FEATURES
RBAC
Tenant roles (Owner, Admin, Developer, BillingManager, Viewer) and permission keys enforced on every API route.
Overview
Tenant roles (Owner, Admin, Developer, BillingManager, Viewer) and permission keys enforced on every API route.
Who should use this
Security-conscious teams delegating least privilege.
Core concepts
Permissions are strings like api_key.manage. Platform roles are separate for /admin/*.
Setup
Invite members → assign role → optional PATCH /members/{userId} to change role.
Required entitlement
rbac
Required permissions
tenant.members.view, tenant.members.update (Owner/Admin).
REST API
GET /tenants/{tenantId}/members, POST /invitations, PATCH /members/{userId}, POST /rbac/check.
SDK (@startupcore/api-client)
startupCore.organizations.listMembers(tenantId), .updateMemberRole(tenantId, userId, { role }).
React components
<PermissionGate permission="api_key.manage">, <RoleEditor />, <MemberRoleTable onRoleChange={...} />.
Security notes
Backend enforces RBAC even if UI hides buttons.
Troubleshooting
FORBIDDEN — call rbac.check with permissionKey to debug.