Summary and recommendation
Klaviyo user management can be run manually, but complexity usually increases with role models, licensing gates, and offboarding dependencies. This guide gives the exact mechanics and where automation has the biggest impact.
Klaviyo is a marketing automation platform with a fixed, role-based permission model: Owner, Admin, Manager, Analyst, and Content Creator. User seats are unlimited and carry no per-seat cost - billing scales with active profile count, not headcount. SSO must be configured before SCIM provisioning can be activated.
User management lives at Account → Settings → Users.
Quick facts
| Admin console path | Account (top-right avatar) → Settings → Users |
| Admin console URL | Official docs |
| SCIM available | Yes |
| SCIM tier required | Paid plans |
| SSO prerequisite | Yes |
User types and roles
| Role | Permissions | Cannot do | Plan required | Seat cost | Watch out for |
|---|---|---|---|---|---|
| Owner | Full account access including billing, account deletion, all settings, all features, and user management. Only one Owner per account. | Cannot transfer ownership via self-service UI in most cases; ownership transfer requires contacting Klaviyo support. | All plans | No per-seat fee; pricing is based on active profiles, not user seats. | Only one Owner role exists per account. If the Owner leaves the company, regaining access requires contacting Klaviyo support. |
| Admin | Full access to all features, campaigns, flows, lists, segments, integrations, and account settings. Can invite and remove other users (except Owner). | Cannot manage billing or delete the account. Cannot modify the Owner's role. | All plans | No per-seat fee. | Admins can invite other Admins, which can lead to unintended privilege escalation if not monitored. |
| Manager | Can create and edit campaigns, flows, lists, segments, templates, and integrations. Can view reports. | Cannot manage users, access billing, or modify account-level settings. | All plans | No per-seat fee. | |
| Analyst | Read-only access to reporting, campaigns, flows, lists, and segments. Can view but not edit. | Cannot create or edit any content, manage users, or access billing. | All plans | No per-seat fee. | |
| Content Creator | Can create and edit email and SMS templates. Limited to template/content creation tasks. | Cannot send campaigns, manage lists, access reporting, manage users, or access billing. | All plans | No per-seat fee. | Role is narrowly scoped; users needing to both create content and view performance data require a higher role. |
| Custom (Partner/Agency sub-account access) | Agency partners can be granted access to client accounts via the Klaviyo Partner Portal with configurable access levels. | Scope depends on what the account Owner/Admin grants. | Requires Klaviyo Partner Program membership for the agency. | No per-seat fee on client account. | Partner access is managed separately from internal user roles; partners appear in the Users list but are managed via partner portal. |
Permission model
- Model type: role-based
- Description: Klaviyo uses a fixed set of predefined roles (Owner, Admin, Manager, Analyst, Content Creator). There are no custom roles or granular permission toggles available to account administrators. Each role maps to a fixed permission set defined by Klaviyo.
- Custom roles: No
- Custom roles plan: Not documented
- Granularity: Role-level only; no per-feature or per-object permission overrides available to admins.
How to add users
- Log in to Klaviyo and click your account name/avatar in the bottom-left corner.
- Navigate to Settings → Users.
- Click 'Invite User'.
- Enter the invitee's email address.
- Select the appropriate role (Admin, Manager, Analyst, Content Creator).
- Click 'Send Invite'.
- The invitee receives an email invitation and must accept it to gain access. If they do not have a Klaviyo account, they will be prompted to create one.
Required fields: Email address, Role selection
Watch out for:
- Invitations expire if not accepted; a new invite must be sent if the original expires.
- The invitee must use the exact email address the invite was sent to when creating or logging into their Klaviyo account.
- Only Owners and Admins can invite new users.
- There is no bulk CSV import for inviting multiple users simultaneously via the UI.
- If SSO is enforced on the account, new users must authenticate via SSO after accepting the invite.
| Bulk option | Availability | Notes |
|---|---|---|
| CSV import | No | Not documented |
| Domain whitelisting | No | Automatic domain-based user add |
| IdP provisioning | Yes | Paid plans (SSO must be configured first; SCIM provisioning available with Okta, Azure AD/Entra ID, and OneLogin) |
How to remove or deactivate users
- Can delete users: Yes
- Delete/deactivate behavior: Klaviyo allows account Owners and Admins to remove (revoke access for) users from the account. This removes their access immediately. The removed user's Klaviyo account itself is not deleted - they retain their own Klaviyo login but lose access to that specific account. There is no 'deactivate/suspend' state; removal is immediate access revocation.
- Log in as Owner or Admin.
- Navigate to Settings → Users.
- Locate the user to be removed.
- Click the options menu (three dots or 'Remove') next to the user.
