> ## Documentation Index
> Fetch the complete documentation index at: https://docs.rails.wayex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Team & roles

> Invite team members and assign roles that govern what each person can see and do in the console.

The console is operated by your own staff. Each person has their own account and a **role** that governs
what they can see and do.

## Team members

Your team is made up of the people at your organisation who use the console. The first administrator is set
up from an invitation link sent by email; opening it lets them set a password and activate the
organisation. From there, administrators invite additional team members, who set their own password the
first time they sign in.

Everyone signs in with their own [email and password](/console/overview#signing-in).

Membership belongs to one tenant account. If the same staff member operates multiple accounts,
access is granted and audited independently in each account.

## Roles

Each member has one role. Roles are hierarchical — a higher role includes everything a lower one can do.

| Role         | Can do                                                                                                                       |
| ------------ | ---------------------------------------------------------------------------------------------------------------------------- |
| **Viewer**   | Read-only. View direct-route resources and enabled Treasury balances, funding, settings, and transactions.                   |
| **Operator** | Viewer access plus customer/route actions and enabled Treasury beneficiary, payout, conversion, and withdrawal actions.      |
| **Admin**    | Operator access plus team, API keys, webhooks, funding instruments, stablecoin destinations, and permitted account settings. |

<Note>
  An admin manages who is on the team, what role each person holds, and your pricing and fees. There
  is no separate approval step — admins perform these actions directly.
</Note>

Money actions and sensitive destination/key changes require a fresh MFA step-up in the console. This
confirms the acting user; it does not replace server-side tenant, role, policy, limit, or balance checks.

The console adapts to your role automatically. Where an action is not available to you, the button is
hidden or disabled and the screen explains why — for example, a viewer sees a "read-only access" notice in
place of create actions.

## Audit

Sensitive actions are recorded for audit. When recording a note on an action, keep it short and never
include secrets or personal information.
