Admin Guide

Everything you need to manage your Karnyx organization: user roles, single sign-on, directory sync, data governance, and usage monitoring. This guide is intended for workspace owners and administrators.

Organization Management

An organization is the top-level container in Karnyx. All users, meetings, recordings, and settings belong to exactly one organization. The first user to sign up creates the org and becomes the Owner.

Organization Settings

Navigate to Settings > Organization to manage core org-level settings:

Display name: Your company or team name, shown in shared summaries and exports.
Default timezone: Used for meeting scheduling and report generation when a user has no timezone set.
Logo: Upload a company logo for branded exports and the login screen (Enterprise plan).
Allowed email domains: Restrict sign-ups to specific domains (e.g., @yourcompany.com). Users with non-matching emails cannot join.
Default capture mode: Set whether new users default to Ghost Mode or Bot Mode for meeting capture.

Inviting Users

Owners and Admins can invite users via Settings > Members > Invite. You can invite by email address or share an invite link. When using SCIM directory sync, users are provisioned automatically.

// Invite via API
POST /api/v1/org/invites
{
  "emails": ["alice@company.com", "bob@company.com"],
  "role": "MEMBER",
  "message": "Welcome to Karnyx! Connect your calendar to get started."
}

// Response
{
  "invites": [
    { "email": "alice@company.com", "status": "sent", "expires_at": "2025-02-17T14:30:00Z" },
    { "email": "bob@company.com", "status": "sent", "expires_at": "2025-02-17T14:30:00Z" }
  ]
}

Invite expiration

Email invites expire after 7 days. If an invite is not accepted, Admins can resend it from the Members page. Invite links do not expire but can be revoked at any time.

Roles & Permissions

Karnyx uses a four-tier role system. Each user in the organization is assigned exactly one role. Roles are hierarchical: higher roles inherit all capabilities of lower roles.

Capability	OWNER	ADMIN	MEMBER	VIEWER
Capture meetings	Yes	Yes	Yes	No
View own meetings	Yes	Yes	Yes	Yes
View all org meetings	Yes	Yes	No	No
Create and edit notes	Yes	Yes	Yes	No
Manage action items	Yes	Yes	Yes	No
Configure integrations	Yes	Yes	No	No
Manage webhooks	Yes	Yes	No	No
Invite and remove users	Yes	Yes	No	No
Change user roles	Yes	Yes	No	No
Configure SSO / SCIM	Yes	Yes	No	No
View audit logs	Yes	Yes	No	No
Set data retention policies	Yes	No	No	No
Manage billing and plan	Yes	No	No	No
Delete organization	Yes	No	No	No
Transfer ownership	Yes	No	No	No

Owner role is unique

Each organization has exactly one Owner. Ownership can be transferred to another user via Settings > Organization > Transfer Ownership, but only the current Owner can initiate this. This action requires email confirmation and cannot be undone without the new Owner's cooperation.

SSO Setup

Karnyx supports Single Sign-On via SAML 2.0 and OpenID Connect (OIDC), powered by WorkOS. SSO is available on the Pro and Enterprise plans.

SAML 2.0 Configuration

Navigate to Settings > Security > Single Sign-On.
Click "Configure SAML".
Copy the ACS URL (Assertion Consumer Service) and Entity ID from the Karnyx setup screen. You will need these in your identity provider.
In your IdP (Okta, Azure AD, OneLogin, etc.), create a new SAML application and paste the ACS URL and Entity ID.
Download the IdP metadata XML or copy the SSO URL, Certificate, and Issuer values.
Paste the IdP metadata into the Karnyx setup form and click "Save".
Test the connection by clicking "Test SSO Login". This opens a new browser window and attempts to authenticate through your IdP.

// SAML configuration values provided by Karnyx
{
  "acs_url": "https://auth.karnyx.ai/saml/acs/org_k2l3m4n5",
  "entity_id": "https://auth.karnyx.ai/saml/org_k2l3m4n5",
  "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "attribute_mapping": {
    "email": "user.email",
    "first_name": "user.firstName",
    "last_name": "user.lastName",
    "department": "user.department"
  }
}

OIDC Configuration

For identity providers that support OpenID Connect (Google Workspace, Auth0, etc.):

Navigate to Settings > Security > Single Sign-On.
Click "Configure OIDC".
Enter your IdP's Discovery URL (/.well-known/openid-configuration endpoint).
Provide the Client ID and Client Secret from your IdP.
Click "Save" and test the connection.

Enforcing SSO

After verifying that SSO works, you can enforce it for all users by toggling "Require SSO" in the security settings. When enforced, email/password login is disabled and all users must authenticate through your identity provider. The Owner account always retains password access as a break-glass mechanism.

SCIM Directory Sync

SCIM (System for Cross-domain Identity Management) allows you to automatically provision and deprovision Karnyx users from your corporate directory. When an employee joins or leaves your company, their Karnyx access is updated automatically. SCIM is available on the Enterprise plan.

Setting Up SCIM

Navigate to Settings > Security > Directory Sync.
Click "Enable SCIM". Karnyx generates a SCIM endpoint URL and a Bearer token.
Copy the endpoint URL and token into your directory provider (Okta, Azure AD, OneLogin, JumpCloud, etc.).
In your directory provider, assign the Karnyx application to the groups that should have access.
Trigger an initial sync. Karnyx will create accounts for all assigned users.

