Subuser Management
Applies to: Organization (top-level user) Updated: 2026-07-02
Subusers are the callers under an organization. This article explains how an organization creates and manages subusers, sets their business identity and quota limits, and how a subuser's Keys and usage are aggregated.
For the capability boundaries of subusers, see Roles & Permissions Matrix; for the three-tier relationship, see Three-Tier Account Hierarchy.
1. What Is a Subuser
In the new console, a subuser is a usage entity under the Organization (top-level user). A subuser holds a Key to call models, and its consumption is charged to the organization balance pool. A subuser corresponds to a "team member" in the legacy console.
- A subuser can log in to the console, but its menu is narrowed to 5 items: Dashboard, API Keys, Call Guide, Usage Records, and Profile
- A subuser shares the organization balance pool; its consumption always deducts from the organization's (parent account's) balance
- The organization can set a quota limit for each subuser, capping its consumption
Prerequisite: You are already an Organization (top-level user). Only an organization account can access Subuser Management.
2. Feature Entry
After the organization logs in to the console, go to the left navigation bar → Subuser Management (/sub-users).
Once inside, you can see a list of all subusers under this organization. In the user list, subusers are tagged with a "Subuser" label to distinguish them from the organization itself.
3. Creating a Subuser
Steps
- On the Subuser Management page, click the "Create Subuser" entry
- In the dialog that pops up, fill in the business identity and quota information
- Confirm and submit; the list refreshes automatically, and the new subuser appears in it
Field Descriptions
| Field | Required | Description |
|---|---|---|
| Account name | Yes | Used to distinguish different subusers |
| Yes | For contact / identification | |
| Note | No | Free text, convenient for labeling purpose |
| Quota limit | No | The consumption cap for the subuser; see Section 5 |
Business Rules
- Currently there is no uniqueness check on account name / email within the same organization, so agree on a naming convention yourself to avoid confusion
- Newly created subusers automatically belong to the current organization
- After a subuser is created, it must complete registration with an activation code before it can log in (see Section 4)
4. Subuser Registration via Activation Code
Subusers do not register through the public registration page; instead, the organization creates them and they complete registration with an activation code:
- After the organization creates a subuser on the Subuser Management page, it obtains that subuser's activation code (the exact way to obtain and distribute it follows the actual console interface)
- Send the activation code to the corresponding member through a secure channel
- The member visits the activation page and, using the activation code, completes registration and sets login credentials
- Once activated, the member can log in to the console and access the narrowed 5-item menu
Communicate the activation code through a secure channel to avoid it being used by unauthorized people.
5. Setting a Quota Limit for a Subuser
The organization can set a quota limit when creating or editing a subuser, capping that subuser's consumption. A few key points for understanding quota:
- Quota is an allowance, not money: money is topped up uniformly to the organization balance pool; the quota limit only determines how much a subuser can spend at most
- Actual deduction is from the organization balance: when a subuser makes a call, what is actually deducted is the balance of its organization (parent account); the quota is only a cap
- Multiple Keys share the same quota limit: if a subuser has multiple Keys, those Keys share the same quota limit (i.e., the cumulative consumption count against the quota limit), rather than each Key being counted separately
- When the quota is exhausted, all Keys under the subuser are rejected together: once a subuser's quota is exhausted, all Keys under it will be rejected, not just one
For the full explanation of funds and quota, see Balance Management & Quota Allocation.
6. Managing Existing Subusers
In the subuser list, the organization can perform the following management on subusers:
6.1 Edit
Modify the subuser's account name, email, note, quota limit, and other information.
6.2 Disable / Enable
- After disabling, the subuser cannot log in or use services, and all Keys under it are also stopped
- After enabling, it returns to normal
- Disabling is one effective way to restrict a subuser's calls (another is to lower / exhaust its quota limit)
6.3 View Keys and Usage
The organization can view, for each subuser on the Subuser Management page:
- Keys under it: a subuser can create its own Keys (see Section 7), and the organization can also create and distribute them on its behalf; the organization can view the subuser's Key list
- Usage: the subuser's call usage and consumption
6.4 Delete
- After deletion, the subuser is removed from the organization
- ⚠️ Usage aggregation after deletion: after a subuser is deleted, its historical usage is aggregated to its organization and is no longer retained separately at the user level. If you need to keep per-user usage details, export or reconcile them before deletion.
7. Subuser Keys: Self-Service Creation Allowed
A subuser can create its own API Keys, and the organization can also create and distribute them on its behalf — the two approaches coexist:
- On the "API Keys" page (
/keys), a subuser can self-create multiple Keys, each named independently - When a subuser creates a Key, the routing group can only be chosen within the scope the organization has authorized to it (the dropdown lists only authorized groups)
- The multiple Keys under a subuser share the same quota limit (see Section 5), and actual deduction is from the organization balance
- The advanced "dispatch group allowlist" is exclusive to the organization; the field is not shown when a subuser creates / edits a Key
The organization can choose as needed: let subusers self-create Keys (constrained by authorized groups + quota limit), or have the organization create and distribute them uniformly. Either way, charges deduct from the organization balance.
For Key creation and routing group configuration details, see API Keys & Routing Groups.
8. About Invitations to Join
The legacy console's "invitation link / invitation management" has no corresponding entry yet in the new console. Please bring members in via "Create Subuser + activation code".
9. FAQ
Q: Can subusers create their own Keys? A: Yes. On the "API Keys" page, a subuser can self-create multiple Keys; the routing group can only be chosen within the organization's authorized scope. The organization can also create and distribute them uniformly. Either way, charges deduct from the organization balance.
Q: How do I restrict a specific subuser's calls? A: Two ways — disable the subuser account; or lower / exhaust its quota limit (when the quota is exhausted, all Keys under it are rejected together).
Q: Are a subuser's multiple Keys billed independently? A: No. All Keys under a subuser share the same quota limit, and actual deductions all come from the organization balance.
Q: After deleting a subuser, are its usage records still there? A: Usage is aggregated to its organization and no longer retained separately at the user level. If you need per-user details, reconcile or export them before deletion.
Q: Can the account name / email duplicate another subuser's? A: There is currently no uniqueness check within the same organization; the system will not block duplicates. We recommend agreeing on a naming convention to avoid confusion.
Q: Why does a subuser see so few menu items after logging in? A: The subuser menu is narrowed to 5 items (Dashboard, API Keys, Call Guide, Usage Records, Profile). It cannot see organization-exclusive entries such as Subuser Management, Purchase, or Orders; typing the URL directly will also redirect back to the Dashboard.
Q: How do I change my password? A: After logging in, go to the "Profile" page to change your password.
Contact Us
- Email: support_cloudrouter@clouditera.com
- QQ community: 712273971
- Website: cloudrouter.online