Teams, roles & single sign-on (SSO)

Create a workspace, invite members with owner/admin/member roles, read the audit log, and connect your identity provider over OpenID Connect (OIDC).

Teams and roles

A TrackJet team (organization) lets several people share one workspace. Create one from [your team panel](/my/team) — you become its owner. Every member holds exactly one role, and the role lives on the membership, so the same person can be an owner of one team and a member of another.

There are three system roles:

  • Owner — full control: manage the team, change any member's role, configure SSO, and (eventually) billing. There is always at least one owner; the last owner cannot be removed or demoted.
  • Admin — manage members (invite, remove, change roles up to admin) and read the audit log. An admin cannot touch other admins or the owner.
  • Member — use the shared workspace and see the team.

Roles are enforced on the server for every action. The interface only mirrors what your role allows; hiding a button is convenience, never the security boundary.

Inviting members

An owner or admin invites a teammate by email from the team panel. The invitation is a single-use link, valid for seven days; only the SHA‑256 of the token is stored, and the raw link is shown to you once — copy it and send it. Re‑inviting the same address supersedes any outstanding invite. The invitee must accept while signed in as the invited address.
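The invite rules above, sketched as an added example; this is not TrackJet's code. The `InviteStore` class, its method names, the in-memory dictionary and the status strings are assumptions made for illustration.

```python
import hashlib
import secrets
import time

INVITE_TTL = 7 * 24 * 3600  # seven days, as stated above


class InviteStore:
    """Hypothetical in-memory store: only the SHA-256 of each token is kept."""

    def __init__(self):
        self._by_hash = {}  # hex digest -> {"email", "expires", "used"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def invite(self, email, now=None):
        now = time.time() if now is None else now
        email = email.strip().lower()
        # Re-inviting supersedes any outstanding invite for the same address.
        self._by_hash = {h: r for h, r in self._by_hash.items()
                         if r["email"] != email or r["used"]}
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._by_hash[self._digest(token)] = {
            "email": email, "expires": now + INVITE_TTL, "used": False}
        return token  # raw token leaves the server once and is not stored

    def accept(self, token, signed_in_email, now=None):
        now = time.time() if now is None else now
        # Look up by hash: a leaked table yields no usable links.
        rec = self._by_hash.get(self._digest(token))
        if rec is None:
            return "unknown"      # never issued, or superseded
        if rec["used"]:
            return "used"         # single-use
        if now > rec["expires"]:
            return "expired"
        if rec["email"] != signed_in_email.strip().lower():
            return "wrong-account"  # must be signed in as the invited address
        rec["used"] = True
        return "ok"
```

Plain unsalted SHA-256 is adequate here only because the token is a long random value; the same scheme would not be suitable for user-chosen secrets.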

Every change — team created, member invited, role changed, member removed, SSO saved — appends a row to a client‑visible audit log on the team panel. The log is append‑only.

Single sign-on (OIDC)

Owners can connect an identity provider so members sign in with your company account. TrackJet implements OpenID Connect (OIDC) with the Authorization Code flow and PKCE — the standard that Okta, Microsoft Entra ID and Google Workspace all speak.

Configure it under SSO in the team panel. You will register two URLs with your IdP (both shown on the panel for your workspace):

  • a redirect URI of the form https://trackjet.world/sso/<your-workspace>/callback
  • a login start URL https://trackjet.world/sso/<your-workspace>/start

Then fill in the issuer, client ID, the authorize / token / JWKS endpoints, and an optional allowed email domain that restricts who may be provisioned. The client secret is never stored in TrackJet: you set the name of an environment variable, and the secret value lives in the server's .env. When SSO is enabled, members reach it from the login page by entering your workspace or a work email.

On a successful sign-in, the id_token signature is verified against your IdP's JWKS and the issuer, audience, expiry and nonce are checked before a user is provisioned at the connection's default role.

Honest scope

SSO today is OIDC only — SAML is not implemented. The live sign-in round-trip requires your real identity provider, so test it against your IdP after configuring it. Provisioning only ever creates a member or admin; it never grants ownership and never downgrades an existing role. The same security posture that backs the rest of the platform is summarised in the [Trust Center](/trust).