Team & roles
Role-based access control, invitations, and audit.
Payment infrastructure needs scoped access, not shared logins. SpicePay's team management gives every operator their own account with exactly the permissions their job requires.
Inviting teammates
Employees → Invite sends an email invitation. The invitee sets their own password and (if your policy requires it) enrolls in two-factor authentication before first access.
Roles
Assign each employee a role. Built-in roles:
| Role | Can |
|---|---|
| Owner | Everything, including billing and deleting the account |
| Admin | Everything except account deletion and ownership transfer |
| Operator | View and act on payments: refunds, dispute evidence, customer support |
| Analyst | Read-only access to transactions and analytics |
| Developer | Connectors, webhooks, API keys — no payout or billing access |
Custom roles compose fine-grained permissions (e.g. "may view transactions and issue refunds up to €500, nothing else") when the built-ins don't fit.
Two-factor authentication
TOTP-based 2FA (any authenticator app) can be enabled per user under Profile → Security, and enforced organization-wide by an admin. When enforced, users without 2FA are locked to the enrollment screen at next login.
Login activity
Profile → Login activity shows every session: time, IP, location, device, and whether 2FA was used. Admins see the same audit across the organization — your first stop when offboarding an employee or investigating something odd.
Good practice
- Give every human their own account. Shared credentials void the audit trail.
- Use Analyst for finance/reporting tools and dashboards.
- Rotate API keys when a developer with key access leaves — see API authentication.