Workspaces
Workspaces are the top-level multi-tenant containers in the template. Each workspace has its own members, settings, and data — all isolated from other workspaces via Supabase Row Level Security (RLS).
Creating a Workspace
- Click the workspace switcher in the sidebar header.
- Select Create Workspace.
- Enter a name — the URL slug is generated automatically.
- Click Create.
You become the Owner of any workspace you create.
Switching Workspaces
The SidebarWorkspaceSwitcher component persists your active workspace to a cookie (active_workspace_id). All navigation and data fetches are scoped to the active workspace.
Role Hierarchy
Three roles are supported: Owner, Admin, and Member.
| Permission | Owner | Admin | Member |
|---|
| View workspace | Yes | Yes | Yes |
| View members | Yes | Yes | Yes |
| Update workspace settings | Yes | Yes | No |
| Delete workspace | Yes | No | No |
| Invite members | Yes | Yes | No |
| Remove members | Yes | Admins only* | No |
| Change roles | Yes | Members only** | No |
| Transfer ownership | Yes | No | No |
| Leave workspace | No*** | Yes | Yes |
* Admins can only remove members, not other admins or owners.
** Admins can only promote/demote members, not admin or owner roles.
*** Owners must transfer ownership before they can leave.
Server Actions
All workspace operations live in @/lib/workspaces/actions:
import {
createWorkspace,
getWorkspaces,
getWorkspace,
updateWorkspace,
deleteWorkspace,
getWorkspaceMembers,
updateMemberRole,
removeMember,
leaveWorkspace,
transferOwnership,
} from "@/lib/workspaces/actions";
Permission checks live in @/lib/workspaces/role-utils (pure functions, safe for client-side use) and @/lib/workspaces/roles (server actions that query the database).
Workspace Context
Access the active workspace in any Client Component:
import { useWorkspace } from "@/lib/workspaces/context";
export function MyComponent() {
const { activeWorkspace, workspaces, setActiveWorkspace, isLoading } = useWorkspace();
return <p>Active: {activeWorkspace?.name}</p>;
}
RLS Enforcement
All workspace-scoped tables use RLS policies that call the is_workspace_member(workspace_id) SQL helper. No data is accessible without a valid session and matching membership row.
Never use the admin Supabase client to fetch workspace-scoped user data in a context where cross-workspace leakage would be a problem — the admin client bypasses RLS.
Settings
Owners and admins can navigate to Workspace Settings to update the workspace name. The Danger Zone (delete workspace) is visible only to owners. The Members tab exposes the MembersManagement component for role changes, removal, and ownership transfer.