Go to /settings/team and click "Invite a client". Enter their email and pick which client of yours they should be scoped to. They receive an email with an accept link that expires in 7 days.
What they get: a login locked at the JWT layer to that single client. The system enforces it on every query — there is no way they can see another client's data even if you accidentally leave a link open.
Roles you can give them: client (read-only), editor (can add comments / documents), auditor (read-only, audit trail view enabled).
Revoking access: /settings/team → find the user → click Disable. The next request fails auth; they're out instantly.
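A sketch of the per-request check that the scoping, role and revocation descriptions above imply. It is an added example, not the product's own code. It assumes an HS256-signed token with hypothetical `sub`, `client_id` and `role` claims, made-up action names for the three roles, and an in-memory set standing in for the Disable flag.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"      # assumption: HS256 with a server-side key
ROLE_ACTIONS = {                      # roles from the page; action names are assumed
    "client": {"read"},
    "editor": {"read", "add_comment", "add_document"},
    "auditor": {"read", "view_audit_trail"},
}
DISABLED_USERS = set()                # stands in for the "Disable" flag on a user

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(user: str, client_id: str, role: str, ttl: int = 3600) -> str:
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "client_id": client_id, "role": role,
              "exp": int(time.time()) + ttl}
    body = b64e(json.dumps(claims).encode())
    return f"{header}.{body}.{b64e(sign(header + '.' + body))}"

def authorize(token: str, requested_client_id: str, action: str) -> bool:
    """Run on every request: signature, expiry, disabled flag, scope, role."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(sign(f"{header}.{body}"), b64d(sig)):
            return False              # claims were altered or signed with another key
        if json.loads(b64d(header)).get("alg") != "HS256":
            return False              # accept only the algorithm we issue
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return False                  # malformed token
    if claims.get("exp", 0) <= time.time():
        return False
    if claims.get("sub") in DISABLED_USERS:
        return False                  # checked per request, so Disable applies at once
    if claims.get("client_id") != requested_client_id:
        return False                  # scope is read from the token, never from the URL
    return action in ROLE_ACTIONS.get(claims.get("role"), set())
```

Because the disabled check runs on every call rather than only at login, a token that has not yet expired stops working as soon as the user is disabled.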