Members & roles
Everyone signs in with a single Hyrax login — sign in with GitHub, with Google, or with a one-time code sent to your email — so there are no separate Hyrax passwords to manage. On the Team plan, your whole team works in one workspace together; each member has a role that sets what they can do by default, and every workspace has exactly one account owner. Membership lives on the Members page, under Workspace in the sidebar.
How teammates join
The simplest way to bring someone in is to invite them. Invite a teammate on the Members page invites someone by email and reserves the role you choose. They get an email to sign in to Hyrax — no GitHub account required — and join the workspace with that role the moment they sign in (the reserved role is claimed by the verified email they sign in with). This means you can invite anyone with an email, including teammates who don't use GitHub. Pending invites appear in a Pending invites list on the Members page, where an admin can revoke one before it's claimed.
Joining an existing workspace is by invitation. Someone who signs in to Hyrax without an invite doesn't land in your workspace — they start a new workspace of their own.
The account owner
Every workspace has exactly one account owner — initially the person who created the workspace. The owner:
- Holds every capability, regardless of role.
- Is the only person who can delete a repository or transfer ownership.
- Appears on the Members page as an Admin with a star — the owner's role can't be changed there.
Ownership can be transferred to another member from Settings → General → Danger Zone. There is always exactly one owner.
Roles
Four roles, strictly nested — each includes everything the one below it can do.
| Role | What it can do by default |
|---|---|
| Admin | Everything a Member can, plus: register and configure repositories, edit workspace settings and guidance, manage the subscription and billing, invite teammates, and change member roles. |
| Member | The day-to-day loop: view repositories and their audit data, findings and suggestions, and job runs; run audits and discovery; start fixes; triage findings (keep or dismiss); cancel their own running jobs; and view workspace usage. |
| Viewer | Sign-in only, with no default capabilities — the most restrictive tier, for accounts that shouldn't see code findings. |
| No access | Revoked. Can't enter the workspace. Used to remove someone while keeping their history. |
A few things roles deliberately don't change:
- Deleting a repository is owner-only — even admins can't.
- Findings, fixes, and job history are shared workspace state: anything a member does is visible to the rest of the team under the same
HYRAX-Nreferences.
The full action-by-action matrix is in the app: open the Members page and select Role permissions.
Changing a role
Admins change roles inline from the Members table — pick the new role and it applies immediately. Setting someone to No access signs them out everywhere right away; you can restore their access later from the same menu. Promoting someone to a higher role asks you to reconfirm with two-factor authentication.
Each member's detail page shows where their current role came from — set by an admin, or claimed from an invitation — along with their job history.
Seats per plan
| Plan | Seats |
|---|---|
| Free | 1 |
| Pro | 1 |
| Team | Unlimited |
Free and Pro workspaces are single-seat: the workspace is just the owner, and the Members page offers an upgrade path instead of invite controls. The seat limit is enforced at sign-in — if someone tries to join a workspace that's at its limit, they're turned away with an explanation, and the owner gets an email about the attempt. The limit only applies to new members joining: existing members always keep their access.
To bring in a team, see plans & pricing for the Team plan.
Good to know
- To revoke someone's access, manage it in Hyrax — not in GitHub. Workspace membership is managed on the Members page; removing someone from your GitHub organization does not revoke their Hyrax access on its own. Set their role to No access to sign them out everywhere on the spot.
- Hyrax staff access is visible to you. The workspace keeps a log of any Hyrax staff support sessions against your workspace, viewable by every member.
- Per-member usage is visible. The Members table shows each member's job count and spend, so you can see who's running what. See Security for how workspace data is isolated.