Teams & Organizations

Invitation flow

Supersaas uses an email-based invitation system to add new users to teams securely.

Invitation Initiation

When a team owner invites a new member, the client calls inviteMember from useTeam.ts:

useTeam.ts
```ts
await inviteMember(email, role);
```
  1. Team owner provides the invitee's email and role (defaults to "member").
  2. The request is sent to /api/teams/${currentTeam.value?.id}/members endpoint with a POST method.
  3. Server creates an invite record with a unique token and expiration date.
  4. The invite status is set to "pending".

Email Notification

Supersaas sends an invitation email using the member-invite.vue template.

The email below is the default; it is configurable and can be changed in the /emails/invite.vue file.

(Image: the default invite email)

Verification Process

  1. When the invitee clicks the invitation link, the request hits the /api/teams/verify-invite?token={token} endpoint.
  2. verify-invite.get.ts performs these validations:
  • Validates token format
  • Checks if invite exists and is valid
  • Verifies invite hasn't expired
  • Confirms invite status isn't already "accepted", "rejected", or "cancelled"
  3. If the user is already logged in:
  • Verifies the logged-in user's email matches the invite email
  • Checks if the user is already a team member
  • Accepts the invite directly if all checks pass
  4. If the user is not logged in:
  • Sets cookies: invite-token and invite-email
  • Redirects to the registration page
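The following is an added example, not Supersaas's own code, showing both halves of the flow above in one place: the invite record that initiation creates (unique random token, expiry, "pending" status) and the ordered checks that verify-invite.get.ts performs before either accepting the invite or parking the token and email in cookies for an anonymous visitor. The in-memory `invites` map, the 7-day TTL, the 32-byte hex token format, and the `SessionUser` shape are assumptions standing in for the real database and session.

```typescript
import { randomBytes } from "node:crypto";

// Constructed in-memory stand-in for the invite table; field names are assumptions.
type InviteStatus = "pending" | "accepted" | "rejected" | "cancelled";
type Role = "member" | "admin";

interface Invite {
  token: string;      // unique, unguessable value carried in the emailed link
  teamId: string;
  email: string;      // normalised to lower case
  role: Role;
  status: InviteStatus;
  expiresAt: number;  // epoch milliseconds
}

interface SessionUser {
  email: string;
  teamIds: string[];  // teams the logged-in user already belongs to
}

type VerifyResult =
  | { outcome: "accepted"; teamId: string; role: Role }
  | { outcome: "redirect_to_register"; cookies: { "invite-token": string; "invite-email": string } }
  | { outcome: "rejected"; reason: string };

const TOKEN_BYTES = 32;                          // 256 bits of randomness (assumed)
const TOKEN_FORMAT = /^[0-9a-f]{64}$/;           // hex encoding of TOKEN_BYTES
const INVITE_TTL_MS = 7 * 24 * 60 * 60 * 1000;   // assumed 7-day expiry

const invites = new Map<string, Invite>();

function normaliseEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Initiation steps 3 and 4: create a pending invite with a unique token and an expiry date.
function createInvite(teamId: string, email: string, role: Role = "member", now: number = Date.now()): Invite {
  const invite: Invite = {
    token: randomBytes(TOKEN_BYTES).toString("hex"),
    teamId,
    email: normaliseEmail(email),
    role,
    status: "pending",
    expiresAt: now + INVITE_TTL_MS,
  };
  invites.set(invite.token, invite);
  return invite;
}

// The verification checks, in the order the page lists them. The `reason` is for server-side
// logging; an endpoint should show an anonymous caller a single generic failure message.
function verifyInvite(token: string, user: SessionUser | null, now: number = Date.now()): VerifyResult {
  if (!TOKEN_FORMAT.test(token)) {
    return { outcome: "rejected", reason: "invalid token format" };
  }
  const invite = invites.get(token);
  if (!invite) {
    return { outcome: "rejected", reason: "invite not found" };
  }
  if (invite.expiresAt <= now) {
    return { outcome: "rejected", reason: "invite expired" };
  }
  if (invite.status !== "pending") {
    return { outcome: "rejected", reason: `invite already ${invite.status}` };
  }
  if (user === null) {
    // Not logged in: hand the token and email to the registration page via cookies.
    return { outcome: "redirect_to_register", cookies: { "invite-token": token, "invite-email": invite.email } };
  }
  if (normaliseEmail(user.email) !== invite.email) {
    return { outcome: "rejected", reason: "logged-in email does not match invite" };
  }
  if (user.teamIds.includes(invite.teamId)) {
    return { outcome: "rejected", reason: "already a team member" };
  }
  invite.status = "accepted";  // single use: a second click on the same link is rejected
  return { outcome: "accepted", teamId: invite.teamId, role: invite.role };
}
```

Passing `now` explicitly keeps expiry deterministic in tests; checking the token format before the lookup keeps arbitrary strings out of the database query, and flipping the status on acceptance is what makes the link single-use.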

Authentication Flow

(Diagram: member invite flow)
  1. For New Users:
    • User is redirected to /auth/register
    • register.vue detects invite data from cookies
    • Pre-fills email field
    • On successful registration:
      • Sets from-invite cookie
      • Automatically accepts the invite
      • Verifies the user's email (skipping verification email)
  2. For Existing Users:
    • User is redirected to /auth/login
    • login.vue detects invite email from cookie
    • Pre-fills email field
    • After login, middleware checks for invite token and processes the invite
  3. Team Dashboard Redirect
    • After successful authentication:
      • auth.ts middleware detects:
        • The from-invite cookie (for new users)
        • The invite-token cookie (for returning users)
      • If from an invite, processes the invite verification
      • Sets the joined team as the last used team
      • Redirects user to the team dashboard: /dashboard/{team-slug}
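As an added example (not the project's auth.ts), the decision the post-authentication middleware has to make is written out below as a pure function: detect the from-invite or invite-token cookie, re-run the invite verification through an injected `processInvite` hook, record the joined team as the last used team, and compute the redirect. The cookie names come from the page; the `ProcessInvite` hook, the `RedirectDecision` shape, the `/dashboard` fallback and the assumption that invite-token is still present alongside from-invite for new users are mine.

```typescript
// Constructed model of what the middleware can see after a successful login or registration.
interface InviteCookies {
  "from-invite"?: string;   // set by register.vue for brand-new users
  "invite-token"?: string;  // set by verify-invite for users sent to login/register
  "invite-email"?: string;  // email the invite was addressed to
}

interface AuthedUser { id: string; email: string }
interface Team { id: string; slug: string }

// Hypothetical hook: re-runs the server-side invite verification for this user and
// returns the joined team, or null if the token is no longer valid for them.
type ProcessInvite = (token: string, user: AuthedUser) => Team | null;

interface RedirectDecision {
  redirectTo: string;
  lastUsedTeamId: string | null;
  clearCookies: string[];   // single-use cookies to expire in the response
}

const INVITE_COOKIES = ["from-invite", "invite-token", "invite-email"] as const;

function resolvePostAuthRedirect(
  cookies: InviteCookies,
  user: AuthedUser,
  processInvite: ProcessInvite,
  defaultTeam: Team | null,
): RedirectDecision {
  const fallback = defaultTeam ? `/dashboard/${defaultTeam.slug}` : "/dashboard";
  const token = cookies["invite-token"];
  const cameFromInvite = cookies["from-invite"] !== undefined || token !== undefined;

  if (!cameFromInvite) {
    return { redirectTo: fallback, lastUsedTeamId: defaultTeam?.id ?? null, clearCookies: [] };
  }

  // Whatever happens next, the invite cookies are consumed: they must not survive to a later
  // login, where a different account could otherwise pick them up.
  const clearCookies: string[] = INVITE_COOKIES.filter((name) => cookies[name] !== undefined);

  // The token re-check below is authoritative; the email comparison only short-circuits an
  // obvious mismatch between the account that just signed in and the invited address.
  const cookieEmail = cookies["invite-email"]?.trim().toLowerCase();
  if (token === undefined || (cookieEmail !== undefined && cookieEmail !== user.email.trim().toLowerCase())) {
    return { redirectTo: fallback, lastUsedTeamId: defaultTeam?.id ?? null, clearCookies };
  }

  const team = processInvite(token, user);
  if (team === null) {
    // Expired, cancelled or mismatched invite: land the user somewhere sane instead of looping.
    return { redirectTo: fallback, lastUsedTeamId: defaultTeam?.id ?? null, clearCookies };
  }
  return { redirectTo: `/dashboard/${team.slug}`, lastUsedTeamId: team.id, clearCookies };
}
```

The two points a practitioner should take from the branches: the cookies are cleared on every path once an invite was detected, so a stale or tampered cookie cannot be replayed on the next login, and a failed re-verification still produces a valid redirect rather than bouncing the user back to the invite handler.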

Security Considerations

  • Invites have an expiration date
  • Only users with the correct email can accept invites
  • Users cannot join teams they're already members of
  • Invites can be cancelled or resent by team owners