Role
Owner
Full account access. Billing, plan changes, sites, everything. Limit one per account.
- Billing
- Add/remove sites
- Manage team
- All site access
Platform · Team access
Bring the team in.
Without sharing passwords.
Unlimited collaborators on every plan. Granular per-site roles, SSO, scoped SSH keys, and a full audit log of every action, so an agency, an in-house team or a freelancer network can work the same site without stepping on each other.
Unlimited
Collaborators
No per-seat charges, ever
5
Built-in roles
Plus custom on Agency plans
SSO
Google · GitHub · SAML
Single sign-on out of the box
Audit
Every action logged
Exportable to JSON / SIEM
Roles
Five built-in roles. Scoped per site.
A contractor working on one client site shouldn't see the other forty. Roles are assigned per site, not per account.
Role
Admin
Manages sites and team, no billing. Best for technical leads at agencies.
- Add/remove sites
- Manage team
- All site access
- No billing
Role
Developer
Full access to specific sites. SSH, WP-CLI, staging, restores.
- Scoped sites
- SSH + WP-CLI
- Staging + restores
- No team mgmt
Role
Editor
WordPress admin and panel read-only on assigned sites. For content teams.
- wp-admin SSO
- Read-only panel
- No SSH
- No deploys
Role
Viewer
Read-only access to metrics, logs and uptime, no write access at all. For client check-ins.
- Metrics
- Uptime
- Logs read-only
- No edits
Beyond the role list
The pieces that make team access actually work.
Unlimited collaborators
Add as many team members as you need on any plan. We don't charge per seat, your whole agency or in-house team can have access without bill shock.
Per-site role scoping
Roles are assigned per site, not per account. Give a contractor Developer access to one client site without exposing the rest of your portfolio.
SSO with Google & GitHub
Single sign-on via Google Workspace, Microsoft 365, and GitHub. SAML available on Agency plans for Okta, JumpCloud and custom IdPs.
Scoped SSH keys
Each developer adds their own SSH key, scoped to specific sites. Revoke an individual key without rotating shared credentials.
Full audit log
Every action, logins, deploys, restores, role changes, SSH sessions, is logged with actor, IP and timestamp. Exportable to JSON or your SIEM.
WP-admin SSO
Editors and Admins click through to wp-admin without a password. We pass identity via JWT so you can revoke access at the team layer, not WordPress's.
Vs. the usual suspects
Most hosts treat team access as an afterthought.
| Capability | WP Tango | Kinsta | WP Engine | Generic shared |
|---|---|---|---|---|
| Unlimited collaborators on every plan | ||||
| Per-site role scoping | ||||
| Google + GitHub SSO included | ||||
| SAML SSO (Okta etc.) | Agency | Enterprise | Enterprise | |
| Scoped SSH keys per developer | ||||
| Full audit log, exportable | ||||
| WP-admin SSO from panel |
Frequently asked questions
Team access, plainly explained.
Everything agencies and in-house teams ask before bringing the whole team in.
Built for teams
Stop sharing the admin password.
Unlimited collaborators, per-site roles, SSO, audit log, included on every plan.
∞
Collaborators
Per-site
Roles
SSO
Google · GitHub
12 mo
Audit log