Shiplet uses organization-first access.

Human access

Human access is managed through WorkOS-backed organizations and invitations.

• Organization members can see organization-visible shiplets.
• Teams can be granted access to individual shiplets.
• Individual users can be invited to a shiplet by email.
• Private shiplets require explicit ownership or grants.
• Unlisted shiplets are not listed broadly, but can be viewed by link where policy allows.
• Public shiplets are intended for broad listing later.

Agent access

Agents use organization API keys. Keys are not scoped to a single shiplet by default.

Each key has:

• An organization.
• A set of scopes.
• A project access mode.
• Optional project allow or deny rules.

Use All projects for most internal agent keys. Use All except selected when one or two sensitive projects should be excluded. Use Only selected when a key should work for a narrow automation job.