Share the whole sandbox
A teammate can read everything in the sandbox, run any agent, and (if you trust them) build new agents and sources alongside you. Right when they’re collaborating on the whole context.
Share one agent
Let a teammate, an end user, or an embedded widget run one specific agent without seeing anything else.
Roles in a shared sandbox
Every sandbox has one owner. When you share it, the people you invite get one of two roles:| Role | What they can do |
|---|---|
| Owner (you) | Everything — read, run, build, archive, delete. |
| Editor | Read everything, run any agent, build new agents and sources. Cannot destroy. |
| Viewer | Read everything, run any agent. Cannot change anything. |
What collaborators bring with them
When someone joins your sandbox, they sign in with their own Copass identity. That means:- Their connected integrations (their Slack, their GitHub, their Gmail) stay theirs.
- The shared sandbox shows up in their account alongside their own work, with the role tag visible.
- They can collaborate on your sandbox in their morning, and on their own in the afternoon, without juggling tokens.
What stays separate
Sandbox sharing is about human collaborators. Two adjacent concepts that look similar but aren’t:- End users of your app — the individual humans your application serves, identified inside one sandbox by
endUserId. Different problem; different docs. See Multi-tenancy. - Provider portability — switching the agent runtime between Anthropic and Google has nothing to do with who can access the sandbox. See Portable Context.
endUserId is between the users of your application.
Next steps
- Sharing context — what it’s like to invite a teammate into a sandbox.
- Sharing agents — invoke and delegate keys, and when each one fits.
- Concierge — the natural-language way to invite, list, and revoke.