Access
Last updated on May 21, 2026
A TofuPilot organization is a group of users, teams, and Stations that share Procedures, Runs, and yield. Every user holds one role, and every team scopes what that user can see. On top of that, SSO, SCIM, two-factor auth, and API keys round out the access model so you can wire TofuPilot into the identity system you already use.
Managing members
Invite users by email, change roles, ban access, and impersonate users for troubleshooting.
Access roles
The five roles (Owner, Admin, Developer, Viewer, Operator), what each role can do, and how to choose one.
Teams
Group stations and members into teams to scope visibility for suppliers, departments, or production lines.
Single sign-on
Authenticate members through SAML 2.0 or OIDC with your existing identity provider.
SCIM provisioning
Automatically create, update, and de-provision members from your directory.
Two-factor authentication
Add a second factor to every sign-in with passkeys or authenticator apps.
API keys
Authenticate scripts, stations, and CI runs with scoped, revocable keys.
Setup tokens
One-hour, single-use credentials that pre-authorize the TofuPilot CLI as a Station.