diff --git a/src/tools/app-members.ts b/src/tools/app-members.ts
index 5affb80..9eb1617 100644
--- a/src/tools/app-members.ts
+++ b/src/tools/app-members.ts
@@ -12,7 +12,7 @@ export function registerAppMemberTools(
 ): void {
   server.tool(
     "list_app_members",
-    "List members of an app with usage quota (used/max). For personal (user-owned) apps this lists individual collaborators; for project/workspace (Group) apps it also includes the teams attached to the app.",
+    "List the members of an app. For project/workspace (Group)-owned apps (current plans) this returns individual users plus the teams attached to the app. For legacy user-owned apps it returns individual collaborators plus a usage quota object (used/max seats).",
     { owner_name: ownerArg, platform: platformArg, app_id: appIdArg },
     async (args) => {
       const results = await client.listAppMembers(
@@ -74,7 +74,7 @@ export function registerAppMemberTools(
 
   server.tool(
     "remove_app_shared_team",
-    "Detach a workspace shared team from an app. Only valid for apps in an Enterprise (workspace) organization — returns 400 otherwise. DESTRUCTIVE. The owner team cannot be detached (403). Returns 400 if the shared team is not attached.",
+    "Detach a workspace shared team from an app. Only valid for apps in an Enterprise (workspace) organization — returns 400 otherwise. DESTRUCTIVE. Returns 400 if the shared team is not attached.",
     {
       owner_name: z.string().describe("Project (organization) name"),
       platform: platformArg,
diff --git a/src/tools/workspace-members.ts b/src/tools/workspace-members.ts
index a10e079..43c80f5 100644
--- a/src/tools/workspace-members.ts
+++ b/src/tools/workspace-members.ts
@@ -30,12 +30,12 @@ export function registerWorkspaceMemberTools(
 
   server.tool(
     "add_workspace_member",
-    "Invite/add a member to a workspace (enterprise). Requires a USER API token (not a workspace token). Set role='guest' for a guest member. Returns 400 if already a member, 403 if you lack invite permission or the plan's member seats are exceeded; SSO/flexible workspaces require an email address.",
+    "Invite/add a member to a workspace (enterprise) by email address. Requires workspace invite permission (a workspace API key is also accepted). Returns 400 if already a member, 403 if you lack invite permission or the plan's member seats are exceeded.",
     {
       workspace: workspaceArg,
-      user: z.string().describe("User email or username to add"),
+      user: z.string().describe("Email address of the user to invite (inviting an existing user by username is deprecated)"),
       full_name: z.string().optional().describe("Optional full name for the invitee"),
-      role: z.string().optional().describe("Optional role; use 'guest' to invite a guest member"),
+      role: z.string().optional().describe("Optional role; 'guest' invites a guest member but is available only to certain partner workspaces"),
     },
     async (args) => {
       const results = await client.addWorkspaceMember(args.workspace, args.user, {
@@ -48,7 +48,7 @@ export function registerWorkspaceMemberTools(
 
   server.tool(
     "remove_workspace_member",
-    "Remove a member from a workspace (enterprise) entirely. Requires a USER API token. DESTRUCTIVE. You cannot remove yourself (403); a non-member returns 400.",
+    "Remove a member from a workspace (enterprise) entirely. Requires workspace management permission (a workspace API key is also accepted). DESTRUCTIVE. You cannot remove yourself (403); a non-member returns 400.",
     { workspace: workspaceArg, user: z.string().describe("Member name or email to remove") },
     async (args) => {
       const results = await client.removeWorkspaceMember(args.workspace, args.user);
diff --git a/src/tools/workspace-projects.ts b/src/tools/workspace-projects.ts
index c9472aa..98bf0c0 100644
--- a/src/tools/workspace-projects.ts
+++ b/src/tools/workspace-projects.ts
@@ -21,7 +21,7 @@ export function registerWorkspaceProjectTools(
 
   server.tool(
     "create_project",
-    "Create a new project (organization) in a workspace (enterprise). Requires a USER API token. 'name' must be 3-28 chars (letters/digits/hyphens/underscores, starting and ending with a letter or digit) and GLOBALLY unique (400 if already in use). 'owner_name_or_email' must be an existing workspace member (404 otherwise). 403 if the plan's project limit is exceeded. display_name defaults to name.",
+    "Create a new project (organization) in a workspace (enterprise). Requires workspace management permission (a workspace API key is also accepted). 'name' must be 3-28 chars (letters/digits/hyphens/underscores, starting and ending with a letter or digit) and GLOBALLY unique (400 if already in use). 'owner_name_or_email' must be an existing workspace member (404 otherwise). 403 if the plan's project limit is exceeded. display_name defaults to name.",
     {
       workspace: workspaceArg,
       owner_name_or_email: z.string().describe("Workspace member to set as the project owner (username or email)"),
@@ -52,7 +52,7 @@ export function registerWorkspaceProjectTools(
 
   server.tool(
     "add_project_member",
-    "Add a workspace member to a project (organization) as a direct project member. The user must already be a workspace member (401 otherwise); 403 if you lack permission. This is the project-level membership; to add to a specific team use add_member.",
+    "Add a workspace member to a project (organization) as a direct project member. The user must already be a workspace member (401 otherwise); 403 if you lack permission. This is the project-level membership; to add to a specific team use add_team_member.",
     {
       workspace: workspaceArg,
       project: projectArg,
diff --git a/src/tools/workspace-saml.ts b/src/tools/workspace-saml.ts
index 0fcd1fb..a98973d 100644
--- a/src/tools/workspace-saml.ts
+++ b/src/tools/workspace-saml.ts
@@ -8,7 +8,7 @@ export function registerWorkspaceSamlTools(
 ): void {
   server.tool(
     "update_saml_certificate",
-    "Update a workspace's SAML IdP certificate from a local PEM file. Requires a USER API token with workspace ADMIN permission. CAUTION: uploading an incorrect certificate can break SSO login for the whole workspace. Returns 400 for an invalid certificate file, 403 if not an admin or the plan has expired, 404 if SAML is not configured.",
+    "Update a workspace's SAML IdP certificate from a local PEM file. Requires workspace admin permission (a workspace API key is also accepted). CAUTION: uploading an incorrect certificate can break SSO login for the whole workspace. Returns 400 for an invalid certificate file, 403 if not an admin or the plan has expired, 404 if SAML is not configured.",
     {
       workspace: z.string().describe("Workspace (enterprise) name"),
       file_path: z.string().describe("Local path to the IdP X.509 certificate (PEM) file"),