Core Concepts
Dooor OS is a multi-tenant deploy platform with native AI governance. Before you start deploying, it helps to understand five primitives the rest of the docs build on.
Organization vs Workspace
An Organization is the billing and member boundary - usually one per company. Inside it, a Workspace is the actual sandbox where projects, apps, agents, and databases live. Most teams have one workspace per environment (e.g. production, staging) or one per product line.
Every API call is workspace-scoped. The API key you generate is tied to one workspace - it cannot reach another workspace, even within the same organization.
Project
A Project groups related apps, databases, and agents that ship together. Think of it as a folder for one product (e.g. "checkout service"). Projects are organizational only - they do not add isolation. Apps in different projects can still share env vars or talk to each other if you wire them up.
App vs Agent vs Native App
Three different things can run in your workspace, often confused on day one.
| Type | What it is | When to use |
|---|---|---|
| App | Container built from your Git repo and deployed to the runtime cluster. | Web service, API, worker - anything you would deploy to Railway / Vercel / Render. |
| Agent | AI workflow built on the OpenClaw runtime, with tools and chat sessions. | LLM-driven assistant or background AI worker that uses Dooor tools. |
| Native App | First-party SaaS shipped by Dooor (Recap, AI Chat, Vaultly, Keychain, ...). | Pre-built tools you install into your workspace - no code from your side. |
Harbor (AI Governance)
Harbor is the governance layer for every LLM call your apps and agents make through Dooor. It records the trace, runs configurable guards (PII detection, prompt-injection checks, content policy), tracks token usage and cost, and exposes evals to score quality over time.
You do not enable Harbor explicitly - if your app or agent calls an LLM through the Dooor SDK or the OpenAI-compatible endpoint, Harbor sees it. The dashboard is at /harbor.
API Keys
API keys (dor_sk_*) authenticate every programmatic request. Each key is:
- Workspace-scoped - it only sees one workspace.
- Scope-limited - you pick which API surfaces it can hit (e.g.
apps.write,deploy.write). - Shown once - copy it the moment you create it. Lost keys must be revoked and replaced.
Permissions and Roles
Dooor OS uses RBAC at the workspace level. Each workspace ships with three system roles:
- Admin - full access, including managing members and roles.
- Member - everyday operator: deploy apps, manage env vars, run agents.
- Viewer - read-only access to the workspace.
You can create custom roles in Settings > Permissions and pick from the catalog of resource.action.scope permissions (e.g. app.read.all, env-var.read-secret.all). The same scopes apply to API keys.