Skip to main content

Documentation Index

Fetch the complete documentation index at: https://koreai-v2-agent-platform-dev.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Configure workspace structure, roles, member access, security policies, encryption keys, and environment variables. The Workspace and Team settings are your control center for access, security, and runtime configuration. From here you manage who can do what, how data is protected, and what values agents use at runtime.
  • Navigation: Settings > Team
  • Required role: Owner or Admin

Workspace Structure

The Agent Platform organizes resources across three levels. You don’t need all three — start with a workspace, add projects as your work grows, and only set up an organization if you need to manage multiple workspaces together.
LevelDescription
WorkspaceYour team’s dedicated environment. Contains all agents, models, connectors, secrets, and members. Each workspace is fully isolated — data in one workspace is never accessible from another.
ProjectA group of related agents and resources for a specific use case, inside a workspace. Projects inherit the workspace’s AI model configuration but can override model tier assignments.
OrganizationOptional. Sits above workspaces for shared billing and governance across multiple teams. A single-workspace setup doesn’t need this.
What the workspace controls:
  • Who has access and what they can do (team membership and roles).
  • Which AI models and providers are available (LLM policies, token budgets, rate limits).
  • Which features are unlocked (based on your plan tier).
What projects add:
  • Project members are drawn from workspace members and carry project-specific roles.
  • Environment variables and secrets can be scoped per project and per environment (development, staging, production).

Roles and Permissions

The platform uses hierarchical role-based access control (RBAC). Each role inherits all permissions from the roles below it.

Workspace Roles

RoleDescriptionKey Permissions
OwnerFull control. One owner per workspace.Transfer ownership, delete workspace, manage billing, all admin operations.
AdminManages team members, models, and workspace settings.Invite/remove members, configure models, manage secrets and connectors, view audit logs.
OperatorManages agent deployments and monitors production.Deploy agents, view analytics, manage environment variables, view sessions.
MemberBuilds and tests agents within assigned projects.Create/edit agents, run tests, manage project-level resources.
ViewerRead-only access to workspace resources.View agents, project configurations, and analytics dashboards.

Project Roles

RoleDescriptionKey Permissions
AdminFull control over the project’s resources and settings.Manage all project resources, configure settings, oversee operations.
DeveloperCreates and modifies agents, tools, workflows, and project assets.Build and update agents, tools, workflows, and assets.
TesterReads project resources, runs simulations and evaluations.Access project resources, execute tests, validate agent behavior.
ViewerRead-only access to the project.View project resources and configurations.
How workspace and project roles interact:
  • Workspace Owners and Admins have workspace-wide authority and can administer all projects without explicit project membership.
  • Non-admin workspace members need explicit project membership for project-scoped access.
  • When a workspace member creates a project, they automatically become that project’s Admin and can add other workspace members from Settings > Members.

Managing Members

Only workspace Owners and Admins can manage team membership.

View Current Members

Go to Settings > Team > Members. The list shows name and email, workspace role, status (active, suspended, locked, or deactivated), and date joined.

Invite a Member

  1. Click Invite member.
  2. Enter the invitee’s email address.
  3. Select a role: Admin, Operator, Member, or Viewer.
  4. Click Send invite.
The invitee receives an email with a unique link that includes the workspace name and their assigned role. Invitations expire after 7 days and are cleaned up automatically. Manage pending invitations from the Pending Invitations section on the Members page:
ActionWhat it does
ResendSends a fresh invitation email with a new token, resetting the 7-day expiry.
RevokeCancels the invitation so the link can no longer be used.
If a member reports not receiving the invitation email, check the pending list and resend — you don’t need to revoke first.

Change a Member’s Role

  1. Find the member in the Members list.
  2. Click the role dropdown next to their name.
  3. Select the new role and confirm.
Role changes take effect immediately — permissions update on the member’s next page load or API call. Platform-enforced role hierarchy rules:
  • You can’t assign a role higher than your own. An Admin can’t promote a member to Owner.
  • Only the workspace Owner can promote a member to Admin.
  • Only the workspace Owner can transfer ownership.
  • You can’t demote yourself — ask another Owner or Admin to change your role.

Remove a Member

  1. Find the member in the Members list.
  2. Click the three-dot menu next to their row.
  3. Select Remove member and confirm.
What happens when a member is removed:
  • They lose access to all workspace resources immediately.
  • Their project memberships within this workspace are removed.
  • Resources they created (agents, knowledge bases) remain in the workspace.
  • Active sessions they initiated continue running, but they can’t start new ones.
Removing a member doesn’t delete their Agent Platform account. They can still access other workspaces they belong to.

Transfer Workspace Ownership

Only the current workspace Owner can transfer ownership.
  1. Go to Settings > Team > Members.
  2. Click the three-dot menu next to the target member.
  3. Select Transfer ownership and confirm by typing the workspace name.
After the transfer, the previous Owner is demoted to Admin, and the new Owner gains full control, including the ability to delete the workspace.

Custom Roles

Workspace Owners and Admins can define custom roles with granular permissions beyond the built-in set. Custom roles are tenant-scoped and managed from Settings > Team > Custom Roles.

