Add a teammate to your organization with a single command:
    capy invite alice@example.com
Capy prompts you for a role (Member, Project Admin, or Admin), generates a one-time redeem code, and offers to copy it to your clipboard. Your teammate runs:
    capy redeem <code>
They authenticate, the service verifies their identity, they decrypt the invite blob locally with the token baked into the code, and from that moment they can read and write secrets in the org.

Why out-of-band delivery matters

The redeem code contains an invite token T - one of the two halves that decrypt the master key. The other half is held by the Capy service. If an attacker intercepts both halves, they get the master key. The service only ever sees one half (its outer-wrapped blob). It never sees T. So T has to reach the invitee through a channel the service doesn’t touch:
  • Good: Signal, a password manager share, a QR code scanned in person, a phone call to dictate.
  • Bad: email, Slack DM that logs to your org admin, Git commit, a public chat log, screen share on Zoom with recording on.
If the redeem code leaks, revoke the invite before it’s used (the token is one-time - once the invitee redeems, the same code can’t be reused). If a leaked code has already been used, kick the invited user and rotate.

Inviting from the TUI

You can also invite from the interactive capy users view. Expand a project on a member’s row (or any row) and the picker offers an "assign new member" entry. Enter an email and pick a per-project role:
  > carol@acme.com                admin          2025-03-10    2 projects
      api-backend          admin
      web-frontend         project-admin
        main               (granted)
        production         (no access)
      [+ assign new member]
This is the same flow as capy invite, but scoped to the project you expanded - useful when you’re already in the TUI managing access.

What gets exchanged

The invite flow double-wraps the master key:
  1. Your CLI wraps M with a key derived from T and the invitee’s email.
  2. The service adds an outer wrap over that result.
  3. The invitee authenticates, gets the service to strip the outer wrap, and strips the inner wrap locally using T + their authenticated email.
If the authenticated email doesn’t match the salt the inviter used, decryption fails cryptographically. See Cryptography → Inviting a new member for the full construction.
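
The three steps above as a runnable Go sketch. This is an added example, not Capy's code: HMAC-SHA256 as the KDF, AES-256-GCM as the wrap cipher, the "outer" label, the service key and all function names are assumptions, and the real construction is the one on the Cryptography page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assumed stand-ins, not named on the page: HMAC-SHA256 as KDF, AES-256-GCM as wrap.
func aead(secret []byte, salt string) cipher.AEAD {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(salt))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key, so this cannot fail
	a, _ := cipher.NewGCM(block)
	return a
}

func wrap(a cipher.AEAD, pt []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce)
	return a.Seal(nonce, nonce, pt, nil) // nonce || ciphertext || tag
}
func unwrap(a cipher.AEAD, blob []byte) ([]byte, error) {
	if n := a.NonceSize(); len(blob) >= n {
		return a.Open(nil, blob[:n], blob[n:], nil) // errors on wrong key or altered blob
	}
	return nil, fmt.Errorf("blob too short")
}

// invite covers steps 1 and 2: the inviter's inner wrap, then the service's outer wrap.
func invite(m, t, svcKey []byte, email string) []byte {
	return wrap(aead(svcKey, "outer"), wrap(aead(t, email), m))
}
func redeem(blob, t, svcKey []byte, authedEmail string) ([]byte, error) {
	inner, err := unwrap(aead(svcKey, "outer"), blob) // step 3: service strips the outer wrap
	if err != nil {
		return nil, err
	}
	return unwrap(aead(t, authedEmail), inner) // step 3: invitee strips the inner wrap locally
}

func main() {
	t, svc := make([]byte, 32), make([]byte, 32) // constructed all-zero sample secrets
	blob := invite([]byte("sample master key"), t, svc, "alice@example.com")
	fmt.Println(redeem(blob, t, svc, "mallory@example.com")) // email differs from the invite
}
```

Redeeming under a different email or with a different T fails with an authentication error instead of returning a wrong key, and the service-side key alone only yields the still-encrypted inner blob.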

What’s next

Roles

Member, Project Admin, Admin, Owner.

Kicking users

Remove a teammate. O(1), no re-encryption.