Organizations
What is an organization?
An organization is the top-level tenant in Mipiti. Organizations own workspaces, which in turn hold threat models, systems, and all other data. Every user belongs to exactly one organization.
Organizations provide:
- Tenant isolation — each org's data is stored in a separate encrypted database
- Member management — admins control who belongs to the org and their roles
- Resource boundaries — workspace limits, member limits, and credit quotas are scoped per-org
Members
Inviting members
Admins can invite users to an organization by email:
- Navigate to Settings > Organizations and select your org
- Enter the user's email in the Invite by email field
- Click Invite (or press Enter)
The user must already have a Mipiti account. Inviting adds them to the organization.
Roles
| Role | Threat models | Members | Org settings |
|---|---|---|---|
| Admin | Full access | Invite, remove, change roles | Edit name, description |
| User | Full access | View only | View only |
- Admin is the org-level management role. Admins manage members, org settings, billing, and credit quotas within their organization. This role is only available in organizations with org-level billing (Organization or Enterprise tier).
- User is the default role for all members. Users have full access to threat models within the org's workspaces.
Changing roles
Admins can change a member's role using the dropdown next to their name in the members list.
Removing members
Click Remove next to a member's name. The user's account is not deleted — they are simply removed from the organization.
Editing your organization
Navigate to Settings > Organizations, select your organization, then modify the Name or Description fields and click Save Changes.
Resource limits
Each organization has configurable limits on workspaces and members.
Enforcement
- Workspace limit: When an org reaches its workspace limit, creating a new workspace returns an error. Personal workspaces are excluded from the count.
- Member limit: When an org reaches its member limit, inviting a new member returns an error.
Usage monitoring
The Limits & Usage section shows current usage alongside configured limits with color-coded progress bars:
- Blue — under 70% utilization
- Yellow — 70-89% utilization
- Red — 90%+ utilization
Admins can also query usage programmatically:
GET /api/organizations/{org_id}/usage
Returns:
{
"workspace_count": 5,
"member_count": 12,
"max_workspaces": 10,
"max_members": 0
}
Credit pool
Each organization has a shared credit pool. Members consume credits from the org pool instead of personal balances.
How it works
- Org admin manages the subscription — credits from the org plan go to the shared pool
- Members consume from the pool — every generation, refinement, or control generation deducts from the org balance
Per-member quotas
Org admins can set monthly and daily credit limits per member to control spend:
- Navigate to Settings > Organizations and select your org
- In the Credit Pool section, click Set Quota next to a member
- Enter monthly and/or daily limits (0 = unlimited within the pool)
- Click Save
When a member exceeds their quota, generation is blocked until the period resets. Quotas reset automatically — monthly on the 1st, daily at midnight.
Viewing usage
The Credit Pool section shows:
- Organization balance — total credits remaining in the pool
- Per-member table — each member's monthly/daily usage and limits
Members see their own quota usage in Settings > Account > Billing with progress bars for monthly and daily consumption.
API endpoints
| Method | Path | Description |
|---|---|---|
POST |
/api/organizations/{org_id}/credits |
Grant credits to org pool (admin) |
GET |
/api/organizations/{org_id}/credit-usage |
Per-member usage breakdown (admin) |
GET |
/api/organizations/{org_id}/members/{uid}/quota |
Get member quota |
PUT |
/api/organizations/{org_id}/members/{uid}/quota |
Set monthly/daily quota (admin) |
Integrations (Jira / Confluence)
Jira and Confluence integrations are configured at the organization level. The connection belongs to the org, not to individual users.
How it works
- Org admin configures the integration — selects the target Jira project and Confluence space from Settings > Integrations
- Members connect their own Atlassian accounts — each member who wants to export authenticates via OAuth from Settings > Integrations > Jira
- Members export — any connected member can use "Export to Jira" on their models
The org admin controls where data goes. Atlassian controls who can authenticate. Mipiti does not maintain a separate per-user whitelist — if a member can authenticate with Atlassian and has access to the configured project, they can export.
Authorization
| Action | Who | Where |
|---|---|---|
| Configure integration (project, space) | Org admin | Settings > Integrations |
| Connect Atlassian account | Any org member | Settings > Integrations |
| Export to Jira / sync to Confluence | Any connected member | Model page |
| Restrict exports to admins only | Org admin | Settings > Integrations |
| Disconnect integration | Org admin | Settings > Integrations |
Personal workspaces
Jira and Confluence integration is not available for personal workspaces (users not in an organization). If you need these integrations, join an organization where an admin has configured them.
Security
Org admins have access to security operations in Settings > Organizations > Security.
Database key rotation
Rotates the SQLCipher AES encryption key for the organization's database. This re-encrypts the database file with a new key without any data loss or downtime.
When to use:
- Periodic key rotation per your security policy
- After revoking access from a former team member who may have had infrastructure access
- As part of incident response
Click Rotate Database Key and confirm. The operation completes in seconds.
Jira token refresh
Forces a refresh of all Jira OAuth tokens for every connected member in the organization. Useful when tokens are suspected compromised or after Jira permission changes.
Click Refresh Jira Tokens and confirm. Results show how many connections were refreshed and how many failed (e.g., if a member's Jira access was revoked).
This endpoint is rate-limited to once per 5 minutes per organization to protect against Atlassian API rate limit exhaustion and token invalidation churn.
API endpoints
| Method | Path | Description |
|---|---|---|
POST |
/api/organizations/{org_id}/rotate-db-key |
Rotate org database encryption key (admin) |
POST |
/api/organizations/{org_id}/refresh-jira-tokens |
Force-refresh all Jira tokens (admin) |
Platform encryption (superadmin)
Superadmins have access to additional platform-level encryption operations for rotating per-org Fernet DEKs (Jira, MFA, or all). These are KMS-wrapped key rotations that re-encrypt all affected secrets across the platform.
Organizations vs. workspaces
Organizations and workspaces serve different purposes:
| Organization | Workspace | |
|---|---|---|
| Scope | Tenant boundary (billing, data isolation) | Collaboration boundary (shared models, systems) |
| Members | All users in the org | Subset of org users |
| Data isolation | Encrypted, per-org database | Logical (within the org's database) |
| Hierarchy | Contains workspaces | Belongs to one organization |
A typical setup: one organization per company, with workspaces for different teams or projects within that company.