# Authentication & Access

Trame uses Google OAuth for authentication and supports multiple organization workspaces per user. This guide covers sign-in, organization management, and access control.
## Authentication System

### Google OAuth Integration

- Trame uses Google OAuth as the primary authentication provider
- Users must have a Google account to access the platform
- Sessions are encrypted and managed by the platform
- There is no username/password authentication: OAuth is the only sign-in method
### Sign-in Process

1. Visit the Trame login page
2. Click “Sign in with Google”
3. Complete the Google OAuth consent screen if this is your first sign-in
4. Choose your organization workspace
5. Access the dashboard
### Session Management

- Sessions persist after the browser is closed and reopened
- Automatic session refresh prevents logouts during active use
- Your organization selection is remembered between sessions
- Session contents are encrypted to protect user data
## Organization Access

### Multiple Organizations

- Users can be members of multiple organizations
- Each organization is a separate workspace with isolated data
- Switch organizations using the organization selector in the sidebar
- Organization membership is invitation-based
### Organization Roles

- Owner: Full administrative control, can manage all users and settings
- Admin: Can manage connectors and workflows, and invite or remove Members
- Member: Can create and run workflows using available connectors
### Role Permissions

| Action | Owner | Admin | Member |
|---|---|---|---|
| Invite users | ✓ | ✓ (Members only) | ✗ |
| Remove users | ✓ | ✓ (Members only) | ✗ |
| Change user roles | ✓ | ✗ | ✗ |
| Manage connectors | ✓ | ✓ | ✗ |
| Create workflows | ✓ | ✓ | ✓ |
| Run workflows | ✓ | ✓ | ✓ |
| View audit logs | ✓ | ✓ | ✗ |
| Modify organization settings | ✓ | ✗ | ✗ |
### Role Guardrails

- Organizations must always have at least one Owner
- Only Owners can promote users to the Owner or Admin role
- Admins cannot remove other Admins or Owners
- Members can only access workflows and runs, not administration
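The permissions table and the guardrails above describe an authorization policy with two layers: a static role-to-action matrix, plus target-dependent rules the matrix cannot express (Admins invite or remove Members only, the last Owner cannot be removed or demoted). The following is an added example, not Trame's own code, that encodes both layers as a pure function so the policy can be unit-tested in isolation; the member list, user ids and action names are assumptions made for the example.

```typescript
// Added example (not Trame's code): the Role Permissions table and the Role
// Guardrails encoded as a pure authorization check.

type Role = "owner" | "admin" | "member";

type Action =
  | "invite_user" | "remove_user" | "change_role" | "manage_connectors"
  | "create_workflow" | "run_workflow" | "view_audit_logs" | "modify_settings";

// Static rows of the permissions table: which roles may attempt each action.
// The "(Members only)" qualifier on the Admin column is enforced separately below.
const PERMISSIONS: Record<Action, ReadonlySet<Role>> = {
  invite_user: new Set<Role>(["owner", "admin"]),
  remove_user: new Set<Role>(["owner", "admin"]),
  change_role: new Set<Role>(["owner"]),
  manage_connectors: new Set<Role>(["owner", "admin"]),
  create_workflow: new Set<Role>(["owner", "admin", "member"]),
  run_workflow: new Set<Role>(["owner", "admin", "member"]),
  view_audit_logs: new Set<Role>(["owner", "admin"]),
  modify_settings: new Set<Role>(["owner"]),
};

interface Membership { userId: string; role: Role }
type Org = ReadonlyArray<Membership>; // hypothetical snapshot of one organization's members

interface Decision { allowed: boolean; reason: string }

// Target of a user-management action: an existing member and/or the role being granted.
interface RoleTarget { userId?: string; newRole?: Role }

function roleOf(org: Org, userId: string): Role | undefined {
  return org.find((m) => m.userId === userId)?.role;
}

function ownerCount(org: Org): number {
  return org.filter((m) => m.role === "owner").length;
}

function can(org: Org, actorId: string, action: Action, target: RoleTarget = {}): Decision {
  const deny = (reason: string): Decision => ({ allowed: false, reason });

  // Organization isolation: non-members get nothing, whatever the action.
  const actorRole = roleOf(org, actorId);
  if (!actorRole) return deny("actor is not a member of this organization");

  // Row lookup in the permissions table.
  if (!PERMISSIONS[action].has(actorRole)) return deny(`${actorRole} may not ${action}`);

  const targetRole = target.userId !== undefined ? roleOf(org, target.userId) : undefined;

  // Admins may invite Members only; an Owner or Admin invitation needs an Owner.
  // (An invite with no newRole defaults to Member and is allowed.)
  if (action === "invite_user" && actorRole === "admin" &&
      target.newRole !== undefined && target.newRole !== "member") {
    return deny("admins may only invite Members");
  }

  if (action === "remove_user") {
    if (!targetRole) return deny("target is not a member");
    // Admins cannot remove other Admins or Owners.
    if (actorRole === "admin" && targetRole !== "member") return deny("admins cannot remove Admins or Owners");
    // Organizations must always have at least one Owner.
    if (targetRole === "owner" && ownerCount(org) <= 1) return deny("organization must keep at least one Owner");
  }

  if (action === "change_role") {
    if (!targetRole || target.newRole === undefined) return deny("target member and new role are required");
    // Demoting the last Owner would leave the organization without one.
    if (targetRole === "owner" && target.newRole !== "owner" && ownerCount(org) <= 1) {
      return deny("organization must keep at least one Owner");
    }
  }

  return { allowed: true, reason: "ok" };
}

// Constructed sample organization for trying the check.
const SAMPLE_ORG: Org = [
  { userId: "u-owner", role: "owner" },
  { userId: "u-admin", role: "admin" },
  { userId: "u-member", role: "member" },
];
```

Keeping the check pure (organization snapshot in, decision out) means the same function can guard both UI buttons and API handlers, and the "last Owner" rule is evaluated against the current member list rather than trusted from the client.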
## Access Control

### Organization Isolation

- Each organization has completely separate data
- Users cannot access data from organizations they don’t belong to
- Connectors, workflows, and runs are scoped to organizations
- Audit logs are organization-specific
### Invitation System

- New users must be invited by existing Owners or Admins
- Invitations are sent via email with secure tokens
- Invitations expire after 7 days and can be resent
- Pending invitations can be canceled by admins
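The four rules above (email-delivered token, 7-day expiry, resend, cancel) fit naturally into one small state machine around an invitation record. As an added example that is not Trame's code, here is one such implementation: the token is generated from the CSPRNG, only its hash is persisted, redemption checks status and expiry before comparing hashes in constant time, resending replaces the token and restarts the window, and cancelling closes the invitation. Storage, e-mail delivery, the record shape and ids are assumptions of the example.

```typescript
// Added example (not Trame's code): invitation lifecycle with hashed tokens
// and the 7-day expiry, resend and cancel rules from the Invitation System list.
import { randomBytes, createHash, timingSafeEqual } from "crypto";

const INVITE_TTL_MS = 7 * 24 * 60 * 60 * 1000; // invitations expire after 7 days

type InviteStatus = "pending" | "accepted" | "cancelled";

interface Invitation {
  id: string;
  orgId: string;
  email: string;
  tokenHash: string;   // hex SHA-256 of the token; the token itself is never stored
  expiresAt: number;   // epoch milliseconds
  status: InviteStatus;
}

// What the inviting flow gets back: the record to persist, and the one-time token
// that goes into the e-mail link and nowhere else.
interface IssuedInvite { invitation: Invitation; token: string }

function hashToken(token: string): string {
  return createHash("sha256").update(token).digest("hex");
}

function newToken(): string {
  return randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
}

function issueInvitation(orgId: string, email: string, now: number): IssuedInvite {
  const token = newToken();
  const invitation: Invitation = {
    id: randomBytes(8).toString("hex"), // hypothetical record id
    orgId,
    email,
    tokenHash: hashToken(token),
    expiresAt: now + INVITE_TTL_MS,
    status: "pending",
  };
  return { invitation, token };
}

type RedeemResult =
  | { ok: true; orgId: string; email: string }
  | { ok: false; reason: string };

// Called when the invitee follows the link. Status and expiry are checked first;
// the hash comparison is constant-time so a wrong token leaks nothing via timing.
function redeemInvitation(inv: Invitation, presentedToken: string, now: number): RedeemResult {
  if (inv.status !== "pending") return { ok: false, reason: `invitation is ${inv.status}` };
  if (now >= inv.expiresAt) return { ok: false, reason: "invitation expired" };
  const expected = Buffer.from(inv.tokenHash, "hex");
  const actual = Buffer.from(hashToken(presentedToken), "hex");
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
    return { ok: false, reason: "invalid token" };
  }
  inv.status = "accepted"; // single use: a second click on the same link is rejected
  return { ok: true, orgId: inv.orgId, email: inv.email };
}

// Resending replaces the token and restarts the 7-day window; the old link stops working.
function resendInvitation(inv: Invitation, now: number): IssuedInvite {
  if (inv.status !== "pending") throw new Error(`cannot resend an invitation that is ${inv.status}`);
  const token = newToken();
  inv.tokenHash = hashToken(token);
  inv.expiresAt = now + INVITE_TTL_MS;
  return { invitation: inv, token };
}

// Cancelling a pending invitation makes its link unusable without deleting the record.
function cancelInvitation(inv: Invitation): void {
  if (inv.status === "pending") inv.status = "cancelled";
}
```

Storing only the hash means a read of the invitations table does not hand out usable links, and invalidating the previous token on resend keeps exactly one valid link per invitation.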
### Route Protection

- Authentication is required for all application routes
- Organization membership is verified before access
- Middleware redirects unauthenticated or unauthorized requests automatically
- API routes are protected with session validation
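The list above describes a two-step guard: validate the session, then verify membership in the organization the route belongs to, with page routes redirected and API routes answered with a status code. As an added example, not Trame's middleware, the function below makes that decision as a pure function so it can be tested without a web framework; the route paths, the session shape and the membership directory are assumptions of the example.

```typescript
// Added example (not Trame's code): a route guard in the spirit of the Route
// Protection list, written as a pure decision function.

interface Session { userId: string; expiresAt: number } // epoch ms; produced by the OAuth flow

interface GuardRequest { path: string; session: Session | null; now: number }

type Guard =
  | { action: "allow"; userId?: string; orgId?: string }
  | { action: "redirect"; to: string }       // page routes get sent to a login/selector page
  | { action: "deny"; status: 401 | 403 };   // API routes get a status code, never a redirect

// Routes that must be reachable before sign-in (hypothetical paths).
const PUBLIC_PATHS: ReadonlySet<string> = new Set(["/login", "/auth/callback"]);

// Hypothetical membership directory: userId -> organizations the user belongs to.
type Memberships = ReadonlyMap<string, ReadonlySet<string>>;

// Organization-scoped routes are assumed to look like /org/<orgId>/... or /api/org/<orgId>/...
const ORG_ROUTE = /^(?:\/api)?\/org\/([^/]+)(?:\/|$)/;

function protectRoute(req: GuardRequest, memberships: Memberships): Guard {
  const isApi = req.path.startsWith("/api/");
  if (PUBLIC_PATHS.has(req.path)) return { action: "allow" };

  // 1. Authentication: a session must exist and must not have expired.
  const s = req.session;
  if (!s || s.expiresAt <= req.now) {
    return isApi
      ? { action: "deny", status: 401 }
      : { action: "redirect", to: `/login?next=${encodeURIComponent(req.path)}` };
  }

  // 2. Authorization: organization-scoped routes require membership in that organization.
  const m = ORG_ROUTE.exec(req.path);
  if (m) {
    const orgId = m[1] ?? "";
    const userOrgs = memberships.get(s.userId);
    if (!userOrgs || !userOrgs.has(orgId)) {
      return isApi
        ? { action: "deny", status: 403 }
        : { action: "redirect", to: "/select-organization" };
    }
    return { action: "allow", userId: s.userId, orgId };
  }

  // Authenticated request to a non-organization route (e.g. the selector itself).
  return { action: "allow", userId: s.userId };
}

// Constructed membership directory for trying the guard.
const SAMPLE_MEMBERSHIPS: Memberships = new Map<string, ReadonlySet<string>>([
  ["u-1", new Set(["org-a", "org-b"])],
  ["u-2", new Set(["org-b"])],
]);
```

The membership check uses the organization id taken from the path, not one supplied in a cookie or body, so a user cannot reach another organization's data by editing a stored selection; the API branch returns 401 or 403 rather than redirecting because a JSON client cannot follow a login page.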
## Troubleshooting Access Issues

### Cannot Sign In

- Verify that your Google account is accessible
- During beta periods, check that your email domain is on the allowed list
- Clear browser cookies and try again
- Contact an existing organization member to check for invitations
### Cannot See Organization

- Confirm you’ve been invited to the organization
- Check for pending invitations in your email
- Ask an Owner or Admin to verify your membership
- Try switching organizations using the organization selector
### Limited Permissions

- Review your role assignment with an Owner or Admin
- Members have restricted access to administrative features by design
- Request a role change if additional permissions are needed
- Some features require Admin or Owner privileges
## Best Practices for Admins

### User Management

- Maintain at least two Owners per organization for redundancy
- Grant the Admin role to delivery leads and key stakeholders
- Use the Member role for operational users who only run workflows
- Regularly review user access and remove inactive members
### Security Considerations

- Monitor audit logs for suspicious access patterns
- Revoke or rotate organization access when team members leave
- Use descriptive organization names to avoid confusion
- Document role assignments and responsibilities clearly