Updated May 8, 2026 The most-seen issues with Team & Projects on Raff and the fix for each. If your issue isn’t here, contact support@rafftechnologies.com with the affected member’s email or API key prefix, the exact error message, and what you’ve already tried.Documentation Index
Fetch the complete documentation index at: https://docs.rafftechnologies.com/llms.txt
Use this file to discover all available pages before exploring further.
Invitations
The invited member says they never received the email
The invited member says they never received the email
First, check the dashboard:
- Members tab → look for the row with the invited email. Its status should be
Pending(gray badge). If the row is missing, the invite wasn’t actually sent — re-send via Invite a member - If the row exists, the email left Raff’s side. The likely problem is delivery
- Spam / junk folder — search for
support@rafftechnologies.comornoreply@rafftechnologies.comin the recipient’s mailbox - Corporate email filter blocking unknown senders — recipient’s IT may need to allowlist
rafftechnologies.com - Typo in the email address — Members row shows what was actually sent. Cancel the invite and re-send with the correct email
- Disposable / role-based addresses (e.g.
info@,noreply@) — some mail servers reject these silently
- Members tab →
Pendingrow’s⋮→ Cancel Invitation — the old email’s link stops working - Click + Invite Member, enter the same email, send again — fresh token, fresh email
The invitation link says `Invitation expired`
The invitation link says `Invitation expired`
Pending invites have a fixed lifetime (typically a few days). If the recipient waited too long, the link is dead.Fix — the reinvite workflow:
- Members tab →
Pendingrow’s⋮→ Cancel Invitation (the old expired link is killed) - Click + Invite Member and send a fresh invite to the same email
The recipient already has a Raff account on this email
The recipient already has a Raff account on this email
No problem — accepting the invitation adds your account to their existing account list. They don’t create a new account, don’t pick a new password; they just see your account in the account-switcher dropdown after sign-in.They may need to sign in first (with their existing Raff credentials) and then click the invitation link, depending on the order of clicks.
Can I cancel a pending invitation?
Can I cancel a pending invitation?
Yes. Members tab →
Pending row’s ⋮ → Cancel Invitation. The link in the email stops working immediately. The row disappears from Members.Cancelling and re-inviting is the right pattern when you need to change the invite scope (Account vs Project) — the Invite dialog locks the scope choice once sent, so a fresh invite is the way to switch.Permission denied
A member can sign in but sees an empty Compute / Networking / Object Storage page
A member can sign in but sees an empty Compute / Networking / Object Storage page
Likely cause: they have an account role (so they can sign in and see account-level settings) but no project role on any project — so resources are invisible to them.The Account vs Project domains are independent on Raff. An
Admin account role doesn’t grant access to project resources; only project roles do. See Roles, scopes, and the Owner for the model.Fix: open the member’s row, expand it, click + Add to Project, pick the project they should access, pick the project role. They see resources on next page load.A member sees `403 — permission denied` on a specific action they expected to have
A member sees `403 — permission denied` on a specific action they expected to have
The member has a role, but the role doesn’t include the specific permission for that action.Diagnose:
- Find the member on the Members tab → expand their row → see their account role and per-project roles
- Open the Roles tab → click the eye icon on whichever role is being checked → look for the missing permission in the role-detail view
- The permission name follows
<domain>.<resource>.<action>(e.g.vm.delete,account.billing.manage)
- Promote them to a role that does include the permission (e.g.
Project Adminfor full project access) - Build a Custom role with the exact permission set you want and assign that
- For account-level permissions: change the account role; for project-level: change the role on that specific project
A member's permissions changed but the change isn't taking effect for them
A member's permissions changed but the change isn't taking effect for them
Role changes apply on the next API request the member makes. If they have a page open, they may continue to see stale state until they navigate or the page refreshes.Fix: ask the member to refresh the dashboard (Cmd-R / Ctrl-R) or sign out and back in. Their browser session state will reflect the new role.If a member is being demoted, they immediately lose access to anything the new role doesn’t include — open requests fail with
403. There’s no grace period.API requests with a key fail with 403 even though the key was working yesterday
API requests with a key fail with 403 even though the key was working yesterday
Three common causes:
- The role assigned to the key was edited — adding or removing a permission on the role propagates to every key using it
- The role assigned to the key was deleted — keys whose role was deleted fail closed
- The key was rotated or deleted — the old value stops authenticating immediately
raff_<first 8 chars> is shown). Confirm:- Is the key still listed? If not, it was deleted
- Has its
Last Usedfield updated recently? If not, it’s not authenticating - What’s the role assignment? Is the role still valid?
