Account Delegation and Acting on Behalf
How trusted delegates accept invitations, start and stop acting sessions, use baseline and payout scopes, and understand direct-session-only boundaries.
Account Delegation and Acting on Behalf
Where you see this in the app
Delegation controls live at Settings -> Delegation.
Use delegation when a trusted person should operate your account in the browser without sharing your password, email inbox, Stripe login, or private credentials.
The page has four main areas:
| UI area | What it is for |
|---|---|
Invite a delegate | Let another signed-in user act for your account |
Accept invitation | Accept or reject a delegation token sent to you |
Delegates for this account | See and revoke people who can act for you |
Accounts you can act for | Start acting for an account that invited you |
Principal, actor, and session meaning
Delegation uses two identities:
| Term | Plain-English meaning |
|---|---|
| Principal | The account being acted for |
| Actor | The signed-in person doing the work |
When an actor starts acting, the browser session behaves like the principal for ordinary product flows. The app still keeps actor metadata so the session can be shown as delegated and stopped later.
Delegation is a browser-session feature. It is not PAT impersonation, and it does not turn the actor into the direct owner of the principal's account.
Inviting and accepting
The account owner invites a delegate by email. The owner can optionally allow payout management when creating the invite.
If email delivery is available, GetPaidX sends the invitation. The page can also show a token/acceptance path for manual sharing.
The invited user signs in as their own account, enters the token, and chooses to accept or reject the invitation. Accepted grants appear under Accounts you can act for; pending or accepted grants for your account appear under Delegates for this account.
An owner can revoke a grant later. Revocation removes the actor's ability to start new delegated sessions for that account.
Delegation scopes
V1 delegation has a baseline permission plus one elevated permission.
| Scope label | What it allows |
|---|---|
account.delegate | Ordinary account, workspace, organization, billing, checkout, profile, and content flows where the principal is allowed |
payouts.manage | Stripe Connect and payout identity flows that explicitly allow delegated payout management |
The UI may show friendlier labels, but these scope names are useful when troubleshooting permission messages.
Credential custody is not part of V1 delegation. Workspace secrets, OAuth client configs/connections, external-channel credentials, PATs, webhooks, delegation management, and platform admin actions still require a direct owner/admin session.
What delegates can do
A delegate with the baseline permission can generally use ordinary browser product flows for the principal, including:
- profile and content work,
- workspace and post workflows,
- checkout and AI-credit flows,
- organization billing workflows where the principal is allowed,
- buyer/subscription-style account actions that do not require direct-owner custody.
If the grant also includes payout management, the delegate can access payout-oriented surfaces that explicitly accept payouts.manage.
Delegation does not bypass normal access checks. If the principal could not use a workspace, organization, or billing action directly, the delegated session should not unlock it just because an actor is operating the browser.
Direct-session-only areas
Some areas deliberately require the real account owner or a direct platform admin session.
Direct-session-only areas include:
- creating or revoking delegation grants,
- platform admin,
- personal access tokens and webhooks,
- workspace secrets,
- OAuth client configs and connections,
- external-channel credentials,
- credential custody flows reserved for a future delegation slice.
If you see a message that a direct session is required, stop acting and sign in directly as the owner account that controls the setting.
Starting and stopping acting
Use Start acting from Accounts you can act for to enter a delegated session.
While acting, the page shows a Currently acting panel with the principal account and granted scopes. Use Stop acting before:
- switching to a different delegated account,
- creating or revoking delegation grants,
- managing direct-session-only credential settings,
- returning to your own account's normal browser session.
Nested delegated sessions are not supported. Stop the current delegated session before starting another one.
Related docs
Previous
Organizations, Billing Groups, and Pro Seats
How organization rosters, roles, invitations, shared AI-credit wallets, org-billed usage, Pro seat subscriptions, and seat assignments work.
Next
Custom Domains and Branded Hosts
How branded hosts are requested, what the DNS and Bind steps mean, and what changes once your domain is live.