Removing team members

How to remove a member from your ADO Pilot org, the 24-hour stale-session window, and why you cannot remove yourself.

Last updated

Admins remove members from the Team settings page. The removed user's membership is deleted immediately, but an already-signed-in browser session can remain valid for up to 24 hours. You cannot remove yourself.

ADO Pilot has three organization roles. The Role permissions card on the Team settings page in the dashboard shows each role's description.

  • Admin — Full access to all settings, billing, team management, and repository configuration.
  • Member — Can view reviews. Cannot configure repository settings, change organization settings, manage members, or change notification settings.
  • Viewer — Read-only access to review history and repository status. Cannot change settings.
CapabilityAdminMemberViewer
View dashboard, reviews, and findingsYesYesYes
View repository status and integration pageYesYesYes
View team membersYesYesYes
View pending invitesYesNoNo
View billing and subscriptionYesYesYes
Configure repository settingsYesNoNo
Change notification settingsYesNoNo
Test webhooksYesNoNo
Invite team membersYesNoNo
Cancel pending invitesYesNoNo
Remove team membersYesNoNo
Start Stripe checkoutYesNoNo
Open the Stripe billing portalYesNoNo
Change the overage capYesNoNo

Remove a member

    Step 1 — Open the Team page

    In the dashboard, go to Settings → Team.

    Step 2 — Find the member

    Locate the row in the Members list. Double-check the email — a confirmation dialog will ask you to confirm before the removal takes effect.

    Step 3 — Open the row's action menu

    At the end of each member row is a three-dot dropdown trigger (the icon). Click it to open the action menu, then choose Remove member. A confirmation dialog ("Remove [member name]?") appears — click Remove member to confirm or Cancel to abort. Once confirmed, access is removed immediately and cannot be undone. The user account itself is preserved on a successful removal so review history and audit logs stay intact.

What changes immediately

As soon as removal succeeds:

  • Their membership row is deleted and the org pointer on their account is cleared, so a fresh sign-in has no org to land in. An already-open browser session is not invalidated immediately — see The 24-hour stale-session window below.
  • Removing a member has no effect on billing. ADO Pilot bills by monthly review credits (RCs), not by the number of team members — see Plan tiers.
  • They no longer appear in the Team page or in audit lists for this org.

Removal affects only this org. It doesn't touch the person's underlying ADO Pilot account, which they're still free to use to sign in to — or later join — a different org.

The 24-hour stale-session window

ADO Pilot's portal authenticates with a JWT-strategy session whose maxAge is 24 hours. A removed user retains their session for up to 24 hours from when they last signed in — not from the moment of removal — and the role and org membership baked into the JWT are not re-validated on every request. In the worst case the cookie is brand-new at removal time and stays valid for nearly the full 24 hours; if they signed in earlier in the day, the remaining window is correspondingly shorter.

In practice this means:

  • A removed user's open browser tab can still load pages it has already cached and replay requests that the server-side authorization layer happens to allow.
  • A removed member or viewer still gets the usual 403 on admin-only mutations, since their JWT no longer carries an admin role. A removed admin, however, keeps their admin role baked into the JWT and can still perform admin actions on this org until the session expires — which is exactly why an emergency lock-out needs the IdP step below, not just removal from ADO Pilot.
  • Once the user signs out, closes the tab, or hits the 24-hour expiry, they can no longer access this org. A fresh sign-in still succeeds — the account itself is not disabled — but finds no membership record, so it lands in the signed-in-but-no-org state instead of this org's dashboard.

You cannot remove yourself

In the dashboard, the Remove member option is greyed out for your own row, so you can't start this action there. The remove endpoint also refuses it server-side as a backstop: whether a direct API call targets your own user ID or the literal sentinel self, the response is:

  • HTTP 400
  • Body: { "error": "Cannot remove yourself" }

This is intentional — leaving an org with no admins would lock everyone out of billing and team management. To leave the org yourself, ask another admin to remove you. If you are the only admin, you cannot remove yourself — first promote another member to admin using the Change role option in the three-dot action menu, then ask them to remove you (or remove yourself once you are no longer the last admin). Contact ADO Pilot support if you need further help restructuring your org's admin access.

Last-admin protection

In the dashboard, Remove member (and Change role) are greyed out for the last remaining admin's row, so you can't start the action there either. Attempting it directly against the API returns an error:

  • HTTP 409
  • Body: { "error": "Cannot remove the last admin" }

At least one admin must remain in the org at all times. To remove the last admin, first promote another member to admin using the Change role option in the three-dot action menu, then remove the original admin.

Re-adding a removed member

A removal is final but not permanent — you can invite the same email back at any time. See Inviting team members. The new invite creates a fresh membership row when accepted; prior review history attributed to that user remains in your org's audit trail under their original user ID.