> ## Documentation Index
> Fetch the complete documentation index at: https://capy.sc/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Invite Teammates to Capy: Share Encrypted Access

> Share access to encrypted secrets via out-of-band redeem codes. Capy double-wraps the master key so the service never sees the invite token in transit.

Add a teammate to your organization with a single command:

```bash theme={null}
capy invite alice@example.com
```

Capy prompts you for a role (Member, Project Admin, or Admin), generates a one-time redeem code, and offers to copy it to your clipboard.

Your teammate runs:

```bash theme={null}
capy redeem <code>
```

They authenticate, the service verifies their identity, they decrypt the invite blob locally with the token baked into the code, and from that moment they can read and write secrets in the org.

## Why out-of-band delivery matters

The redeem code contains an invite token `T` - one of the two halves that decrypt the master key. The other half is held by the Capy service. **If an attacker intercepts both halves, they get the master key.**

The service only ever sees one half (its outer-wrapped blob). It never sees `T`. So `T` has to reach the invitee through a channel the service doesn't touch:

* **Good:** Signal, a password manager share, a QR code scanned in person, a phone call to dictate.
* **Bad:** email, Slack DM that logs to your org admin, Git commit, a public chat log, screen share on Zoom with recording on.

If the redeem code leaks, revoke the invite before it's used (the token is one-time - once the invitee redeems, the same code can't be reused). If a leaked code has already been used, kick the invited user and rotate.

## Inviting from the TUI

You can also invite from the interactive `capy users` view. Expand a project on a member's row (or any row) and the picker offers `assign new member`. Enter an email and pick a per-project role:

```text theme={null}
  > carol@acme.com                admin          2025-03-10    2 projects
      api-backend          admin
      web-frontend         project-admin
        main               (granted)
        production         (no access)
      [+ assign new member]
```

This is the same flow as `capy invite`, but scoped to the project you expanded - useful when you're already in the TUI managing access.

## What gets exchanged

The invite flow double-wraps the master key:

1. Your CLI wraps `M` with a key derived from `T` and the invitee's email.
2. The service adds an outer wrap over that result.
3. The invitee authenticates, gets the service to strip the outer wrap, and strips the inner wrap locally using `T` + their authenticated email.

If the authenticated email doesn't match the salt the inviter used, decryption fails cryptographically. See [Cryptography → Inviting a new member](/internals/cryptography#inviting-a-new-member) for the full construction.

## What's next

<Columns cols={2}>
  <Card title="Roles" icon="user-shield" href="/using/team/roles" horizontal>
    Member, Project Admin, Admin, Owner.
  </Card>

  <Card title="Kicking users" icon="user-minus" href="/using/team/kicking" horizontal>
    Remove a teammate. O(1), no re-encryption.
  </Card>
</Columns>
