Access Control & Permissions

The Account & Security section defines how your identity is represented in Origin, how teams are managed, and how billing and usage are tracked.

These settings do not change how agents write code or how sessions execute. Instead, they define who can access what, how credits are consumed, and how your team is organized.

The Settings sidebar contains eight sections:

• Profile: personal identity and email settings
• Security: passkeys and hardware security keys
• Team: team name, members, and invitations
• Team Billing: credits, plans, and billing history
• Team Usage: resource consumption and cost breakdown
• Referrals: referral link and reward tracking
• GitHub: GitHub connection and repository access
• Projects Trash: deleted projects available for restoration
• Notifications: delivery preferences and notification family toggles

Profile

The Profile page manages your personal identity and email settings inside Origin.

Here you can update:

• Your avatar (maximum 5 MB)
• Your display name

Your display name appears throughout the platform: in tasks, sessions, accepted diffs, and team member lists. If multiple developers are collaborating on the same project, this is how activity is attributed.

Linked Emails shows the email address associated with your account, along with its verification status and authentication method (for example, OAuth via GitHub). Email is managed through your authentication provider. To change it, update it in your provider's settings and sign in again.

The Danger Zone allows permanent deletion of your account and all associated data. This action cannot be undone.

Security

The Security page manages passkeys and hardware security keys for passwordless sign-in.

Registered Security Keys

The Registered Security Keys section lists all passkeys and hardware security keys currently linked to your account. When no keys have been added yet, it shows an empty state prompting you to register one.

Registering a Security Key

Click + Register Security Key to add a new key. This opens the registration flow where you can give the key an optional name (for example, "MacBook Touch ID" or "YubiKey 5") to identify it later, then complete registration through your identity provider.

Supported key types include:

• Passkeys: device-based authentication such as Touch ID, Face ID, or Windows Hello
• Hardware security keys: physical keys such as a YubiKey

Once registered, the key appears in the Registered Security Keys list and can be used for passwordless sign-in.

Team Settings

Every project in Origin belongs to a team, which defines collaboration boundaries.

From Team Settings, you can:

• Edit your team name
• View and manage members
• Manage pending invitations

Members

The Members list shows each person on your team along with their role and email. You can invite new users by email directly from this page using the Invite button.

Pending Invitations

Invitations that have been sent but not yet accepted appear under Pending Invitations. You can revoke any pending invite from this view if access is no longer needed before the person joins.

Deleting a Team

The Danger Zone allows permanent deletion of the team and all associated projects. This action is irreversible.

Team Billing

The Team Billing page manages your credit balance and usage costs.

It shows:

• Your current billing model (usage-based)
• Team member count and platform access status
• Origin Credits balance, how many have been used and how many remain

From this page you can:

• Add Credits: purchase a one-time credit pack for new runs, workspaces, and trials
• Redeem a Voucher: apply a voucher code to add credits to your current balance

Recent Activity shows the latest credit purchases, redemptions, and usage events, with timestamps and credit amounts per event.

Team Usage

The Team Usage page lets you monitor resource consumption across your team.

It displays:

• Agent runs, sessions, total tokens, and total cost over the last 30 days
• Token Consumption by Project: a time-series chart of tokens used per project, filterable by the last 7 days
• Workspace Runtime: a breakdown per project showing resources (CPU/GB), hours, hourly rate, and total cost
• Sandbox Costs: billing details for sandbox usage once workspaces have been active

Referrals

The Referrals page tracks your invite activity and rewards.

It shows:

• How many of your invites have been used out of your total capacity
• Pending, successful, and total reward counts

Each account gets a unique referral link you can copy and share. Rewards are earned for each successful referral that completes onboarding.

Referral Activity lists the accounts that joined using your link along with their current status.

GitHub

The GitHub page manages your GitHub connection and controls which repositories Origin can access.

Two options are available:

App Permissions: opens a modal to review and manage which repositories the GitHub app can access for your personal account and any organizations you belong to.

GitHub Settings: opens your GitHub app settings directly on GitHub in a new tab.

Managing Repository Access

The App Permissions modal shows:

• An Organization dropdown to switch between your personal account and any GitHub organizations
• The currently selected Account with a connected status indicator
• Current Permissions listing all repositories the app has access to, including private repositories, each shown with a green checkmark

Repository access is controlled through GitHub app settings directly, it cannot be changed from within Origin. The modal provides a GitHub Settings button to open the relevant GitHub page.

If you need to install the app on an additional organization, use the Install on Another Organization button at the bottom of the modal.

Projects Trash

The Projects Trash page contains deleted projects.

Projects moved to trash can be restored at any time. If a project was accidentally deleted, restoration brings it back without requiring a full reimport.

Notifications

The Notifications page controls which events are stored, surfaced in the bell, and how they are delivered.

Delivery

Two delivery options are available:

• Browser notifications: sends notifications to your browser. This requires browser permission, which you can grant directly from this page. Once granted, a "Granted" badge appears next to the toggle.
• Notification sound: plays a subtle tone when new notifications arrive in-app. Sound is only available in-app and does not apply to browser notifications.

Each option can be toggled on or off independently.

Notification Families

Notification families let you control which categories of events you receive. Disabling a family stops it from being stored or delivered in real time, events in that family are dropped entirely.

The available families are:

• Agent Run: fires when an OpenCode or Copilot session completes or fails. This notification fires on session completion, so the tab does not need to stay open for you to receive it.
• Credits: sends low balance alerts so you are aware before a run pauses mid-task due to insufficient credits.
• BetterStack Diagnostics: covers scheduled and manual log scans from BetterStack.
• Security Scan: notifies you about Shannon pentest pipeline results for the repository.

Each family has its own toggle. Families that are turned off will not appear in the bell or trigger any delivery.

History

The History section shows past notifications. You can filter by All or Unread, and further narrow by notification family using the All families dropdown. Opening the bell does not automatically mark notifications as read, read state is always set manually. Use Mark All Read to clear the unread count at once.

Team Membership and Project Access

For any project interaction to succeed:

1. You must be authenticated.
2. You must belong to the team that owns the project.

If either condition is not met, the action cannot proceed. If your session expires, you must reauthenticate before continuing work.