DocumentationAPI ReferenceKnowledge Base
Learn

Workspaces & teams

A workspace is the top-level isolation boundary. Teams are named sub-groups within it with their own path namespace. Invite members with POST /v1/auth/invitations.

A workspace is the top-level isolation boundary. Every API key belongs to exactly one workspace; cross-workspace reads are not possible. Teams are named sub-groups within a workspace, each with its own /workspace/teams/<slug>/ path namespace.

Your workspace

curl 'https://brain.unisonlabs.ai/v1/auth/workspaces' \
  -H "Authorization: Bearer $UNISON_TOKEN"
unison auth workspaces

Returns a list of workspaces the key belongs to, with role (owner, admin, member, viewer) and metadata.

Inviting a teammate

curl -X POST https://brain.unisonlabs.ai/v1/auth/invitations \
  -H "Authorization: Bearer $UNISON_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "email": "ada@example.com", "role": "member" }'

Roles: admin, member, viewer. When the invitee provisions an account with that email, they join your workspace automatically. List pending invitations:

curl 'https://brain.unisonlabs.ai/v1/auth/invitations' \
  -H "Authorization: Bearer $UNISON_TOKEN"
unison auth invitations

Team namespaces

Teams are implicit — there is no "create team" endpoint. Writing to /workspace/teams/<slug>/ creates the team slug. Any workspace member with brain:write can write to any team path.

// Write to the platform team's namespace
await brain.write({
  path: "/workspace/teams/platform/runbooks/deploy.md",
  bodyMd: "# Deploy runbook\n\n…",
  title: "Deploy runbook",
});

// Recall scoped to platform team
const ctx = await brain.context({
  q: "deploy process",
  pathPrefix: "/workspace/teams/platform/",
});

Team path reads are visible to all workspace members. If you need tighter isolation within a workspace, use separate workspaces — there is currently no sub-team ACL.

Workspace-level shared memory

Documents written to /workspace/ (not under a team slug) are shared across the entire workspace. This is the right layer for canonical knowledge that every agent needs: runbooks, ADRs, org policies.

await brain.write({
  path: "/workspace/decisions/adr-001-queue.md",
  bodyMd: "# ADR-001…",
  title: "ADR-001: Queue selection",
});

Multi-workspace keys

A key belongs to one workspace. For agents that span workspaces, mint a key per workspace. GET /v1/auth/whoami shows which workspace the current key resolves to.

See also: Scopes & visibility · API reference

Scopes & visibility

Where you write is who sees it. /private/ for the caller, /workspace/teams/<slug>/ for a team, /workspace/ for the whole workspace. No permission matrix.

Auth & API keys

Email-OTP provisioning, API key scopes (brain:read, brain:write, brain:admin, brain:act-as), key lifecycle, and per-user actor delegation.

On this page

Your workspaceInviting a teammateTeam namespacesWorkspace-level shared memoryMulti-workspace keys