Workspaces & Teams
Isolate keys, routing, policies, and observability per project — with team seats and agents that can self-manage inside the boundary.
A workspace is BitRouter's isolation boundary. API keys, policies, and usage data are all scoped to a single workspace. You can own any number of workspaces — one per project, environment, or agent deployment.
Credential model: user-scoped vs. workspace-scoped
Every credential is either user-scoped or workspace-scoped. This is set at issuance and cannot be changed.
| User-scoped | Workspace-scoped | |
|---|---|---|
| Carried by | Console web session (your browser) | CLI sessions, API keys (brk_), device tokens |
| Reach | All your workspaces + account-level ops | Exactly one workspace |
| Create / delete workspaces | Yes | No |
| Manage billing | Yes | Read-only |
| Manage keys, policies, usage within the workspace | Yes | Yes |
| Invoke inference | Playground only | Yes |
The Console web session is the only user-scoped credential. No long-lived root credential spans workspaces — that scope is intentionally unavailable to CLI sessions and brk_ keys.
Signing in to a workspace
bitrouter auth login runs the OAuth device flow. The browser approval page asks you to pick which workspace to grant the CLI access to. The resulting credential is baked to that workspace — all subsequent bitrouter cloud commands target it implicitly, with no --workspace flag required anywhere.
bitrouter auth login
# Open this URL in your browser to pick a workspace:
# https://cloud.bitrouter.ai/oauth/device?user_code=ABCD-EFGHTo see which workspace your current session is bound to:
bitrouter cloud namespace current # offline — reads local credential
bitrouter auth whoami # also prints the bound namespaceTo switch to a different workspace, re-run bitrouter auth login and pick a different workspace in the browser. The old credential is replaced.
bitrouter cloud namespace list # all your workspaces; active one markedns_01jxyz… default (active)
ns_01jabc… production
ns_01jdef… stagingSee the CLI reference for the full bitrouter cloud surface.
Full agent control inside the boundary
Once signed in, a CLI session (or a brk_ API key minted from it) has full autonomy within its workspace:
Keys — create, list, and revoke API keys scoped to this workspace. Any key minted here is also workspace-baked and inherits the same boundary.
bitrouter cloud keys mint --name my-agent \
--scope "inference:invoke keys:read policy:read usage:read"
bitrouter cloud keys list
bitrouter cloud keys revoke <id>Policies — read and write guardrail, rate-limit, and preset policy bindings.
bitrouter cloud policy list
bitrouter cloud policy bind <policy-id> --principal-type api_key --principal-id <key-id>
bitrouter cloud budget create --name daily-cap --window day --limit-micro-usd 5000000Usage — read per-workspace request history and spend.
bitrouter cloud usage
bitrouter cloud requests --limit 50An agent or CI job using a workspace-baked credential has no ability to reach other workspaces, manage billing, or mint a wider credential. The blast radius is bounded to the workspace.
bitrouter cloud keys mint is the recommended way for an agent to provision sub-keys for its own tools. The minted key is workspace-baked to the same workspace as the caller and cannot upscale its scopes beyond the caller's.
Managing workspaces
A default workspace is provisioned automatically on first login. Additional workspaces are created and deleted from the Console — workspace lifecycle is a control-plane operation and requires a user-scoped credential (your web session).
The CLI supports listing only:
bitrouter cloud namespace list # all workspaces you own
bitrouter cloud namespace current # the one this session is bound to (offline)You cannot delete your last workspace. BitRouter requires at least one workspace per account.
Usage reporting
Per-workspace usage is attributed at settlement time and available from both the CLI and the Console:
bitrouter cloud usage # last 30 days
bitrouter cloud usage --from 2026-05-01T00:00:00Z --to 2026-06-01T00:00:00Z
bitrouter cloud requests --limit 25 # paginated request logFor account-wide spend, see the Billing guide. Workspace-level spend caps are on the roadmap.
How is this guide?