Teams
Teams planShare a server inventory, an SSH-key vault, secrets configuration, and an AI budget across a group of people. Per-seat billing, role-based access, a full audit trail.
$29/seat/month · billed via Stripe · seat picker on the pricing page · upgrade or switch from Solo in Billing.
What you get
- Shared server inventory — every member sees the same fleet, sorted, filtered, and searchable.
- Team SSH-key vault — point the team at a single Bitwarden vault so credential rotation is one update, not n.
- Team secrets config — same idea, for non-SSH secrets (DB passwords, API keys) used in scripts.
- Role-based access — owner / admin / member, enforced server-side on every endpoint.
- Audit trail — every membership, config, and credential change is logged.
- Per-seat AI budget — each seat gets its own Servonaut AI quota; see Servonaut AI.
- Hosted MCP connections — higher per-seat allowance than the Solo plan. See Pricing for the current numbers.
Roles
| Role | Can do | Cannot do |
|---|---|---|
| Owner | Everything an admin can do, plus: change the billing plan, delete the team, transfer ownership | — |
| Admin | Invite/remove members, change roles, edit team SSH/secrets config, manage shared servers | Modify the subscription or delete the team |
| Member | Use shared servers, SSH with team credentials, see the team's AI budget remaining | Invite anyone, edit team configs, see other members' personal entitlements |
Each Teams subscription entitles its owner to one team they own. The same user can be invited as a member of any number of other teams without consuming additional billing.
Creating a team
- Subscribe to the Teams plan. Pick a seat count on the pricing page — start with 1 if you're unsure, you can add seats later. Stripe handles the checkout.
- Open /account/teams and create the team. Pick a name and a URL slug; the slug is what teammates type into the CLI to switch context.
- Invite teammates by email. They get a one-click join link; their account is created on accept if they don't already have one.
- Configure shared SSH via /account/integrations — the "Team SSH Key Config" card only shows up when you're the owner or admin of a Teams subscription.
- Add shared servers to the team inventory. Each shared server can have its own credential ref (per-server Bitwarden item), independent from the team default.
Invitations & seat limits
Inviting a member counts a seat toward your cap — both at invite time and at accept time. We re-check the cap on acceptance so a member who accepts an old invitation can't push you over the paid seat count. If you're already at the cap, the invite returns a 402 with a link to add seats in Billing.
| State | Counts toward seat cap? |
|---|---|
| Pending invitation (email sent, not yet accepted) | Yes |
| Active member | Yes |
| Removed member (kicked or left) | No |
| Owner | Yes (the owner is always seat 1) |
Shared servers
A shared server is a row in the team's inventory: name, provider
(aws / ovh / hetzner / custom),
instance id, optional username + port, optional credential ref. Once added,
every team member sees it in their CLI and can run servonaut ssh
<instance-id> — provided the team SSH config points at a vault
they can also unlock.
The pointer to a Bitwarden vault is configured once, by an admin. Each member still unlocks their own Bitwarden session locally — your master password never touches our backend or anyone else's machine.
Billing & seat management
- Add seats — /account/billing, "Add seats" button. Proration is handled by Stripe.
- Remove seats — same place. You can't go below the current head count without first removing members.
- Switch monthly ↔ yearly — yearly saves two months. Stripe prorates the in-flight period.
- Cancel — cancellation takes effect at period end. Members lose Teams-only features (shared servers, team SSH config) but keep their personal data and personal credentials.
Audit log
Every team-level state change is recorded: invitations, role changes, seat-cap bumps, SSH and secrets config rotations, member removal, plan switches. Owners can review the trail from the admin area. Each entry keeps actor, action, before/after diff, IP, and timestamp.
Switching team context in the CLI
The Servonaut CLI tracks which team you're acting as. Switch with:
Server inventory, SSH config resolution, and AI quota all respect the active
context. You can verify which team you're acting as at any time with
servonaut whoami.
Data isolation across teams
Every team's server inventory, SSH config, secrets config, AI budget, and audit log is fully isolated. A member of Team A cannot see Team B's data even when they belong to both — every request is checked against the active team context before any data is returned.