Invite users by email
Email invitations let you add users to your tenant without connecting an SSO directory. Use email invites for early-stage rollout, external contractors, or anyone not covered by your identity provider.
Sending invitations
Section titled “Sending invitations”- Open the Users page.
- Click Add users (top-right).
- Select the Invite tab.
- Enter one or more email addresses, separated by commas or newlines.
- (Optional) pre-fill:
- Role — default is User. Pick a higher role now if you want to avoid a follow-up change.
- Department — free-text string attached to the User record for analytics grouping.
- Click Send invitations.
Each invitation creates an Invitation row on the backend with:
- The email you entered
- The role and department (if you set them)
- A single-use token
- An expiry timestamp 7 days from now
Each invitee receives an email with a link:
https://app.inpolicy.ai/auth/accept-invitation?token=…What the invitee sees
Section titled “What the invitee sees”- They click the link. No sign-in required to open it.
- They see an Accept invitation page with a password form.
- They set a password and click Accept.
- Their user record moves from
PENDINGtoACTIVE. - They’re signed in and land on the policies list.
Invitees can also sign in via SSO later if your tenant supports it — their email is the primary key, so once a Google Workspace account with the same email signs in, the existing user record is reused.
Managing pending invitations
Section titled “Managing pending invitations”Pending invitations show up on the Users page filtered to status Pending. From each row, you can:
- Resend the invitation email — useful if the original went to spam or was missed.
- Revoke the invitation — invalidates the token. The invitee’s link will show “Invitation expired.”
Pending invitations automatically expire after 7 days. Expired invitations remain in the list (so you can see who was invited and never accepted) but the token no longer works.
There is no dedicated Invitations page yet — pending invites are managed from within the Users list filter. That’s on the roadmap.
Bulk invite
Section titled “Bulk invite”Paste up to 100 emails at once into the Invite modal. The form validates format and de-dupes against existing users before sending.
If any emails are already associated with an active user on your tenant, the modal highlights them and won’t send a duplicate invitation.
Invitation vs. SSO directory import
Section titled “Invitation vs. SSO directory import”You have two ways to add users:
| Invitation | SSO import | |
|---|---|---|
| Requires the user to act | Yes — click a link and set a password | No — admin selects users from directory |
| Works for users outside your Google/Microsoft org | Yes | No |
| Uses SSO for sign-in | Only if email matches SSO domain | Yes |
| Handles onboarding at scale | OK up to ~100 | Better for 100+ |
| Good for external contractors | ✓ | ✗ |
For a medium-to-large rollout, connect SSO and import users from your directory. For early-stage or mixed fleets, email invitations are simpler.
Gotchas
Section titled “Gotchas”- Tokens expire after 7 days. There’s no way to extend an existing token — resend the invitation, which issues a new one.
- Tokens are single-use. If an invitee clicks their link, accepts, and then clicks the link again later, they’ll see an “already used” error. That’s expected — tell them to sign in normally at
app.inpolicy.ai. - You can’t invite an existing user. If the email already exists on your tenant, the invite is rejected. Change their role on the Users page instead.
- Emails go out via the same transactional mail provider that handles SSO and password-reset emails. If invites aren’t arriving, check your org’s spam filters first, then contact support.
- Revoking doesn’t delete an already-accepted invitation. Once accepted, the user exists and must be deactivated or deleted from the Users page, not the invitations list.
Related
Section titled “Related”- Users and roles
- Directory sync — the alternative, better-at-scale path