FEATURES

RBAC

Tenant roles (Owner, Admin, Developer, BillingManager, Viewer) and permission keys enforced on every API route.

Overview

Tenant roles (Owner, Admin, Developer, BillingManager, Viewer) and permission keys enforced on every API route.

Who should use this

Security-conscious teams delegating least privilege.

Core concepts

Permissions are strings like api_key.manage. Platform roles are separate for /admin/*.

Setup

Invite members → assign role → optional PATCH /members/{userId} to change role.

Required entitlement

rbac

Required permissions

tenant.members.view, tenant.members.update (Owner/Admin).

REST API

GET /tenants/{tenantId}/members, POST /invitations, PATCH /members/{userId}, POST /rbac/check.

SDK (@startupcore/api-client)

startupCore.organizations.listMembers(tenantId), .updateMemberRole(tenantId, userId, { role }).

React components

<PermissionGate permission="api_key.manage">, <RoleEditor />, <MemberRoleTable onRoleChange={...} />.

Security notes

Backend enforces RBAC even if UI hides buttons.

Troubleshooting

FORBIDDEN — call rbac.check with permissionKey to debug.