Skip to content
Lamba
Sign In

Concepts

Core Concepts

Learn the Lamba terms that connect identity, access, operations, and growth workflows.

Before you start

Lamba docs use product-facing names consistently. Workspace is the operating and billing boundary. Project is the runtime product boundary. Lamba User is the person-level identity that can hold console access, product access, or both.

What you build

A Lamba integration connects five layers:

LayerMeaningCommon docs
Lamba UserThe global identity actor.Auth, sessions, profile, linked providers
WorkspaceThe builder-owned operating boundary.Team, billing, plans, settings
ProjectThe product/runtime boundary.Customer auth, roles, webhooks, growth
SessionThe current authenticated access path.Login, refresh, revoke, scoped access
EventA durable fact that downstream systems can consume.Webhooks, audit, campaign, loyalty

Implementation steps

  1. Start with the product surface the user enters.
  2. Map that surface to a Project.
  3. Decide whether the person is a Team Member, Project Member, or both.
  4. Use the Project role catalog for runtime access.
  5. Use webhooks and audit events for downstream automation instead of duplicating identity state.

Access model

Team Members control console access through Workspace roles and optional Project console roles. Project Members control runtime product access through Project roles. Promoting a user to Team Member changes console access only; it does not assign runtime Project roles.

Growth model

Growth workflows should consume identity facts rather than create a second customer graph. Campaigns, loyalty, segments, analytics, and notifications should stay attached to the same Lamba User, Project, environment, session, and event context.

Security and operational notes

  • Keep production and sandbox credentials separate.
  • Read effective authorization before showing privileged runtime UI.
  • Treat webhook payloads as immutable facts.
  • Keep audit and delivery logs tied to the Workspace and Project that produced them.

Troubleshooting

If an access decision is confusing, identify the surface first. Console access comes from Team Member context. Runtime product access comes from Project Member context. API calls should use token-scoped context on public customer hosts, not internal console headers.

  • Workspaces and Projects: /docs/concepts/tenant-project
  • Roles and Permissions: /docs/concepts/roles-permissions
  • Scoped Sessions: /docs/concepts/scoped-sessions
  • Growth Workflows: /docs/growth/overview