Teams admin
How to set up Korva for an engineering team — license activation, member invites, Skills Hub, Private Scrolls, and the audit log. Every admin mutation is recorded immutably for compliance.
Updated: 2026-04-30
This guide walks an admin from “I bought a Teams license” to “every member of my team is sharing skills, private scrolls and a single audit log”.
1. Activate the license
```bash
korva license activate <your-key>
korva license status   # confirm tier=teams
```

The license is a JWS RS256 token. The Vault verifies the signature offline using the public key embedded in the binary. An optional 24 h heartbeat keeps it fresh; if the licensing endpoint is unreachable for 7+ days the install gracefully degrades to Community (no data is deleted).
2. Create the team
```bash
# → returns team_id
```

`team_id` is a ULID — write it down or read it again with `korva teams list`.
3. Invite members
```bash
# → token is shown ONCE; email is sent automatically if Resend is configured
```

If you’ve configured Resend (`KORVA_EMAIL_API_KEY` + `KORVA_EMAIL_FROM`), the invitee gets an email. Otherwise share the token out-of-band — securely.
By default, invited members get role=member. To grant admin panel access, use --role admin:
Who can access the admin panel?
There are two ways to log in at /admin:
| Method | Used by |
|---|---|
| Admin Key (~/.korva/admin.key) | The person who installed the vault |
| Session Token (~/.korva/session.token) | Any team member with role=admin |
This matters most for shared vault deployments — when your team runs a single vault on a server (e.g. vault.yourcompany.com), any engineer you invite with --role admin can access the admin panel using their own session token without ever needing the server’s private key.
4. Members redeem the invite
On the developer’s machine:
```bash
korva auth redeem <invite-token>
# → writes ~/.korva/session.token (mode 0600)
```

Members can now call `vault_team_context` (Teams-only MCP tool) to get their team’s skills and private scrolls injected into AI sessions.
5. Distribute skills (Skills Hub)
```bash
# As a member, after redeeming the invite:
korva skills sync
# → pulls changed skills → writes ~/.claude/<skill>.md

korva skills hook install
# → registers a PreToolUse hook in ~/.claude/settings.json so Claude Code
#   auto-syncs before every session
```

Admins create / edit / version skills via the Beacon Admin Skills page at http://localhost:7437/admin/skills. Every change creates an immutable history entry (`skill_history` table) and a sync event the next time members run `korva skills sync`.
6. Manage private scrolls
```bash
open http://localhost:7437/admin/scrolls-private
```

Private Scrolls are the Teams-tier knowledge-injection layer. Unlike public Lore scrolls (which live in your team-profile Git repo), Private Scrolls live in the Vault DB and never leave your servers. Use them for:
- Internal architectural decisions
- Specific domain language conventions
- Confidential business rules
- Anything you don’t want even your own Git history to remember
7. Inspect the audit log
```bash
open http://localhost:7437/admin/audit
```

Every admin mutation — create team, add member, delete skill, deploy private scroll, modify privacy setting — is recorded in `audit_logs` with `actor`, `action`, `target`, `before_hash`, `after_hash`, `created_at`. Logs are immutable, append-only, and exportable.
Off-boarding
When a member leaves:
```bash
korva teams remove-member <team_id> <email>
```

The member’s session token is invalidated server-side; their next call to `/auth/me` returns 401. Their knowledge stays in the vault — the observations, decisions and patterns they saved are still there for the next developer who works on those files. This is one of the core reasons Korva exists.
Self-hosting the team’s vault
The procedure for sharing a single Vault across the team is documented in Self-hosting. At a high level:
- Run `korva-vault` behind Traefik on a VPS / your private cloud.
- Mount the admin.key as a secret (read-only).
- Have team members set `KORVA_VAULT_HOST=vault.yourcompany.com` so their CLI talks to the shared server.
Compliance posture
- All vault data stays in your infrastructure. The licensor never sees observations, skills or scrolls.
- License heartbeat transmits only `license_id`, `install_id` and a timestamp — nothing about your code.
- Audit log entries are content-addressed (before/after SHA256 hashes) so tampering is detectable.
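
An added example (not Korva's own code) of how an exported audit log with the `before_hash` / `after_hash` fields described in step 7 and in the list above can be checked for tampering. It assumes a JSON Lines export and that each hash is the hex SHA-256 of the target's content, with null where no content exists; the export format, target names and sample entries are constructed.

```python
import hashlib
import json

# Constructed sample export: one JSON object per line, using the field names
# the page lists for audit_logs. Hash semantics are an assumption: SHA-256 hex
# of the target's content before/after the change, None when there is none.
def h(content):
    return hashlib.sha256(content.encode()).hexdigest()

SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    {"actor": "ana@example.com", "action": "skill.create", "target": "skill:review",
     "before_hash": None, "after_hash": h("v1"), "created_at": "2026-04-01T10:00:00Z"},
    {"actor": "ana@example.com", "action": "skill.update", "target": "skill:review",
     "before_hash": h("v1"), "after_hash": h("v2"), "created_at": "2026-04-02T09:00:00Z"},
    {"actor": "bo@example.com", "action": "scroll.deploy", "target": "scroll:billing",
     "before_hash": None, "after_hash": h("rules-a"), "created_at": "2026-04-03T12:00:00Z"},
    {"actor": "bo@example.com", "action": "skill.update", "target": "skill:review",
     "before_hash": h("v2"), "after_hash": h("v3"), "created_at": "2026-04-04T08:00:00Z"},
])


def verify_audit_export(export_text, current_content):
    """Return a list of findings; an empty list means the chain is consistent."""
    entries = [json.loads(line) for line in export_text.splitlines() if line.strip()]
    entries.sort(key=lambda e: e["created_at"])  # ISO-8601 UTC sorts lexically
    last_after = {}  # target -> after_hash of the most recent entry seen
    findings = []
    for e in entries:
        target = e["target"]
        expected = last_after.get(target)  # None for a target's first entry
        if e["before_hash"] != expected:
            findings.append(f"{e['created_at']} {target}: before_hash does not "
                            f"match previous after_hash ({e['action']} by {e['actor']})")
        last_after[target] = e["after_hash"]
    # The newest after_hash must describe what is actually stored right now.
    for target, content in current_content.items():
        if last_after.get(target) != h(content):
            findings.append(f"{target}: current content does not match last after_hash")
    return findings
```

A removed or edited entry shows up as a break between one entry's `after_hash` and the next entry's `before_hash` for the same target; a change made outside the admin path shows up as a mismatch against the current content.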
Pricing & limits
- Teams ($9/user/mo launch, $19 regular, 3-seat minimum): Skills Hub, Smart Skill Loader, Private Scrolls, Team Management, RBAC, Audit Log, email invites, `vault_code_health`, `vault_pattern_mine`, multi-profile workspaces, private cross-team Hive sync, Beacon analytics dashboard, email support with SLA.
- Talk to sales for custom contracts requiring SSO/SAML/SCIM, on-premises dedicated deployments, custom retention policies, SOC 2-aligned exports, dedicated Slack channel or 99.9 % uptime SLA — these are negotiated on top of the Teams tier and do not change the plan name.
See Pricing for full feature matrix.
Next
- Concepts → Beacon — the admin dashboard
- Self-hosting — sharing the vault across the team
- Lore — public scrolls vs private scrolls