> ## Documentation Index
> Fetch the complete documentation index at: https://capy.sc/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Remove a Teammate: O(1) Revocation in Capy

> Kick a teammate from Capy in O(1) — no key rotation, no re-encryption for remaining members. Their local secrets become cryptographically inert on next sync.

Remove a teammate with a single command:

```bash theme={null}
capy kick alice@example.com
```

The service removes their membership. The next time their CLI tries to co-decrypt anything, the service refuses (they're no longer a member), and their local `key.enc` becomes cryptographically inert - its outer wrap needs the service to strip it, and the service won't.

No key rotation. No re-encrypting every secret. No propagating a new master key to every remaining member. A membership delete, and revocation is complete.

## Kicking from the TUI

`capy users` opens the interactive members list. Press `r` on a member's row to change their role; one of the options is **remove**, which kicks them from the org without the per-CLI command:

```text theme={null}
  Email                          Role           Added         Projects
  ─────────────────────────────────────────────────────────────────────
  alice@acme.com                 owner          2025-01-15    2 projects
> bob@acme.com                   ❯ admin                      1 project
                                   project-admin
                                   member
                                   remove
  ─────────────────────────────────────────────────────────────────────
   ↑↓ pick role  Enter confirm  Esc cancel
```

Picking `remove` and pressing Enter has the same effect as `capy kick bob@acme.com`. Inside an expanded project, the same picker offers a per-project remove (which only revokes their access to that one project; they stay in the org).

## Why it's safe to skip re-encryption

The kicked user's `key.enc` is an outer-wrapped blob. To use it they need to present it to the service and have the service strip the outer wrap. The service checks membership on that call - if they've been kicked, the call returns 403.

Their bytes are still on disk. They're just unusable.

See [Cryptography → Revocation](/internals/cryptography#revocation) for the full construction.

## What kicking does not do

* **It doesn't recall plaintext values they already saw.** If the kicked user read a value and stored it somewhere outside Capy (a text file, a screenshot, a chat log), that copy is outside Capy's control. Rotate anything sensitive through your normal secret-rotation process.
* **It doesn't invalidate cached deploy tokens.** Any deploy tokens minted while they were a member still work. Revoke individual deploy tokens if you have reason to suspect they captured one.
* **It doesn't rotate the master key.** Remaining members keep using the same `M`. That's fine - the departed user can't recover `M` without the service, and the service won't help them.

## When you do need to rotate

If you suspect the kicked user captured the **seed phrase** (not just their `key.enc`), rotate: new seed, new `M`, re-encrypt every secret, re-invite every remaining member. The seed phrase is the one artifact that bypasses the service's co-decrypt gate.

In practice this requires someone with access to the owner's seed phrase. Kicking random members doesn't trigger it.

## What's next

<Columns cols={2}>
  <Card title="capy kick" icon="terminal" href="/cli/kick" horizontal>
    Command flags.
  </Card>

  <Card title="Revocation (cryptography)" icon="shield-halved" href="/internals/cryptography#revocation" horizontal>
    The exact cryptographic enforcement.
  </Card>
</Columns>