Create a Custom Role

  1. Enter a role name and optional description.
  2. Select the required permissions.
  3. Click Create.
Role assignment:
  • Built-in roles are managed on the Members page.
  • Custom project roles are governed through the Custom Project Roles flow.

Security and Compliance

Go to Team > Security & Compliance to manage authentication and access controls. The page has three tabs: MFA, SSO, and Audit Logs. Required role: Owner or Admin.

Multi-factor Authentication (MFA)

MFA adds a verification step using a time-based one-time password (TOTP). Enable MFA for your account: Go to Team > Security & Compliance, click Enable MFA, complete the authenticator app setup, enter the verification code, and click Verify & Enable. Recovery codes are generated during MFA setup and let you access your account if you lose your authenticator app:
  • Each code can only be used once.
  • Store them securely.
  • Regenerating codes invalidates all previously issued codes.
Enforce MFA for the workspace: From the MFA tab, enable Require MFA for all members and select a grace period. When enforced:
  • New members must configure MFA before accessing the workspace.
  • Existing members must complete MFA setup within the grace period.
  • Members who don’t complete setup are locked out until MFA is configured.

Single Sign-on (SSO)

SSO lets users authenticate using an external identity provider (IdP). Plan requirement: Enterprise plan only. Supported protocols:
  • SAML 2.0 — Supports Okta, Azure AD, and OneLogin.
  • OpenID Connect (OIDC) — Supports Auth0 and Keycloak.
Set up SAML SSO: Go to Team > Security & Compliance > SSO, select SAML 2.0, enter the required configuration details, and click Save Configuration. Set up OIDC SSO: Go to Team > Security & Compliance > SSO, select OpenID Connect, enter the required configuration details, and click Save Configuration. Domain verification: Use the Domain Verification section in the SSO tab to claim and verify your organization’s email domain before enforcing SSO. Force SSO: Enable Force SSO from the SSO tab to require users with verified domain email addresses to authenticate through SSO. When enabled:
  • Password-based login is disabled for verified domain users.
  • Users outside the verified domain are unaffected.
  • Workspace Owners retain password-based login as a fallback.
Google authentication fallback: Enable Allow Google fallback to let users sign in with Google if the configured SSO provider is unavailable.

Audit Logs

Audit logs give you a tenant-scoped, filterable record of all significant workspace actions. Use them to investigate incidents, verify compliance, and review team activity.
  • Navigation: Settings > Team > Audit Logs
  • Required role: Owner or Admin
  • Export: Available on Professional and Enterprise plans
Use Refresh to reload the log. Use Export CSV to download the current filtered view. Use the filter bar to narrow results by search text, date range, action type, preset, or category.

Summary Metrics

MetricDescription
Matching eventsTotal events matching the current filters.
Failed on pageFailed events on the current page.
Actors on pageDistinct actors on the current page.
Active filtersNumber of filters applied.
Last eventTimestamp of the most recent event.

Event Categories

CategoryExamples
Auth & accessLogin, logout, MFA, SSO, API keys.
Workspace governanceMember invites, role changes, ownership transfers.
Project, agent & workflow configAgent creation, updates, deployments, workflow changes.
Tools, modules & credentialsTool bindings, module updates, credential changes.
Data protectionKB updates, uploads, exports, retention events.
KMSKey rotations, DEK creation, provider changes.
Connector configurationChannel connections, SDK changes.
Archives, retention & GitArchiving, retention policy changes, Git events.

Log Table Columns

ColumnDescription
TimestampWhen the action occurred.
CategoryEvent category.
ActionSpecific action, for example agent.dsl_updated.
ActorUser or system ID.
TargetResource affected.
ProjectAssociated project.
SourceOrigin: Studio or runtime-store.
IPRequest IP address.
TraceTrace ID, if available.

Retention

  • Follows the workspace retention policy.
  • Professional and Enterprise plans: at least 90 days.
  • Contact support for extended retention.

Key Management

The Key Management Service (KMS) lets you control the encryption keys used to protect sensitive workspace data. Instead of relying on platform-managed keys, you can provide your own key material from a supported cloud provider.
  • Navigation: Settings > Team > Key Management
  • Required role: Owner
  • Plan requirement: Enterprise plan only

Encryption Architecture

The platform uses envelope encryption:
Key typeDescription
Key Encryption Key (KEK)Master key stored in your cloud provider’s KMS.
Data Encryption Keys (DEKs)Short-lived keys that encrypt data items, wrapped by the KEK. Scoped to specific projects and environments with configurable rotation intervals.
The KMS page is organized into five tabs: Configuration, Scopes, Encryption Keys, Health, and Audit Log.

