> ## Documentation Index
> Fetch the complete documentation index at: https://docs.withsutro.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Managing organization members

> How to invite, approve, and manage members in your Sutro organization.

**Members** are users within your organization who can access the Sutro Console. They can review usage, manage [Builders](/docs/getting-started/auth/builders), and configure certificates for verifying Builder requests.

When Sutro is first configured, a **root account** is created for initial setup and administration.

From there, you can add additional members using one of the methods below.

## Authentication flow

Members authenticate using JWTs issued by the **Sutro Auth Server**:

1. Members log in via the **Sutro Auth Server** using their credentials.
   * Currently supports **username/password** authentication.
   * Future releases will include SSO and identity provider integration.

2. Upon successful login, the Auth Server issues a [JSON Web Token (JWT)](/docs/getting-started/auth/jwts).
   * Include this token in the `Authorization` header of all API requests.

## Add members

### 1. Invite by email

Invite members directly via email. The invitation includes a setup link. Once they create their account, they're automatically added to your organization.

<Note>This is the simplest and most controlled onboarding method.</Note>

### 2. Self-signup

Allow users to register without an invitation. By default, self-signed users have no access until they're approved or belong to a pre-registered domain.

## Approve members

### Automatic approval

Users are automatically added to your organization if:

* Their email matches a **pending invitation**, or
* Their domain is already **registered and verified**.

Any matching invitations are automatically marked as accepted.

### Manual approval

If a user signs up without an invitation or verified domain, a **member** with the proper permissions must approve them manually.

<Warning>Only members with authorization can approve new members.</Warning>

## Member domains

You can automatically approve members from trusted domains by registering those domains with the **User Management API (UAPI)**.

1. Register your domain using the UAPI.
2. Add the DNS record provided by the API to verify ownership.
3. Once verified, users with matching email domains are automatically approved.

<Note>DNS verification can take some time depending on propagation speed.</Note>

## Summary

| Method                          | Description                                          | Requires Manual Approval |
| ------------------------------- | ---------------------------------------------------- | ------------------------ |
| Email Invitation                | Invite users via email; link adds them automatically | No                       |
| Self-Signup (Verified Domain)   | User registers with verified domain                  | No                       |
| Self-Signup (Unverified Domain) | User registers manually                              | Yes                      |
| Member Domain Registration      | Automatically approves users from trusted domains    | No                       |