// SCIM endpoint configuration
{
  "scim_url": "https://api.karnyx.ai/scim/v2/org_k2l3m4n5",
  "bearer_token": "scim_••••••••••••••••••••••",
  "supported_resources": ["Users", "Groups"],
  "operations": [
    "CREATE user  → provisions Karnyx account with MEMBER role",
    "UPDATE user  → syncs name, email, department, and active status",
    "DELETE user  → deactivates Karnyx account (data retained per policy)",
    "CREATE group → maps to Karnyx team for meeting visibility",
    "UPDATE group → syncs group membership changes"
  ]
}

Deactivation vs. deletion

When a user is removed via SCIM, their Karnyx account is deactivated, not deleted. Meeting data, notes, and recordings they created are preserved according to your data retention policy. An Admin can permanently delete the account and its data if needed.

Data Retention Policies

Karnyx allows organization Owners to configure how long meeting data is retained. These policies help you comply with internal governance requirements and regulations like GDPR.

Configurable Retention Categories

Data Type	Default Retention	Configurable Range
Audio recordings	90 days	30 days – Unlimited
Transcripts	Unlimited	90 days – Unlimited
AI summaries	Unlimited	90 days – Unlimited
Notes and highlights	Unlimited	90 days – Unlimited
Action items	Unlimited	90 days – Unlimited
Voice fingerprints	Unlimited	90 days – Unlimited
Audit logs	1 year	90 days – 7 years
Webhook delivery logs	30 days	7 days – 90 days

Configure retention policies in Settings > Organization > Data Retention. When data reaches the end of its retention period, it is permanently and irreversibly deleted from all Karnyx systems, including backups, within 30 days.

Retention changes apply retroactively

If you shorten a retention period, existing data that exceeds the new limit will be scheduled for deletion. Karnyx shows a confirmation dialog with the number of affected records before applying the change. This action cannot be undone.

Audit Logs

Karnyx maintains a comprehensive audit trail of all significant actions within your organization. Audit logs are immutable and cannot be modified or deleted by any user, including Owners.

Audited Events

User sign-in and sign-out (including SSO and failed attempts)
User invitation, role change, deactivation, and deletion
Meeting capture start and stop
Meeting data access (who viewed a transcript, summary, or recording)
Meeting data export and sharing
Integration connection and disconnection (calendar, Slack, webhooks)
Webhook creation, modification, and deletion
SSO and SCIM configuration changes
Data retention policy changes
Organization settings changes
API key creation and revocation

Log Entry Format

// Example audit log entry
{
  "id": "aud_r3s4t5u6v7",
  "timestamp": "2025-02-10T14:32:15Z",
  "actor": {
    "user_id": "usr_a1b2c3",
    "email": "admin@company.com",
    "role": "ADMIN",
    "ip_address": "203.0.113.42",
    "user_agent": "Karnyx Desktop/1.2.0 (macOS 14.3)"
  },
  "action": "user.role_changed",
  "resource": {
    "type": "user",
    "id": "usr_d4e5f6",
    "email": "alice@company.com"
  },
  "details": {
    "previous_role": "MEMBER",
    "new_role": "ADMIN",
    "reason": "Promoted to team lead"
  }
}

Exporting Audit Logs

Audit logs can be exported as CSV or JSON from Settings > Security > Audit Logs > Export. You can filter by date range, actor, action type, and resource type before exporting. On the Enterprise plan, you can also stream audit logs to an external SIEM via a webhook.

SIEM integration

Enterprise organizations can configure a dedicated webhook endpoint to receive audit log events in real time. This integrates with Splunk, Datadog, Sumo Logic, and other SIEM platforms. Configure this in Settings > Security > Audit Logs > SIEM Export.

Usage Limits by Plan

Each Karnyx plan includes different limits for meetings, storage, and features. The table below shows the limits for each plan tier.

Feature	FREE	PERSONAL	PRO	ENTERPRISE
Monthly meeting captures	5	50	Unlimited	Unlimited
Max meeting duration	30 min	2 hours	4 hours	8 hours
Recording storage	1 GB	25 GB	100 GB	Unlimited
Users per organization	1	1	50	Unlimited
AI summary templates	3 built-in	All 7 built-in	7 + 10 custom	Unlimited
Voice fingerprint profiles	5	25	200	Unlimited
Webhook endpoints	—	2	10	25
API access	—	Read-only	Full	Full
SSO (SAML / OIDC)	—	—	Yes	Yes
SCIM directory sync	—	—	—	Yes
Audit log retention	7 days	30 days	1 year	7 years
Data retention customization	—	—	Yes	Yes
Priority support	—	Email	Email + Chat	Dedicated CSM
Price per user/month	$0	$19	$39	Custom

Usage dashboard

Monitor your organization's usage against plan limits in real time at Settings > Organization > Usage. Karnyx sends email alerts when you reach 80% and 95% of any limit. Owners can upgrade the plan directly from the usage page.

Webhooks & Zapier API Reference