- Confirm removal. The user immediately loses access to the account.
| Data impact | Behavior |
|---|---|
| Owned records | Content created by the removed user (campaigns, flows, templates, segments) remains in the account and is not deleted. |
| Shared content | All shared assets (lists, segments, templates, flows) remain intact and accessible to remaining users. |
| Integrations | Integrations configured by the removed user remain active; API keys they created may persist and should be audited separately. |
| License freed | No per-seat license cost exists, so removal does not reduce billing. Billing is based on active profiles, not user count. |
Watch out for:
- Removing a user does not revoke any API keys they may have generated; API keys must be manually audited and revoked separately under Settings → API Keys.
- If the removed user was the sole Owner, the account may become difficult to manage; Klaviyo support must be contacted to reassign ownership.
- SCIM-provisioned users deprovisioned via IDP are removed automatically, but API keys they created are not automatically revoked.
- There is no audit log of user actions visible to standard admins; forensic review of a removed user's activity is limited.
License and seat management
| Seat type | Includes | Cost |
|---|---|---|
| User seat | Unlimited internal users (Owners, Admins, Managers, Analysts, Content Creators) with no per-seat charge. | $0 per seat; pricing is based entirely on active profile count, not user count. |
| Active profiles (Email plan) | Email sending to active profiles; 150 free SMS credits included. | Starting at $20/month for 251–500 active profiles; scales with profile count. |
| Active profiles (Email + SMS plan) | Email and SMS sending; 1,250 SMS credits included at base tier. | Starting at $35/month for 251–500 active profiles; scales with profile count. |
- Where to check usage: Account → Settings → Billing (shows current active profile count and plan tier)
- How to identify unused seats: No native 'last login' or user activity report is available in the standard UI to identify inactive user accounts. Admins must manually review the Users list under Settings → Users.
- Billing notes: As of 2025, Klaviyo bills on total active profiles (contacts who have interacted or been emailed/SMSed within a rolling period), not just contacts emailed in a given month. Existing customers received a 25% price cap on increases during the billing model transition. Adding or removing internal users has no impact on billing.
The cost of manual management
Without automation, every app in your stack demands the same repetitive clicks - and Klaviyo surfaces several friction points that compound at scale. There is no bulk invite via CSV, no last-login visibility to identify dormant accounts, and no audit log accessible to standard admins.
Ownership transfers require contacting Klaviyo support directly, which introduces delays during time-sensitive offboarding. API keys created by removed users are not automatically revoked, leaving a security gap that must be caught and closed manually. Across a team that turns over regularly, these gaps accumulate into real risk.
What IT admins are saying
The most consistent complaints from Klaviyo admins center on permission granularity and offboarding gaps. Admins cannot restrict a Manager to specific lists, segments, or campaigns - access within each role is all-or-nothing.
There is no native way to see when a user last logged in, making routine access reviews a manual headcount exercise. Ownership transfer requiring support contact is a recurring pain point, particularly when a departing employee held the Owner role.
Invitation expiry behavior is also flagged as opaque - invites can expire silently with no admin notification.
Common complaints:
- No granular permissions - users cannot be restricted to specific lists, segments, or campaigns; role access is all-or-nothing within each tier.
- No 'last login' visibility for admins, making it difficult to identify and clean up inactive user accounts.
- Only one Owner role per account; transferring ownership requires contacting Klaviyo support, which causes delays during offboarding.
- Invitation expiry is not clearly communicated; users sometimes report never receiving invites or invites expiring silently.
- API keys created by removed users are not automatically revoked, creating a security gap during offboarding.
- No audit log accessible to admins for reviewing what actions a specific user performed.
- Partner/agency access management is separate from internal user management, causing confusion about who has access to an account.
Community observations (summarized from cited discussions):
- There's no way to restrict a Manager to only see certain lists or campaigns - it's all or nothing. We need more granular permissions for our agency clients. - Klaviyo Community forum, user role permissions thread (paraphrased from multiple posts; exact quote not verified) (https://community.klaviyo.com)
- When our account owner left the company, we had to go through Klaviyo support to get ownership transferred. It took several days and required proof of authorization. - Klaviyo Community forum, account access thread (paraphrased; exact quote not verified) (https://community.klaviyo.com)
The decision
Klaviyo's manual user management is workable for small, stable teams but becomes a liability as headcount or agency access grows. The fixed role model means you cannot scope access narrowly - a Manager sees everything a Manager can see, with no exceptions.
If your team requires granular access control, frequent onboarding and offboarding, or reliable deprovisioning with API key cleanup, manual management will not hold.
SCIM provisioning via Okta, Azure AD, or OneLogin is available on paid plans and resolves the deprovisioning gap, though it requires SSO to be active first and does not automatically revoke API keys on removal.
Bottom line
Klaviyo's user management is straightforward for small teams but lacks the controls - granular permissions, last-login reporting, audit logs, and automated API key revocation - that IT and security teams need at scale.
SCIM provisioning closes the deprovisioning gap but requires a paid plan, active SSO, and a supported IdP. For organizations managing frequent access changes or agency relationships, manual processes introduce meaningful security and compliance risk that automation directly addresses.
Automate Klaviyo workflows without one-off scripts
Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.
