Teams, SCIM, Platform APIs & Audit Logs

A wave of access control and platform upgrades — Teams with team-owned service accounts and role overrides, SCIM v2 provisioning to drive the user lifecycle from your identity provider, the full management REST API for Apps, Environments, Roles, Service Accounts, and Members, and a new org-wide audit log that captures every management action across your organization. Here's the full recap.
Teams
Teams are organization-level groups of members and service accounts that share access to a set of apps. Instead of adding ten engineers to an app one by one, you add them to a Team and grant the Team access — environment keys are automatically provisioned on join and revoked on removal.

Teams add a powerful new way for departments within an organization to operate autonomously without the need for top-down intervention from org admins.
Automatic access grants
When a member or service account joins a Team that already has app access, Phase provisions the required environment keys on their behalf using Server-Side Encryption. No waiting on an admin or need for manual provisioning.
Team-owned service accounts
Service accounts can now belong directly to a Team. They don't appear in the org-wide service accounts list, only Team members can issue tokens against them, and they can only be attached to the Team's apps.
Until now, anyone with the right RBAC permissions on Service Accounts could see and manage every service account in the org. That worked for centrally managed automation, but it broke down for teams that wanted their programmatic and agentic identities to live inside the same access boundary as their human ones — letting teams be more self-governing, even as more workflows shift to AI agents and other long-running automation.
Role overrides
A Team can optionally override the org-level role for its members and, separately, for its service accounts. Role overrides let team owners apply their own RBAC policies to team members within the apps and environments that the team manages.
Set up your first Team from Access → Teams in your org settings. Check out the Teams docs for the full walkthrough.
Teams are currently available on the Pro and Enterprise tiers.
Available in Console v2.68.0.
SCIM Provisioning
SCIM v2 closes the loop between your identity provider and Phase. Once configured, your IdP creates, updates, and deprovisions users in Phase automatically — and group assignments in your IdP map directly onto Teams.

Supported at launch:
- Microsoft Entra ID (requires Entra P1/P2 for enterprise app provisioning)
- Okta (via a dedicated SWA application, alongside your existing OIDC SSO app)
What's covered:
- User provisioning — New users are created in your org with a `Pending` status and activate on first SSO login
- User deprovisioning — Removing a user in your IdP deletes their org membership and revokes their cryptographic keys
- Group → Team sync — IdP groups are mirrored as Phase Teams, with a `SCIM` badge to make their origin clear. Membership stays in sync as group assignments change in your IdP
SCIM works hand-in-hand with OIDC SSO — SCIM handles the lifecycle, SSO handles the actual sign-in.
Check out the SCIM Provisioning docs for the full Entra ID and Okta setup walkthroughs.
SCIM is currently available on the Enterprise tier.
Available in Console v2.68.0.
Management REST APIs
The Phase REST API now covers the full surface area of organization management. You can create, read, update, and delete Apps, Environments, Roles, Service Accounts, and Members programmatically — no GraphQL required.
| Resource | Endpoints |
|---|---|
| Apps | GET/POST /v1/apps/, GET/PUT/DELETE /v1/apps/:id/, PUT /v1/apps/:id/access/ |
| Environments | GET/POST /v1/apps/:id/environments/, GET/PUT/DELETE /v1/environments/:id/ |
| Roles | GET/POST /v1/roles/, GET/PUT/DELETE /v1/roles/:id/ |
| Service Accounts | GET/POST /v1/service-accounts/, GET/PUT/DELETE /v1/service-accounts/:id/, PUT /v1/service-accounts/:id/access/ |
| Members | GET/POST /v1/members/, GET/PUT/DELETE /v1/members/:id/, PUT /v1/members/:id/access/ |
| Invites | GET /v1/invites/, DELETE /v1/invites/:id/ |
Every endpoint accepts a User PAT or Service Account token, enforces the same RBAC checks as the Console, respects your org's IP allowlist, and is rate-limited by plan.
Declarative access management — The /access/ endpoints are declarative: submit the full desired set of app and environment grants, and Phase atomically reconciles them. On SSE-enabled apps, the server decrypts environment keys and re-wraps them for the target member or service account's identity key, so there's no client-side crypto to handle.
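Because the `/access/` endpoints take the full desired set, any grant left out of a request is revoked when Phase reconciles. The following is an added example, not Phase's own code: a local dry-run that diffs current against desired grants before anything is submitted, assuming a hypothetical grant shape of app ID mapped to a set of environment names.

```python
# Added example: dry-run for a declarative access update.
# Assumption: grants are modelled as {app_id: {environment, ...}}; the real
# request body is defined in the Management API docs, not on this page.

def plan_access_change(current, desired):
    """Return (to_grant, to_revoke) as sorted lists of (app, env) pairs."""
    cur = {(app, env) for app, envs in current.items() for env in envs}
    want = {(app, env) for app, envs in desired.items() for env in envs}
    return sorted(want - cur), sorted(cur - want)


def check_plan(current, desired, expected_revocations=frozenset()):
    """Raise if reconciling to `desired` revokes grants the caller did not list."""
    to_grant, to_revoke = plan_access_change(current, desired)
    unexpected = [g for g in to_revoke if g not in expected_revocations]
    if unexpected:
        raise ValueError(f"desired set would revoke unlisted grants: {unexpected}")
    return to_grant, to_revoke


# Constructed sample data (hypothetical app and environment names).
CURRENT = {"app-billing": {"dev", "staging", "prod"}, "app-web": {"dev"}}

# Intent: give the identity app-web/staging as well.
# Mistake: sending only the new grant, as if the endpoint were additive.
PARTIAL = {"app-web": {"staging"}}
# Correct: the complete desired state, existing grants included.
FULL = {"app-billing": {"dev", "staging", "prod"}, "app-web": {"dev", "staging"}}

if __name__ == "__main__":
    print("full    :", plan_access_change(CURRENT, FULL))
    print("partial :", plan_access_change(CURRENT, PARTIAL))
    try:
        check_plan(CURRENT, PARTIAL)
    except ValueError as exc:
        print("blocked :", exc)
```
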
Service-account-issued invites — Service accounts can now send organization invites. Invite emails and the acceptance page correctly attribute SA-originated invites, so the recipient sees who (or what) actually invited them.
Check out the Management API docs for the full reference.
Available in Console v2.69.0.
Audit Logs
A new org-wide audit log captures every management action across your Phase organization — apps created and deleted, environments reconfigured, roles updated, member access changed, service account tokens issued, network policies edited, and more. It's distinct from the existing secret event log (which captures per-secret reads and writes) and is built specifically for compliance, incident response, and "who changed what, when" questions.
Each event captures:
- Who — Actor type (member or service account), ID, and a snapshot of the actor's identity at write time, so the trail survives even if the actor is later removed from the org
- What — Event type (create / read / update / delete / access), resource type, resource ID, and a snapshot of the resource metadata
- Diff — Before/after JSON snapshots on updates, so you can see exactly which fields changed
- Context — IP address, user agent, and timestamp
In the Console, the new Audit Logs viewer supports infinite-scroll pagination, date-range filtering, filters by resource type, event type, and actor, expandable rows that show old → new value diffs, and clickable resource links that jump to the affected entity. Service account actors render with their proper SA name and icon — not a generic "user" placeholder.
Audit events fire on both the new REST endpoints and the existing GraphQL mutations, so the trail is complete regardless of how a change was made.
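One way to use the who / what / diff / context fields for triage, as an added example that is not Phase's own code. The JSON field names, resource type strings, and trusted networks are assumptions, since the page lists what each event captures but not the export schema.

```python
# Added example: flag audit events worth a second look and show what changed.
# All field names and resource type strings below are hypothetical.
import ipaddress

# Constructed sample events (documentation-range IP addresses).
EVENTS = [
    {"actor_type": "member", "actor_id": "m-1", "event_type": "update",
     "resource_type": "role", "resource_id": "r-9", "ip": "203.0.113.7",
     "old": {"name": "Developer", "permissions": ["secrets:read"]},
     "new": {"name": "Developer",
             "permissions": ["secrets:read", "members:update"]}},
    {"actor_type": "service_account", "actor_id": "sa-4", "event_type": "update",
     "resource_type": "environment", "resource_id": "e-2", "ip": "198.51.100.20",
     "old": {"name": "staging"}, "new": {"name": "stage"}},
    {"actor_type": "service_account", "actor_id": "sa-4", "event_type": "create",
     "resource_type": "service_account_token", "resource_id": "t-7",
     "ip": "192.0.2.55", "old": None, "new": {"name": "ci"}},
]

TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
SENSITIVE_TYPES = {"role", "service_account_token", "network_policy"}
WRITE_EVENTS = {"create", "update", "delete"}


def changed_fields(old, new):
    """Field-level diff of the before/after snapshots: {field: (old, new)}."""
    old, new = old or {}, new or {}
    keys = sorted(set(old) | set(new))
    return {k: (old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)}


def triage(events):
    """Return (resource_id, reasons, diff) for each event that needs review."""
    findings = []
    for ev in events:
        reasons = []
        if ev["resource_type"] in SENSITIVE_TYPES and ev["event_type"] in WRITE_EVENTS:
            reasons.append("sensitive-resource-change")
        addr = ipaddress.ip_address(ev["ip"])
        if not any(addr in net for net in TRUSTED_NETS):
            reasons.append("untrusted-ip")
        if reasons:
            diff = changed_fields(ev["old"], ev["new"])
            findings.append((ev["resource_id"], reasons, diff))
    return findings
```
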
Check out the Audit Logs docs for filter and retention details.
Available in Console v2.69.0.
All features are live on Phase Cloud and available in the latest releases for self-hosted users.
As always, we'd love your feedback — come say hi on Slack or GitHub.