Skip to main content
Updated May 10, 2026 The raff project command group manages projects — the access-control unit that owns every resource. See Team & Projects — Projects for the model.

Subcommand index

SubcommandWhat it does
listList every project in the account
getShow details for one project
createCreate a new project
updateRename or change description
deleteDelete an empty project
member list / get / add / update / removeManage project-scoped members

list

raff project list [--output table|json]
List every project the API key has visibility into. Owner-level keys see all; project-only keys see only their assigned projects.

get

raff project get <project-id> [--output table|json]
Show details for one project — name, description, default region, member count, created-at, the Default badge if applicable.

create

raff project create \
  --name <name> \
  [--description <text>] \
  [--default-region us-east]
Create a new project. Default region is us-east if omitted. Project names must be unique per account. 
raff project create --name "customer-acme" --description "ACME Corp's whitelabel deployment"

update

raff project update <project-id> [--name <new-name>] [--description <text>]
Rename or change the description. The project’s identifier and slug stay stable; automation referencing the project by UUID is unaffected.

delete

raff project delete <project-id>
Delete an empty project. Fails if any resources still belong to it. The Default project cannot be deleted, ever — see Edit or delete a project for the rules.

Member subcommands

raff project member manages project-scoped members. The project is taken from --project-id (global flag), RAFF_PROJECT_ID, or the active profile — same precedence as every other project-scoped command. Account Owners have implicit access via their account-level role and don’t need to be added explicitly. Alias: raff project members.

member list

raff project member list [--status pending|active|suspended] [--output table|json]
List members of the current project. Output columns: ID, EMAIL, STATUS, ROLE.

member get

raff project member get <member-id>

member add

raff project member add --role-id <project-role-uuid> \
  ( --target-user-id <uuid> | --api-key-id <uuid> )
Add an existing account user (or API key) to the current project. Required: --role-id plus one of --target-user-id / --api-key-id (mutually exclusive). For brand-new users, send an account invitation first via raff invitation create-account, or invite directly to a project via raff invitation create-project.

member update

raff project member update <member-id> \
  [--role-id <uuid>] [--status active|suspended]
Update a project member’s role or status. At least one flag must be provided.

member remove

raff project member remove <member-id> [--force]
Remove a member from the current project. Pass --force to skip the confirmation prompt. The member’s account-level access is unaffected.

Permission notes

CommandRequired permission
list, getaccount.projects.view (Owner, Admin, Member all have it)
createaccount.projects.create (Owner, Admin)
updateaccount.projects.manage (Owner, Admin)
deleteaccount.projects.delete (Owner only by default; Admin does NOT include this)
member list, member getproject.members.view (project-scoped)
member add, member update, member removeproject.members.manage (project-scoped — Project Admin)
If you get 403 Forbidden, the key’s role doesn’t include the permission for that action.

VM commands

Use —project-id to scope VM operations.

Roles, scopes, and the Owner

Why delete may 403 even on Admin keys.

Permissions matrix

Which role grants which account.projects.* permission.
Last modified on May 11, 2026