Owner and last-admin scenarios
The Owner has left the company / can't access the account anymore
The Owner has left the company / can't access the account anymore
Only one Owner per account, and the Owner can’t be removed via the dashboard.Fix: contact support@rafftechnologies.com with:
- Proof of authorization to make this change (often the Owner’s signed letter to the support team or board minutes for organizational accounts)
- The new Owner’s email (already a member of the account, ideally with
Adminaccount role)
`Cannot remove the last account.members.manage holder`
`Cannot remove the last account.members.manage holder`
The platform refuses to leave the account stranded with no one able to manage members.Fix: grant
account.members.manage to at least one other member first:- Via a System role (
Adminincludes it) - Or via a Custom account role with that permission enabled
I'm the only member-manager and I want to leave the team
I'm the only member-manager and I want to leave the team
Same rule as above — grant the permission to someone else first, then they remove you. If there’s no one else suitable, contact support to coordinate the handoff (e.g. transfer Owner to a new hire, or close the account if shutting down).
Can I have two Owners?
Can I have two Owners?
No — exactly one Owner per account. The closest equivalent is two members with the
Admin account role (Admin has 15 permissions vs Owner’s full 21, and excludes account.projects.delete and a few destructive ops). For most teams, two Admin members provide redundancy without an Owner conflict.API keys after a member leaves
A removed member's API key is still authenticating
A removed member's API key is still authenticating
Expected behavior, not a bug. API keys carry their own role assignment — removing the member who created the key does not invalidate the key.Fix as part of offboarding:
- Open the API Keys page
- Filter / sort by Created By to find keys owned by the departed member
- Rotate keys you want to keep (mints a new value, invalidates the old)
- Delete keys that are no longer needed
I rotated an API key but old systems are still trying the old value
I rotated an API key but old systems are still trying the old value
Rotation invalidates the old value the moment you confirm. If something is still trying it, the old value is hardcoded or cached somewhere.Diagnose:
- Search code repositories for the old prefix (
raff_<first 8>) — most leaks are committed values - Check secret-manager entries — was the rotation propagated to every system that uses the key?
- Check logs for
401 Unauthorizedfrom the old key — those are the systems still using it
I lost the full key value after the create dialog closed
I lost the full key value after the create dialog closed
Raff stores only a hash of the key — the full value is unrecoverable after you close the create dialog.Fix: rotate the key (Regenerate) — issues a new value with the same role/expiration. Copy this one immediately to your secret manager. The old (lost) value is invalidated by the rotation.
Roles and Custom-role pitfalls
I created a Custom role but I can't find it in the dropdown
I created a Custom role but I can't find it in the dropdown
Two scopes for roles — Account and Project. Custom roles only appear in the dropdown that matches their scope:
- Account-scoped Custom role → only in the Account Role dropdown
- Project-scoped Custom role → only in the Project Role dropdown
I edited a System role to add a permission and the change didn't save
I edited a System role to add a permission and the change didn't save
System roles cannot be edited. The toggles render in the role-detail view but submitting changes is blocked.Fix: click the row’s
⋮ → Duplicate to clone the System role into a Custom role. Edit the Custom role freely. Reassign affected members from the System role to the Custom one.A role I deleted shows up in audit logs but says `unknown role`
A role I deleted shows up in audit logs but says `unknown role`
Roles can be deleted while audit-log entries reference them. Audit-log readability is degraded after the role is gone (the entry says the action was authorized by role-id
<UUID> but can’t resolve to a name).Fix: there’s no recovery for deleted Custom roles. Recreate with the same name + same permissions if you need future audit-log entries to match. Old entries will continue showing the old role-id with no name.Projects
I can't see a project I know exists
I can't see a project I know exists
Project visibility is governed by your project roles. The project picker in the top bar only shows projects you have a role on.Fix:
- If you’re the Owner or have an account role with
account.projects.view— open Team & Projects → Projects tab to see every project regardless of project-role grants - If you’re a Project-only member — you only see projects on which you have a project role. Ask an account-role holder to add you to the project you need
I can't delete the Default project
I can't delete the Default project
The Default project cannot be deleted, ever. It’s the always-available fallback project for any resource created without an explicit project. The Delete option is hidden / disabled on its row.See Edit or delete a project for the full rule and workarounds.
I want to move a VM from one project to another
I want to move a VM from one project to another
Not supported today. Resources are scoped to their project at creation, and there’s no “move resource” action.Workarounds:
- Recreate the resource in the target project (snapshot + restore for VMs, copy-bucket for Object Storage)
- For VMs specifically: take a snapshot in the source project, restore the snapshot in the target project, then delete the source VM
Still stuck?
Email support@rafftechnologies.com with:- The affected member’s email or the API key prefix (
raff_<first 8 chars>— never include the full key) - The exact error message and the time it occurred
- What you tried from this page
- Whether this is a security incident (a leaked key, an unrecognized member sign-in, etc.) — these get prioritized
Related
Roles, scopes, and the Owner
The model behind the permission errors above.
Permissions matrix
Which role grants which permission.
Rotate an API key
The most common offboarding action.