Configuration

The Configuration tab shows the active KMS setup and lets you manage provider and encryption policies. Supported KMS providers:
  • Local (Built-in) — Platform-managed local KMS.
  • AWS KMS — Symmetric CMK (AES-256).
  • Azure Key Vault — RSA or AES keys.
  • Google Cloud KMS — Symmetric AES-256 keys.
  • External KMS — REST-compatible external providers.
Failure policy:
PolicyBehavior
Fail ClosedEncryption and decryption operations fail when the provider is unavailable.
Fail OpenThe platform continues operating without guardrail evaluation.
Rotation and re-encryption settings:
SettingDescription
DEK Epoch IntervalFrequency of DEK generation.
DEK Max Usage CountMaximum DEK usage before rotation.
Destroy retired DEKsEnables automatic destruction after the retention period.
KEK Rotation PeriodFrequency of KEK rotation.
Enable automatic re-encryptionAutomatically queues re-encryption jobs after rotation.
Re-encryption also includes Concurrency (parallel jobs), Batch Size (records per batch), and Max Retries (retry attempts for failed jobs). Click Save Configuration to apply.

Scopes

The Scopes tab lets you configure KMS overrides for specific environments and projects. Overrides follow this precedence: Platform default > Tenant default > Tenant environment > Project default > Project environment The most specific override always takes precedence. Use the Effective Scope Preview to inspect the resolved provider for a selected project or environment. It shows the full inheritance chain — each level marked as Active or overridden. Use Save Override, Reset Form, or Clear Override to manage scoped overrides.

Encryption Keys

The Encryption Keys tab shows active and retired DEKs across scopes. DEK inventory summary:
MetricDescription
Total DEKsTotal number of DEKs.
Active DEKsDEKs currently in use.
Decrypt-Only DEKsRetired DEKs retained for decryption.
DestroyedPermanently destroyed keys.
Expiring SoonActive DEKs expiring within 72 hours.
Last CheckedTimestamp of the latest DEK creation.
Filter the inventory by status (Active, Decrypt-Only, or Destroyed), project, or environment. Use Rotate Keys to manually trigger DEK rotation for the current scope.
Don’t destroy a key version in your cloud provider until all data has been re-encrypted with the new version. Destroying active key versions may result in permanent data loss.

Health

The Health tab shows operational status and encryption metrics for the configured KMS provider. Click Refresh Health to reload. When provider connectivity fails:
  • Fail Closed — Encryption and decryption operations stop until recovery.
  • Fail Open — The platform continues operating with cached DEKs.

KMS Audit Log

The Audit Log tab in Key Management shows tenant-scoped KMS activity: configuration changes, rotations, validations, and failures. Filter by operation type, result, or date range.
KMS audit log retention follows the workspace data retention policy. Professional and Enterprise plans retain logs for at least 90 days.

Environment Variables

Environment variables are key-value pairs scoped to a project and environment. At runtime, agents resolve {{env.KEY}} placeholders in tool configs and parameters to the matching value.
  • Navigation: Settings > Team > Env Variables
  • Required role: Owner, Admin, or Operator
tools:
  - name: crm-lookup
    config:
      base_url: '{{env.CRM_API_URL}}'
      timeout: '{{env.CRM_TIMEOUT_MS}}'

Variable Types

TypeSyntaxVisibilityScopeUse For
Environment Variable{{env.KEY}}Visible to Operators; can be marked secret.Per project, per environment.Non-sensitive config: URLs, feature flags, timeouts.
Secret{{secret.KEY}}Hidden after creation, always secret.Per workspace or project.API keys, passwords, tokens.
Config Variable{{config.KEY}}Plaintext, resolved at compile time.Per project (not environment-scoped).Project-wide constants.

Environment Tabs

The page shows four tabs: Global, Dev, Staging, and Production. Each tab shows its variable count.
Global variables are available in all environments. An environment-specific variable with the same key takes priority over the global variable.
Toolbar actions: Filter keys, Refresh, Diff, Namespaces, All Variables, Export, Import, Add Variable.

Add a Variable

  1. Go to Settings > Team > Env Variables.
  2. Select the target project from the dropdown.
  3. Select the target environment tab.
  4. Click Add Variable.
  5. Enter a Key (use UPPER_SNAKE_CASE), Value, and optional Description.
  6. Check Mark as secret if the value is sensitive.
  7. Click Create.
Variables created on the Global tab are available in all environments unless overridden by an environment-specific variable with the same key.

Edit and Delete Variables

  • Edit: Click Edit to update a variable’s value or description. Changes apply immediately.
  • Delete: Click the delete icon and confirm.
Deleting a variable referenced in an agent definition causes runtime errors. Check all references before deleting.

Export Variables

  1. Select the environment tab.
  2. Click Export.
  3. Choose format: JSON (array) or .env (file format).
  4. Click Copy to Clipboard or Download.

Import Variables

  1. Select the environment tab.
  2. Click Import.
  3. Paste JSON in this format: 
    [
  {"key": "API_KEY", "value": "sk-xxx", "isSecret": true},
  {"key": "DB_URL", "value": "postgres://..."}
]
  4. Check Overwrite existing variables to replace matching keys.
  5. Click Import.
Variables not in the import file remain unchanged. Replicate variables across projects: Environment variables are project-scoped. To replicate them, use Export/Import with the same JSON file. For values shared across all projects, use workspace-level secrets.