When we would like to invite others in our organization into our corporate account, according to the website, our admin sends out an invitation to the user, and when the user sees the invite, they click on the link to register.
However, we found that when the user clicks on the link, a credit card transaction would immediately occur without approval from the account admin. That would be OK if the link were single-use; however, it is not. If the invitation link were leaked, as it is not supposed to be, anyone inside or outside of the organization could register under us and a credit card transaction would immediately occur.
We hope that maybe you can provide us a solution to better manage our account, for instance, an approval string that limits people from signing up beyond control, or one-time invitation links that are dedicated to the invitee’s email address when signing up.
Looking forward to your reply and a solution for the issue. @ericzakariasson
Hey! For stricter access control, we recommend either setting up SSO or domain verification. Feedback noted, let me know if there are any specific use cases!
Thank you for your reply, Eric. I did not make the situation clear enough in my original post. The case is “Our company uses SSO and domain verification. However, some coworkers who we don’t think should have access to Cursor because they are not engineers can click on the link and immediately be counted as users without approval from the account admin.” Anyone inside or outside of the organization could register under us and a credit card transaction would immediately occur. This is what we are concerned about.
In short, I think there should be a limitation added to the invitation link, say, that it expires after one click. Or at least for the billing part. You could charge the credit card later. For example, we review the “real users” and remove the rest every three days. Not charging us based on how many people get invited to our group even though most of them did not type a line of code.
Or is there a way to invalidate the current link? It seems that this link is the only link and lives forever? Most sites have a way to reset the link so the old one no longer works, or it is limited to a time frame?
Due to our company’s security access policies, we are unable to configure SSO for external domains. Therefore, we urgently need to restrict the member invitation feature exclusively to administrators.
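
The controls requested in this thread (single-use links tied to the invitee's email, an expiry window, and a way to invalidate outstanding links) can be sketched as follows. This is an added example, not part of the original posts and not Cursor's code; `InviteStore`, its method names, the 72-hour lifetime and the in-memory dictionary are assumptions made for illustration, and `email` in `redeem` is assumed to be the address already verified at sign-in.

```python
import hashlib
import hmac
import secrets
import time


class InviteStore:
    """Pending invitations, kept in memory for the example (hypothetical)."""

    def __init__(self, ttl_seconds=72 * 3600):  # lifetime is an assumed value
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (invitee email, expiry time)

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked table does not leak usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, email, now=None):
        """Admin action: issue a fresh token for exactly one invitee."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (email.strip().lower(), now + self.ttl)
        return token

    def revoke_all(self):
        """Admin action: invalidate every outstanding link."""
        count = len(self._pending)
        self._pending.clear()
        return count

    def redeem(self, token, email, now=None):
        """Return 'ok' once per token; any other result must not add a seat."""
        now = time.time() if now is None else now
        key = self._key(token)
        record = self._pending.get(key)
        if record is None:
            return "unknown_or_used"
        invited, expires_at = record
        if now > expires_at:
            del self._pending[key]
            return "expired"
        if not hmac.compare_digest(invited.encode(), email.strip().lower().encode()):
            return "email_mismatch"
        del self._pending[key]  # single use: a second click finds nothing
        return "ok"
```

Seat creation and billing would run only on an `"ok"` result, so a forwarded or leaked link fails on the second click, on a different address, after the lifetime ends, or after an admin calls `revoke_all()`.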