Team Management

Teams are the organizational unit for billing, access control, and resource sharing on Marqov. All jobs, scripts, capsules, and credentials are scoped to a team.

Automatic team creation

You do not need to create a team manually. The first time you submit a job, a personal team is automatically created and you are assigned as the owner. The team is named after your email address (e.g., “alice@example.com’s Team”).

Roles

Each team member has one of three roles:

Viewing team members

Navigate to the Team settings page or call:

GET /api/team/members

Returns all members with their email, display name, role, and join date. You can optionally pass ?team_id=<uuid> to view a specific team (you must be a member).

Inviting members

Admins and owners can invite new members by email:

POST /api/team/invitations

{
  "team_id": "uuid",
  "email": "colleague@example.com",
  "role": "member"
}

The invitation:

• Sends an email with a secure token link
• Expires after 7 days
• Can be assigned admin or member role (not owner)
• Is rejected if the email is already a team member or has a pending invitation

Invitations are rate-limited to 10 per minute per user.

Managing invitations

View pending invitations:

GET /api/team/invitations

Cancel or manage an invitation:

PATCH /api/team/invitations/{id}
DELETE /api/team/invitations/{id}

Changing member roles

Admins and owners can change a member’s role between admin and member:

PATCH /api/team/members/{userId}

{
  "team_id": "uuid",
  "role": "admin"
}

Restrictions:

• The owner’s role cannot be changed
• Only admins and owners can modify roles

Removing members

Admins and owners can remove members from the team:

DELETE /api/team/members/{userId}

{
  "team_id": "uuid"
}

Restrictions:

• The team owner cannot be removed
• You cannot remove yourself (contact a team admin instead)

Managing secrets (provider credentials)

To run jobs on cloud backends (AWS Braket, Azure Quantum, IBM Quantum, IonQ), your team must configure provider credentials. Secrets are encrypted at rest and never exposed to the frontend.

Supported providers

Adding or updating secrets

Only admins and owners can manage secrets:

POST /api/team/secrets

{
  "team_id": "uuid",
  "provider": "AWS Braket",
  "secrets": {
    "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG..."
  }
}

Secrets are encrypted server-side using a database function (upsert_team_secret). The API never returns decrypted values — all secret values are masked as •••••• in responses.

Viewing secrets

GET /api/team/secrets

Returns all secrets for your teams with masked values, provider, key name, status, and timestamps. Includes validation status if the credential has been tested.

Deleting secrets

DELETE /api/team/secrets/{id}

Only admins and owners can delete secrets.

Testing credentials

POST /api/team/secrets/test

Tests the provided credentials against the provider’s API to verify they are valid before saving.

Team suspension

A team can be suspended by platform administrators. Suspended teams become read-only:

• Members can still view jobs, scripts, capsules, and results
• All write operations are blocked: submitting jobs, uploading scripts, creating capsules, managing members, managing secrets
• The API returns HTTP 403 with "code": "TEAM_SUSPENDED" and a message to contact support

Suspension is checked on every write endpoint. If your team is suspended, contact Marqov support for assistance.

Usage tracking

Team usage and spending information is available at:

GET /api/team/usage

This returns job counts, compute time, and cost breakdowns for budget monitoring.