Hetzner Multi-Account Rules: A Beginner’s Guide

Introduction

Managing several projects on Hetzner? A multi‑account setup lets you separate billing, permissions, and resources while keeping everything under one roof. This guide walks you through the essential rules, best practices, and common pitfalls of Hetzner multi‑account management.

Why Use Multiple Accounts?

• Clear Billing – Assign costs to specific departments or clients.
• Access Control – Grant team members only the permissions they need.
• Resource Isolation – Prevent one project from accidentally affecting another.

Key Rules for Hetzner Multi‑Account Setups

1. One Root Account per Organization

The root (or "main") account should be owned by a trusted administrator. This account creates and links sub‑accounts, but never mixes personal projects with business workloads.

2. Use Sub‑Accounts for Every Distinct Entity

Create a separate sub‑account for each client, department, or major project. Each sub‑account receives its own API token, SSH keys, and optional two‑factor authentication.

3. Enforce Strong Permissions

• Assign the read‑only role to auditors.
• Grant operator rights only to staff who need to manage servers.
• Reserve owner privileges for senior engineers.

4. Keep Billing Information Isolated

Enter a unique payment method for each sub‑account. This prevents a single failed payment from affecting unrelated projects.

5. Tag Resources Consistently

Use labels such as project=website‑redesign or env=staging. Tags make automated cost reports and monitoring scripts much easier.

6. Automate Account Provisioning

Leverage Hetzner’s API to create new sub‑accounts programmatically. Combine the API with an Infrastructure‑as‑Code tool (e.g., Terraform) to spin up servers, firewalls, and DNS zones instantly.

Step‑by‑Step: Setting Up a New Sub‑Account

1. Log in to the root account dashboard.
2. Navigate to Accounts → Sub‑accounts and click Create new sub‑account.
3. Enter the name, email, and select a payment method.
4. Choose the desired role (owner, operator, or read‑only).
5. Save and send the invitation. The new user accepts the email link and sets up 2FA.
6. Generate an API token for the sub‑account if automation is required.

Common Mistakes to Avoid

• Sharing API tokens across accounts – always generate a unique token per sub‑account.
• Neglecting 2FA – it’s the simplest way to prevent unauthorized access.
• Using the root credit card for all sub‑accounts – separate billing avoids surprise charges.
• Ignoring tags – without tags, tracking costs per project becomes a manual nightmare.

FAQ

Can I move a server from one sub‑account to another?

Yes. Use the Hetzner console to detach the server, then re‑attach it under the target sub‑account. Remember to update any associated API tokens.

What happens to existing resources when I delete a sub‑account?

All resources owned by that sub‑account are terminated. Export any data first, or migrate it to another account.

Is there a limit to the number of sub‑accounts?

Hetzner currently allows up to 100 sub‑accounts per root account, which is ample for most agencies.

Do sub‑accounts share network zones?

Network zones (VLANs, firewalls) are global. You can restrict access by configuring firewall rules per sub‑account.

How can I get a cost report per sub‑account?

Enable the "Monthly Billing" export in the dashboard. The CSV includes a column for the sub‑account ID, allowing you to segment costs in Excel or a BI tool.

Conclusion

Following Hetzner’s multi‑account rules helps you maintain clean billing, precise permissions, and isolated resources. By setting up a dedicated root account, creating sub‑accounts for every logical unit, and automating provisioning, you’ll scale confidently while keeping security and cost control in check.

Call to Action

Ready to streamline your Hetzner environment? Start by auditing your current accounts, then apply the rules above. Need help with automation? Contact our cloud experts today for a free consultation.