Workspaces
Workspaces provide logical multi-tenant isolation in CMDOP. Each workspace is a completely separate environment containing its own machines, sessions, users, and API keys. Team members are assigned roles (Owner, Admin, Member, Guest) that control access. API keys are scoped per workspace, so switching workspaces means using a different key. Hostnames are unique within a workspace.
How does workspace isolation work?
What resources are isolated per workspace?
| Resource | Isolation |
|---|---|
| Machines | Hostname unique per workspace |
| Sessions | Only accessible within workspace |
| API Keys | Scoped to workspace |
| Users | Membership per workspace |
| Audit Logs | Separated by workspace |
| Billing | Per workspace |
What is the workspace structure?
# Hierarchical breakdown of a workspace and its resources
Workspace
├── Settings
│   ├── Name
│   ├── Slug (URL-safe identifier)
│   └── Billing info
│
├── Members
│   ├── Owners (full control)
│   ├── Admins (manage machines, users)
│   ├── Members (access sessions)
│   └── Guests (read-only, optional)
│
├── Machines
│   ├── web-1 (hostname)
│   ├── web-2
│   └── db-1
│
├── Sessions
│   ├── Active sessions
│   └── Session history
│
└── API Keys
    ├── Personal keys (per user)
    └── Workspace keys (shared)
What are the member roles and permissions?
What can an Owner do?
Full control over workspace:
| Permission | Allowed |
|---|---|
| Manage billing | Yes |
| Delete workspace | Yes |
| Manage members | Yes |
| Manage machines | Yes |
| Access sessions | Yes |
| Create API keys | Yes |
What can an Admin do?
Manage resources (no billing):
| Permission | Allowed |
|---|---|
| Manage billing | No |
| Delete workspace | No |
| Manage members | Yes |
| Manage machines | Yes |
| Access sessions | Yes |
| Create API keys | Yes |
What can a Member do?
Day-to-day usage:
| Permission | Allowed |
|---|---|
| Manage billing | No |
| Delete workspace | No |
| Manage members | No |
| Manage machines | No |
| Access sessions | Yes |
| Create API keys | Yes (personal) |
What can a Guest do?
Read-only access:
| Permission | Allowed |
|---|---|
| Access sessions | Observer only |
| View machines | Yes |
| Execute commands | No |
| Create API keys | No |
How do you create a workspace?
Via Dashboard
- Go to Settings -> Workspaces
- Click Create Workspace
- Enter name and slug
- Invite team members
Via CLI
# Create a new workspace with a URL-safe slug
cmdop workspace create "My Workspace" --slug my-workspace
# Set the active workspace for subsequent CLI commands
cmdop workspace use my-workspace
# Show all workspaces you belong to
cmdop workspace list
How do you invite members?
Via Dashboard
- Go to Settings -> Team
- Click Invite Member
- Enter email and select role
- Send invitation
Via API
# Send an invitation email with assigned role to a new team member
await client.workspace.invite(
    email="[email protected]",
    role="member"
)
How does machine registration work?
When an agent connects, it registers to the workspace from its OAuth token:
How is hostname uniqueness enforced?
Hostnames are unique within a workspace:
# Hostnames must be unique per workspace; duplicates are rejected
Workspace: "acme-corp"
├── web-1 ✅ (unique)
├── web-2 ✅ (unique)
└── web-1 ❌ (duplicate, rejected)
# Different workspaces can reuse the same hostname
Workspace: "globex"
└── web-1 ✅ (unique in this workspace)
How do API keys work?
What are personal API keys?
Tied to a user, scoped to workspace:
# Generate a personal API key named "my-laptop" for the current workspace
cmdop auth create-key --name "my-laptop"
# Key format: cmd_<workspace>_<random>
# Example: cmd_acme_a1b2c3d4e5f6...
What are workspace API keys?
Shared across team (admin creates):
# Generate a shared workspace-level key (requires admin role)
cmdop auth create-key --workspace --name "ci-cd"
How do you use API keys?
# The API key determines which workspace the client can access
client = AsyncCMDOPClient.remote(api_key="cmd_acme_xxx")
# Success: web-1 exists in the acme workspace
session = await client.terminal.get_active_session("web-1")
# Error: globex-server is not in the acme workspace (access denied)
session = await client.terminal.get_active_session("globex-server")
How do you switch workspaces?
CLI
# List all workspaces your account belongs to
cmdop workspace list
# Change the active workspace for CLI commands
cmdop workspace use my-workspace
# Display the currently active workspace
cmdop workspace current
SDK
# In the SDK, the API key determines the workspace automatically
# To switch workspaces, instantiate a client with a different key
acme_client = AsyncCMDOPClient.remote(api_key="cmd_acme_xxx")
globex_client = AsyncCMDOPClient.remote(api_key="cmd_globex_yyy")
What are the best practices for workspaces?
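Because the API key alone selects the workspace, a script that picks up the wrong key silently targets a different tenant. The following is an added example, not CMDOP code: it parses the documented `cmd_<workspace>_<random>` shape to fail closed on a workspace mismatch and to redact key-shaped tokens from log text. The regex character classes and all function names are assumptions, and the sample keys are constructed.

```python
import re

# Assumption: keys follow the documented shape cmd_<workspace>_<random>. The
# character classes below are a guess at that shape, not a published grammar.
_KEY = re.compile(r"\bcmd_([a-z0-9]+(?:-[a-z0-9]+)*)_([A-Za-z0-9_]{3,})")


def key_workspace(api_key: str) -> str:
    """Return the workspace segment of a key, or raise ValueError."""
    m = _KEY.fullmatch(api_key)
    if m is None:
        raise ValueError("not a cmd_<workspace>_<random> key")
    return m.group(1)


def redact(api_key: str) -> str:
    """Keep the workspace prefix for triage, drop the secret part."""
    return f"cmd_{key_workspace(api_key)}_<redacted>"


def require_workspace(api_key: str, expected: str) -> str:
    """Fail closed before a client is built with a key for another workspace."""
    actual = key_workspace(api_key)
    if actual != expected:
        raise PermissionError(
            f"key {redact(api_key)} targets {actual!r}, job expects {expected!r}"
        )
    return api_key


def scrub(text: str) -> tuple[str, list[str]]:
    """Redact key-shaped tokens in log text; return (clean text, workspaces seen)."""
    seen: list[str] = []

    def _sub(m: re.Match) -> str:
        seen.append(m.group(1))
        return f"cmd_{m.group(1)}_<redacted>"

    return _KEY.sub(_sub, text), seen


if __name__ == "__main__":
    # Constructed sample values; none of these are real keys.
    require_workspace("cmd_acme_cicdA1b2c3", "acme")  # matching workspace passes
    try:
        require_workspace("cmd_globex_Zz9y8x7", "acme")
    except PermissionError as exc:
        print(exc)  # message carries the redacted key only
    print(scrub("auth ok key=cmd_acme_cicdA1b2c3 host=web-1"))
```

Call `require_workspace` on the key before passing it to `AsyncCMDOPClient.remote`, and run `scrub` over CI output before it is archived.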
1. One Workspace Per Team/Environment
# Separate workspaces by environment for clear isolation
Company Structure:
├── acme-production   # Prod servers
├── acme-staging      # Staging environment
└── acme-development  # Dev machines
Each team/environment gets its own isolated workspace.
2. Use Role-Based Access
# Assign roles matching each person's responsibility level
Production Workspace:
├── Owners: [email protected]
├── Admins: senior-devs
├── Members: all developers
└── Guests: auditors (read-only)
3. Separate Personal and CI Keys
# Keep personal and automation keys separate for easy revocation
Personal keys: cmd_acme_alice_xxx
CI/CD keys: cmd_acme_cicd_xxx
Revoke the personal key if a laptop is stolen; the CI key stays active.
4. Audit Regularly
# Review who has access to the workspace
cmdop workspace members
# List all API keys (check for unused or stale keys)
cmdop auth list-keys
# View audit trail for the last 30 days
cmdop audit list --days 30
How does multi-workspace access work?
Users can belong to multiple workspaces:
# A single user account can have different roles in different workspaces
[email protected]
├── Member of: acme-production
├── Admin of: acme-staging
└── Owner of: alice-personal
# Alice can switch between workspaces
# Different permissions in each
What are the workspace limits?
| Resource | Limit |
|---|---|
| Machines per workspace | Plan-dependent |
| Members per workspace | Plan-dependent |
| API keys per user | 10 |
| Sessions per machine | 1 active |
How do you delete a workspace?
Only owners can delete:
# Permanently delete a workspace and all its data (owner only)
cmdop workspace delete my-workspace --confirm
# This deletes:
# - All machines
# - All sessions
# - All API keys
# - All audit logs
# - Member associations (not user accounts)
Next
- Security: Security model
- Sessions: Session isolation
- API Authentication: API key management