> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ontora.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Workspaces

> How workspaces, members, and scoped data work in Ontora.

Every resource in Ontora — campaigns, transcripts, webhooks, API keys — belongs to a single workspace. Workspaces map 1:1 to Clerk organizations.

## Membership

Users are added to workspaces through Clerk. Roles:

| Role     | Can do                                            |
| -------- | ------------------------------------------------- |
| `admin`  | Manage members, manage API keys, full data access |
| `member` | Full data access within the workspace             |

API keys do not have a role — they have **scopes** (see [Authentication](/concepts/authentication)). Scope checks replace role checks for programmatic access.

## Listing your workspaces

Returns the workspaces the current user belongs to. Requires a Clerk JWT (not an API key).

```bash theme={null}
curl https://api.ontora.com/v1/workspaces \
  -H "Authorization: Bearer $CLERK_JWT"
```

```json theme={null}
[
  {
    "id": "ws_...",
    "name": "Acme Research",
    "role": "admin",
    "created_at": "2026-01-12T10:00:00Z"
  }
]
```

## Workspace isolation

There is **no cross-workspace data access**. Every API request, every webhook delivery, and every MCP tool call is scoped to a single workspace, derived from:

* The Clerk organization on the JWT, or
* The workspace bound to the API key at creation time.

Attempts to read or write data in a different workspace return `403 Forbidden`.
