GetPaidX docs

The end-user manual for public and signed-in product features.

Search docs

Keyword search across docs titles, summaries, headings, and curated keywords.

API and Account ControlsUpdated 2026-06-13

Account Delegation and Acting on Behalf

How trusted delegates accept invitations, start and stop acting sessions, use baseline and payout scopes, and understand direct-session-only boundaries.

Account Delegation and Acting on Behalf

Where you see this in the app

Delegation controls live at Settings -> Delegation.

Use delegation when a trusted person should operate your account in the browser without sharing your password, email inbox, Stripe login, or private credentials.

The page has four main areas:

UI areaWhat it is for
Invite a delegateLet another signed-in user act for your account
Accept invitationAccept or reject a delegation token sent to you
Delegates for this accountSee and revoke people who can act for you
Accounts you can act forStart acting for an account that invited you

Principal, actor, and session meaning

Delegation uses two identities:

TermPlain-English meaning
PrincipalThe account being acted for
ActorThe signed-in person doing the work

When an actor starts acting, the browser session behaves like the principal for ordinary product flows. The app still keeps actor metadata so the session can be shown as delegated and stopped later.

Delegation is a browser-session feature. It is not PAT impersonation, and it does not turn the actor into the direct owner of the principal's account.

Inviting and accepting

The account owner invites a delegate by email. The owner can optionally allow payout management when creating the invite.

If email delivery is available, GetPaidX sends the invitation. The page can also show a token/acceptance path for manual sharing.

The invited user signs in as their own account, enters the token, and chooses to accept or reject the invitation. Accepted grants appear under Accounts you can act for; pending or accepted grants for your account appear under Delegates for this account.

An owner can revoke a grant later. Revocation removes the actor's ability to start new delegated sessions for that account.

Delegation scopes

V1 delegation has a baseline permission plus one elevated permission.

Scope labelWhat it allows
account.delegateOrdinary account, workspace, organization, billing, checkout, profile, and content flows where the principal is allowed
payouts.manageStripe Connect and payout identity flows that explicitly allow delegated payout management

The UI may show friendlier labels, but these scope names are useful when troubleshooting permission messages.

Credential custody is not part of V1 delegation. Workspace secrets, OAuth client configs/connections, external-channel credentials, PATs, webhooks, delegation management, and platform admin actions still require a direct owner/admin session.

What delegates can do

A delegate with the baseline permission can generally use ordinary browser product flows for the principal, including:

  • profile and content work,
  • workspace and post workflows,
  • checkout and AI-credit flows,
  • organization billing workflows where the principal is allowed,
  • buyer/subscription-style account actions that do not require direct-owner custody.

If the grant also includes payout management, the delegate can access payout-oriented surfaces that explicitly accept payouts.manage.

Delegation does not bypass normal access checks. If the principal could not use a workspace, organization, or billing action directly, the delegated session should not unlock it just because an actor is operating the browser.

Direct-session-only areas

Some areas deliberately require the real account owner or a direct platform admin session.

Direct-session-only areas include:

  • creating or revoking delegation grants,
  • platform admin,
  • personal access tokens and webhooks,
  • workspace secrets,
  • OAuth client configs and connections,
  • external-channel credentials,
  • credential custody flows reserved for a future delegation slice.

If you see a message that a direct session is required, stop acting and sign in directly as the owner account that controls the setting.

Starting and stopping acting

Use Start acting from Accounts you can act for to enter a delegated session.

While acting, the page shows a Currently acting panel with the principal account and granted scopes. Use Stop acting before:

  • switching to a different delegated account,
  • creating or revoking delegation grants,
  • managing direct-session-only credential settings,
  • returning to your own account's normal browser session.

Nested delegated sessions are not supported. Stop the current delegated session before starting another one.

Related docs

    Account Delegation and Acting on Behalf | GetPaidX docs | GetPaidX