Core concepts
Understand the ScopeHold object model: billing account, workspace, project, provider, secret, member, agent, role, grant, and audit event.
Updated May 22, 2026
ScopeHold keeps commercial ownership, operational scoping, and direct secret access separate. That separation is what lets a small team move quickly without sharing raw credentials in chat or local files.
- Billing account: The commercial container for plan, seats, billing, workspace limits, and billing admins.
- Workspace: The top-level operational boundary. A workspace contains projects, members, agents, providers, secrets, and audit events.
- Project: An operating area inside a workspace. Project-scoped resources are isolated from sibling projects.
- Provider: A namespace for an external system such as Supabase, GitHub, Stripe, Cloudflare, or a generic credential group.
- Secret: An encrypted credential value under a provider, such as an API key or login credential.
- Member: A human with access to a workspace or project. Members are managed in the main app access surfaces.
- User: A billable human under a plan or billing account. Use this term for seats, pricing, and billing surfaces.
- Agent: A non-human runtime identity that can be assigned to projects, receive roles, and resolve directly granted secrets.
How scope works
- Workspace resources can be made available across the workspace and assigned into projects.
- Project resources belong to one project and do not leak into sibling projects.
- Agents belong to projects and only resolve secrets they can see and have been directly granted.
- Audit events are scoped to the selected project or workspace view so the page title matches what is being displayed.
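The scoping rules above can be read as two independent checks, visibility and direct grant, that must both pass before an agent resolves a secret. The following is an added illustration, not ScopeHold's API or code: every class, field, and function name is hypothetical, the sample data is constructed, and it assumes a workspace-level secret becomes visible in a project only once it is assigned into that project.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the scoping rules on this page; not ScopeHold's API.

@dataclass(frozen=True)
class Secret:
    name: str
    provider: str
    workspace: str
    project: Optional[str] = None               # set => project-scoped resource
    assigned_projects: frozenset = frozenset()  # used by workspace-level resources

@dataclass
class Agent:
    name: str
    workspace: str
    projects: set
    grants: set = field(default_factory=set)    # names of directly granted secrets

def visible(agent, secret):
    """Scope check: is the secret inside the agent's workspace and projects?"""
    if agent.workspace != secret.workspace:
        return False
    if secret.project is not None:              # project resource: no sibling access
        return secret.project in agent.projects
    # Workspace resource: visible only where it has been assigned (assumption).
    return bool(secret.assigned_projects & agent.projects)

def explain(agent, secret):
    """Return 'allow' or the first failing check, in audit-record style."""
    if not visible(agent, secret):
        return "deny: out of scope"
    if secret.name not in agent.grants:
        return "deny: no direct grant"
    return "allow"

def can_resolve(agent, secret):
    """Resolution requires visibility AND a direct grant; neither is enough alone."""
    return explain(agent, secret) == "allow"

# Constructed sample data.
STRIPE = Secret("stripe-key", "Stripe", "acme", project="billing")
GITHUB = Secret("gh-token", "GitHub", "acme", assigned_projects=frozenset({"web"}))
BOT = Agent("deploy-bot", "acme", {"web"}, {"gh-token", "stripe-key"})
LINT = Agent("lint-bot", "acme", {"web"})

if __name__ == "__main__":
    for a in (BOT, LINT):
        for s in (STRIPE, GITHUB):
            print(a.name, s.name, explain(a, s))
```

In this model a grant on `stripe-key` does nothing for `deploy-bot` because the secret lives in a sibling project, and `lint-bot` can see `gh-token` but cannot resolve it without a direct grant.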