Foundation

Workspaces
the boundary your team lives in.

A workspace is the home for a team, the apps they build, and the environments they ship to. It's what owns every agent run, every migration, every release — not the individual app.

Team-scopedTenant-isolatedSSO ready

Start free Book a demo

app.algorithmshift.ai/acme-workspace

Workspaces

Acme

Beta Labs

Contoso

Apps in Acme

ops-toolsdev · staging · prod

customer-portaldev · staging

analytics-dashboardsdev

The problem

Most AI tools put everything under one flat account — no room for multiple apps, multiple environments, or multiple people with different access. AlgorithmShift starts from the other end: a workspace is the unit, apps live inside it, and every capability — roles, audit log, integrations — lives at that level so a new app doesn't mean a new onboarding.

[01]

One workspace per team.

Each workspace is owned by one team. Members, roles, integrations, and the audit log live here — not on individual apps. A new app doesn't mean a new invite flow.

Owner / Admin / Developer / Reviewer / Viewer roles by default
Custom roles on Enterprise tier
Members can belong to many workspaces

acme / settings / roles

Role	View	Edit	Approve	Run	Admin
Owner	✓	✓	✓	✓	✓
Admin	✓	✓	✓	✓	✓
Developer	✓	✓	—	✓	—
Reviewer	✓	—	✓	—	—
Viewer	✓	—	—	—	—

[02]

Apps inherit the workspace graph.

Every app inside a workspace shares the same agent catalog, the same environments, the same audit trail. The workspace is the infrastructure; apps are what you build on it.

Shared environments (dev / staging / prod) across apps
Shared integrations — connect Slack once, every app gets it
Shared secrets manager — rotate credentials once

Workspace structure

Workspace: Acme

app: ops-toolsinherits agents · envs · audit log

app: customer-portalinherits agents · envs · audit log

app: analytics-dashboardsinherits agents · envs · audit log

[03]

Tenant-isolated from the first line of SQL.

Your data, your generated code, your sandboxes — all live under a per-tenant namespace. Row-level security policies make cross-tenant reads physically impossible from an application connection. Not a runtime check; a database-level guarantee.

Row-level tenancy in every table
Per-tenant encryption keys (Enterprise)
Dedicated region / account on request

platform-db.algorithmshift.ai › tenants

-- every tenant's data lives under its own namespace

SELECT * FROM project_tasks

WHERE tenant_id = current_tenant();

RLS policy enforced

application connections cannot read across tenants

[04]

SSO + SCIM provisioning.

Enterprise workspaces plug into your identity provider. Join or leave a team in Okta — join or leave the workspace automatically, with the role your IdP says you have.

SAML 2.0 + OIDC
SCIM v2 auto-provisioning + deprovisioning
Group-to-role mapping

Okta / Google / Azure AD

SAML 2.0 assertion · group claim

AlgorithmShift workspace

role := mapping[group]

[05]

Audit trail at the workspace level.

Every action — approvals, agent runs, migration applies, role changes — writes an immutable record scoped to the workspace. Exportable to your SIEM.

Immutable event log
JSON + CSV export
Webhook stream to S3 / GCS / Splunk / Datadog

acme / audit log

10:03alice@acmeapproved requirementreq_bulk_delete
10:04runnerapplied migration20260420_001_add_trash
11:22bob@acmerole changedDeveloper → Admin
14:17runnerexported SQL bundlerelease_v2_4_0

Default roles

+ custom on Enterprise

SSO

SAML 2.0 / OIDC

SCIM on Enterprise

RLS

Row-level tenancy

enforced by Postgres

1 yr

Audit retention

exportable longer

FAQ

Common questions

Can one user belong to many workspaces?

Yes — you can be a member of as many workspaces as you're invited to. Roles are workspace-scoped, so you can be an Admin in one and a Viewer in another without any overlap.

Do apps inherit workspace members automatically?

Yes. Members of a workspace can access every app inside it, at whatever role they hold. If you need app-level access control beyond that, Enterprise supports custom roles scoped per app.

Can I move an app between workspaces?

Today, no — apps are workspace-bound. Export + re-import is supported for the code, but the run history and audit log stay with the origin workspace. Enterprise customers can request a managed migration.

What happens when a member is removed?

Their session is revoked immediately, any pending approvals reassign to the workspace admin, and their identity is preserved on past audit-log rows (so history stays intact without leaving dangling references).

See the full platform in action.

Bring a real requirement. Watch it become a running app you can ship.