Organizations¶

Organizations are the top-level tenant in Manifest Platform. Every resource -- workspaces, services, components, users, billing, and configuration -- belongs to an organization.

Organization Structure¶

graph TD
    Org[Organization] --> Settings[Settings & Branding]
    Org --> Users[Users & Roles]
    Org --> Billing[Billing & Credits]
    Org --> WS1[Workspace A]
    Org --> WS2[Workspace B]
    WS1 --> Env1[Dev Environment]
    WS1 --> Env2[Prod Environment]
    WS1 --> Components1[Components & Services]
    WS2 --> Env3[Dev Environment]
    WS2 --> Components2[Components & Services]

Organization Fields¶

Field	Description
`name`	Display name
`slug`	URL-safe identifier (unique across the platform)
`status`	`active`, `suspended`, or `archived`
`primary_domain`	Primary domain for SSO and branding
`industry`	Industry classification
`contact_email`	Primary contact
`billing_email`	Billing notifications
`support_tier`	`community`, `standard`, `premium`, or `enterprise`

Workspaces¶

Workspaces partition an organization's resources into logical groups. Common patterns include one workspace per product, per team, or per client engagement.

Creating a Workspace¶

Navigate to your organization in the console and click Create Workspace. Provide a name and optional description.

Workspace Isolation¶

Each workspace has independent:

Components -- agents, workflows, code blocks, hosted services
Connector instances -- database connections, API integrations
Deployments -- deployment rings and promotion history
LLM proxy settings -- workspace-specific model routing (when permitted by the org)

Resources in one workspace are not visible to users in another workspace unless the user has cross-workspace roles.

Environments¶

Environments are deployment targets within a workspace. They represent stages in your release pipeline.

Environment Tiers¶

Tier	Purpose
`dev`	Development and testing
`stage`	Pre-production validation
`prod`	Production traffic

Creating an Environment¶

Inside a workspace, navigate to Environments and click Create Environment. Provide a name, slug, tier (dev, stage, or prod), and deployment host.

Environment Configuration¶

Each environment can have its own:

Deployment host -- where code runs (localhost, cloudrun, aws)
Cloud credentials -- provider-specific deployment credentials (encrypted at rest)
Execution backend -- compute backend configuration

Cloud credentials per environment

You can configure different cloud projects for each environment. For example, use a development GCP project for dev and a production project for prod. This keeps test workloads isolated from production infrastructure.

Multi-Tenancy Model¶

Manifest Platform implements strict multi-tenancy at the database level:

Every database record carries an org_id column
All queries are scoped to the authenticated organization
Workspace resources are further scoped by workspace_id
Cross-tenant access is impossible by design

Tenant Hierarchy¶

Organization (org_id)
  └── Workspace (workspace_id)
       └── Environment (environment_id)
            └── Deployed Components

API paths reflect this hierarchy:

/api/v1/orgs/{org_id}/workspaces/{workspace_id}/hosted-services
/api/v1/orgs/{org_id}/workspaces/{workspace_id}/components/{type}
/api/v1/orgs/{org_id}/workspaces/{workspace_id}/deployments/rings

Managing Organization Settings¶

General Settings¶

Update organization details under Admin > Settings > General. You can change the organization name, industry, contact email, and billing email.

Branding¶

Customize the platform appearance for your organization under Admin > Settings > Branding. You can configure primary, secondary, and accent colors, as well as font family.

Security Settings¶

Setting	Description	Default
`require_mfa`	Require MFA for all users in the org	`false`
`allow_user_key_override`	Let users bring their own LLM provider API keys	`false`

Configure security settings under Admin > Settings > Security.

Banner Messages¶

Display organization-wide announcements under Admin > Settings > General. Configure the banner message, variant (info, warning, error), and whether it is dismissible.

API Keys¶

Organizations can create API keys for programmatic access. API keys are exchanged for short-lived JWT tokens.

Creating an API Key¶

Navigate to Admin > Settings > API Keys and click Create. Provide a name, description, and select the scopes the key should have access to.

The key value (prefixed with fl_) is shown only once after creation. Store it securely.

Authenticating with an API Key¶

Exchange the API key for a JWT:

PythonCLIcurl

Coming Soon

The Python SDK for local development is not yet publicly available.

from flow_sdk.cli_client import CLIClient

token = CLIClient.exchange_api_key(
    platform_url="https://api.flow.marut.cloud",
    api_key="fl_abc123...",
    ttl_minutes=60,
)

Coming Soon

The flow-sdk CLI is not yet publicly available.

flow-sdk login --api-key fl_abc123... --url https://api.flow.marut.cloud

curl -X POST \
  "https://api.flow.marut.cloud/api/v1/auth/token" \
  -H "Content-Type: application/json" \
  -d '{"api_key": "fl_abc123...", "ttl_minutes": 60}'

Subscriptions¶

Organizations have subscriptions that control access to platform features:

Field	Description
`product_name`	Name of the subscribed product
`status`	`active`, `trial`, `suspended`, `cancelled`, `expired`
`billing_cycle`	`monthly`, `annual`, or `custom`
`auto_renew`	Whether the subscription renews automatically
`trial_end_date`	End of trial period (if applicable)

Subscription management is handled through the admin interface or billing API. See Billing for credit-based usage tracking.

Gateway Trace Configuration¶

Control how much request tracing is captured for the organization:

Setting	Description	Default
`trace_mode`	`all`, `errors_only`, `sampled`, or `none`	`none`
`trace_sample_rate`	Sampling rate when mode is `sampled` (0.00 - 1.00)	`1.00`
`trace_retention_days`	How long trace data is retained	`30`

Configure tracing under Admin > AI Gateway or Admin > Settings.