.
- Requesting access directly from the UI.
Possible States
| State | Meaning | Action |
|---|---|---|
| Member | User belongs to workspace | Direct access |
| Available | Domain match | Request access |
| Pending | Awaiting approval | No action available |
4. Invites
Invites are fully managed within Voidr.
Sending an Invite
Path:
- Enter email.
- Send invite.
- User logs in.
- System detects invite.
- User is automatically added to the workspace.
5. Join Requests (Domain-Based Access)
Join Requests are generated when a user clicks Request Access due to domain match.
Managing Join Requests
Path:
- Approve
- Reject
- User becomes a workspace Member.