Invitations
Overview
ASD uses an email-based invitation system to add members to organisations. Invitations include a pre-assigned role so new members get the right permissions from the moment they join.
Sending an Invitation
Organisation owners and admins can invite new members:
- Go to Account > Organisation > Members
- Click Invite Member
- Enter the recipient’s email address
- Select a role (Admin, Finance, or Member)
- Click Send Invitation
The recipient receives an email with a link to accept the invitation. If they do not have an ASD account yet, they are prompted to sign up first.
Invitation Lifecycle
Each invitation goes through a defined set of states:
Pending → Accepted
        ↘ Expired
        ↘ Revoked

| State | Description |
|---|---|
| Pending | Invitation created, waiting for recipient to accept |
| Accepted | Recipient joined the organisation |
| Expired | 7 days passed without acceptance |
| Revoked | Manually cancelled by an owner or admin |
Expiration
Invitations expire after 7 days. After expiration, the invitation link no longer works. You can resend the invitation to generate a new link.
Resending
If an invitation is pending or expired, it can be resent from the members page. Resending generates a new invitation token and resets the 7-day expiration timer.
Revoking
Owners and admins can revoke a pending invitation at any time. Revoked invitations cannot be accepted or resent; a new invitation must be created instead.
Accept Flow
When an invitee clicks the invitation link:
- Existing user: they are added to the organisation with the pre-assigned role and redirected to the dashboard
- New user: they are redirected to the signup page. After completing onboarding, the invitation is automatically applied
The accept flow runs the accept_organisation_invite RPC function, which:
- Validates the invitation token
- Checks the invitation has not expired or been revoked
- Creates an organisation_members record with the assigned role
- Marks the invitation as accepted
Role Assignment
The role selected during invitation determines the new member’s permissions immediately upon acceptance. See RBAC for what each role can do.
| Invitable Role | Who Can Assign |
|---|---|
| Admin | Owner only |
| Finance | Owner and Admin |
| Member | Owner and Admin |
The owner role cannot be assigned via invitation; ownership can only be transferred from the current owner.
Security
- Invitation tokens are single-use and cryptographically random
- Tokens expire after 7 days
- Each invitation is tied to a specific email address, so the token only works for that email
- Accepted invitations cannot be reused
- All invitation actions (send, accept, revoke) are logged for audit purposes
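The checks listed under Accept Flow and the properties in this Security list can be modelled in a few lines. The following is an added example, not ASD's accept_organisation_invite function: it is an in-memory Python model, and the class names, return strings and the choice to store only a SHA-256 hash of the token are assumptions made for illustration.

```python
import hashlib, secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
TTL = timedelta(days=7)  # expiry window stated on the page
def _digest(token: str) -> str:  # assumption: only a hash of the token is stored
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Invite:
    email: str
    role: str
    token_hash: str
    expires_at: datetime
    state: str = "pending"

@dataclass
class Org:
    invites: list = field(default_factory=list)
    members: dict = field(default_factory=dict)  # email -> role
    audit: list = field(default_factory=list)    # (action, email) tuples

    def send(self, email, role, now):
        if role not in ("admin", "finance", "member"):  # owner is never invitable
            raise ValueError("role cannot be assigned via invitation")
        token = secrets.token_urlsafe(32)  # random; returned once, for the email link
        self.invites.append(Invite(email.lower(), role, _digest(token), now + TTL))
        self.audit.append(("send", email.lower()))
        return token

    def revoke(self, email):
        for inv in self.invites:
            if inv.email == email.lower() and inv.state == "pending":
                inv.state = "revoked"
                self.audit.append(("revoke", inv.email))

    def accept(self, token, user_email, now):
        inv = next((i for i in self.invites if i.token_hash == _digest(token)), None)
        if inv is None:
            return "invalid_token"
        if inv.email != user_email.lower():  # token is bound to the invited address
            return "email_mismatch"
        if inv.state == "pending" and now >= inv.expires_at:
            inv.state = "expired"
        if inv.state != "pending":  # accepted, expired and revoked all refuse
            return "rejected:" + inv.state
        inv.state = "accepted"  # single use: a second accept hits the branch above
        self.members[inv.email] = inv.role
        self.audit.append(("accept", inv.email))
        return "ok"
```

In a database-backed version the state check and the update to accepted must happen in one transaction, otherwise two concurrent requests with the same token could both pass the pending check.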
Email Delivery
Invitation emails are sent via Supabase Auth’s built-in email system using custom-branded templates. The email includes:
- The organisation name and the role being assigned
- A magic link to accept the invitation
- An expiration notice
Related Guides
- Organisations — how organisations and membership work
- RBAC — role permissions and access control
- Onboarding — new user signup flow