---
title: Roles and Permissions
description: Who can do what in your Churnkey workspace.
---
Every member of a workspace is assigned a **role**. The role decides which areas of the dashboard the person can open, which actions they can take, and whether they can manage other team members. Roles live on the [Team page](https://app.churnkey.co/team) and are scoped per workspace, so the same email can be an Owner in one workspace and a Viewer in another.
This page is the reference for the five roles available today, what each one can do, and how to manage them.
## The five roles
- **Owner**
The highest level of access. Owners can manage the entire workspace, including billing, team membership, payment provider connections, and account-wide security settings such as 2FA enforcement. There is one Owner per workspace and the role is set when the workspace is created.
- **Admin**
Same broad access as the Owner across day-to-day operations. Admins can edit Cancel Flows, Payment Recovery, and Reactivation campaigns, manage billing, invite and manage team members, and connect or disconnect payment providers. Admins cannot enforce account-level 2FA.
- **Developer**
Built for engineers integrating Churnkey. Developers can edit Cancel Flows, Payment Recovery, and Reactivation campaigns, manage API keys, and configure custom domains. They do not have access to billing or team management.
- **Member**
Day-to-day operator role. Members can edit Cancel Flows, Payment Recovery, and Reactivation campaigns. They cannot access billing, team management, API keys, or payment provider settings.
- **Viewer**
Read-only access. Viewers can browse Cancel Flows, Payment Recovery, Reactivations, and the analytics pages, but cannot create or edit anything.
## Permissions reference
The matrix below summarizes what each role can do across the dashboard. **Edit** means the role can both view and change the area. **View** means read-only access. A dash means the role does not have access.
| Capability | Owner | Admin | Developer | Member | Viewer |
| ----------------------------------------------------------------- | ----- | ----- | --------- | ------ | ------ |
| Cancel Flows | Edit | Edit | Edit | Edit | View |
| Payment Recovery | Edit | Edit | Edit | Edit | View |
| Reactivations | Edit | Edit | Edit | Edit | View |
| Billing and invoices | Edit | Edit | View | View | View |
| Team management | Edit | Edit | View | View | View |
| Payment provider | Edit | Edit | View | View | View |
| API keys | Edit | Edit | Edit | - | - |
| Custom domains | Edit | Edit | Edit | View | View |
| Data export ([CSV from analytics](/cancel-flows/analytics/session-outcomes#exporting-data)) | Yes | Yes | - | - | - |
| Account-level 2FA enforcement | Yes | - | - | - | - |
## Capabilities by feature area
### Cancel Flows
Owner, Admin, Developer, and Member can create new flows, edit existing ones, configure segments, and publish changes. Viewer can browse the flow builder and analytics in read-only mode. See [Cancel Flow configuration](/cancel-flows/quick-start-guide) for what these areas cover.
### Payment Recovery
Owner, Admin, Developer, and Member can edit Payment Recovery campaigns, exclusions, and advanced settings. Viewer can browse campaigns and analytics in read-only mode. See [Payment Recovery getting started](/failed-payment-recovery/payment-recovery).
### Reactivations
Owner, Admin, Developer, and Member can edit Reactivation campaigns and exclusions. Viewer is read-only. See [Reactivations](/reactivations/reactivations).
### Billing and invoices
Owner and Admin can view invoices, update the payment method on file, and cancel the Churnkey subscription. Developer, Member, and Viewer can see the billing page but cannot make changes.
### Team management
Owner and Admin can invite new members, change roles, and remove members from the workspace. Developer, Member, and Viewer can see the Team page but cannot edit anyone.
### Payment provider
Owner and Admin can connect or disconnect billing providers (Stripe, Chargebee, Braintree, Paddle, Maxio). Developer, Member, and Viewer can see the configured provider but cannot change the connection.
### API keys
Owner, Admin, and Developer can create and revoke API keys for the workspace. Member and Viewer cannot access API keys at all.
### Custom domains
Owner, Admin, and Developer can configure custom domains for hosted Churnkey pages and custom sender domains for emails. Member and Viewer can view the configured domains.
### Data export
Pulling a CSV from the [Activity Stream](/cancel-flows/analytics/session-outcomes#exporting-data) and from Payment Recovery analytics is restricted to Owner and Admin only. The same restriction is enforced on the API, so it cannot be bypassed by URL.
### Account-level 2FA enforcement
Only the Owner can require all members of the workspace to use 2FA when logging in. Admins can manage their own 2FA settings, but cannot enforce 2FA on other members.
## Managing roles
The [Team page](https://app.churnkey.co/team) is where Owners and Admins manage who has access to the workspace. The page is titled **Team Members** with the subtitle **Manage who has access to Churnkey**.
The page shows a table of every current member with the following columns:
- **Name**
- **Email**
- **Role**
- **Developer Notifications** (whether the member receives developer-targeted alerts)
- **Actions** (edit role, remove member)
To change a member's role, click the actions menu next to their row and choose **Edit Role**. A dialog opens with a role picker and a live preview of the permissions matrix that updates as you select different roles. You can only assign roles that are equal to or lower than your own role, so an Admin cannot promote someone to Owner.
::callout
Roles are assigned **per workspace**. Changing someone's role in Workspace A has no effect on their role in Workspace B. See [Multi-Workspace Support](/account/multi-workspace-support#managing-roles) for how this plays out across workspaces.
::
## Inviting members
From the Team page, click **Invite via Email** to open the invite dialog. Fill in:
- **First name**
- **Last name**
- **Email address**
- **New User Role** (dropdown defaults to **Member**)
The role dropdown lists every role that is equal to or lower than your own. Owner is not available from this dialog because there is one Owner per workspace and the role is set during workspace creation; ownership transfer is handled separately. After clicking **Send Invite**, the invitee receives an email with a link to accept the invitation. You will see a **Member invitation sent** confirmation in the dashboard.
If the invited email is already part of another Churnkey workspace, accepting the invitation links the new workspace to the existing account automatically. The user does not need to create a separate login. See [Multi-Workspace Support](/account/multi-workspace-support) for the full multi-workspace login flow.
## Common questions
**Can the Owner role be transferred to another member?**
Yes, but the transfer is handled by Churnkey support rather than the dashboard, so reach out via the in-app chat or [support@churnkey.co](mailto:support@churnkey.co).
**Can a workspace have more than one Owner?**
No. There is one Owner per workspace. If you need multiple people with the same broad access, assign them the **Admin** role.
**Why doesn't my Member account have an Export Data button?**
Data export is restricted to the Owner and Admin roles. Ask the workspace Owner or an Admin to either run the export for you or upgrade your role.
**Can the same person have different roles in different workspaces?**
Yes. Roles are scoped to a single workspace, so the same email can be an Owner in one workspace and a Viewer in another. See [Multi-Workspace Support](/account/multi-workspace-support#managing-roles).
**Where do role changes show up?**
A role change takes effect on the user's next page load. They do not need to log out and back in.