Invite your team: admins and care partners with the right access

Who can send invitations?

The account owner can always invite. Admins can invite only if they hold the user management permission. That rule is enforced in the database itself, not just in the interface, so it holds everywhere invitations can be created, listed, or revoked.

User management is also treated as a sensitive action, which means it requires multi-factor authentication. The two roles you can invite are admin and care partner. The account owner role is not granted by invitation.

• Account owners can always invite; admins need the user management permission. Both rules are enforced in the database.
• Two roles can be invited: admin and care partner. The account owner role is not granted by invitation.
• Invitations go out by email, and the same accept link is shown to you to copy if the email does not arrive.
• The invitee must sign in with the invited email address, so a forwarded link cannot be claimed by anyone else.
• Links expire after 14 days and work once. Pending invitations can be revoked at any time.
• Owners and admins must use MFA, re-confirmed every 30 days. Care partner MFA is optional unless your church requires it.
• Every created, accepted, and revoked invitation is written to the audit log.

What can each role see and do?

The account owner sees everything in the church and is the only role that can manage billing. Admins see what their permission toggles allow, and the toggles are granular: access to people, care, groups and ministries, forms and reports, and analytics are each separate, as are user management, integrations, Collie (always advisory; it never sends on its own), sensitive submissions, data export, giving signals, and calendar connections. Giving someone forms access does not also hand them pastoral notes.

Care partners are scoped, not broad. They see only the people assigned to them through a direct, household, group, or ministry care assignment, and they can log care for those people. That boundary is enforced in the database, so a care partner browsing the app simply does not receive records outside their assignments. Church-wide settings remain owner and admin surfaces.

How do I send an invitation?

Go to Settings and find the People & access section. Enter the person's email address, pick the role (care partner is the default), and add an optional display name for how they will appear in your church. Then create the invite.

FlockConnect emails the invitation for you and also shows you the same accept link to copy. If email is not configured or the send fails, it says so plainly and you can share the link yourself. FlockConnect stores only a fingerprint of the link's secret, never the link itself, so the database does not contain usable invitation links.

What happens when they accept?

The link opens an invitation page where your invitee signs in, or creates an account, using the email address that received the invite, and then clicks Accept. The email has to match the invitation exactly, so a link that gets forwarded or leaked cannot be claimed by anyone except the person you invited.

On accept, FlockConnect connects their account to your church with the role you chose and creates a person record for them. Each link works once. An invitation that has already been accepted cannot be used again, and accidentally inviting someone who is already on your team will not create a duplicate.

Where does multi-factor authentication fit?

Owners and admins must enroll in MFA, and FlockConnect re-confirms the verification every 30 days. A newly invited admin should expect to set up MFA right after accepting, before working in the app, and an owner or admin whose verification has gone stale is redirected to the MFA step before continuing.

Care partner MFA is optional by default. Your church can require it for care partners too with a single setting, and when that setting is on, care partners pass through the same MFA step.

How do expiry and revocation work?

Every invitation link expires 14 days after it is created. An expired link stops working for anyone who follows it. If a link lapses, just send a fresh invitation.

You can revoke any pending invitation from the list under People & access, and a revoked link stops working from that moment. Revoking is the right move whenever an email went to the wrong address or you change your mind about a role.

What gets recorded?

The invitation list shows each invite's status, pending, accepted, revoked, or expired, along with when it was created and when it expires. Beyond the list, every created, accepted, and revoked invitation writes an audit entry recording who acted, the invited email, the role, and the new status.

Those events also appear in each person's own security history under Settings, alongside their MFA and permission events. So the trail is not just for the owner: a new team member can see when they accepted, and an admin can see the invitations they sent.