Workspace

Permissions Reference

Every dashboard action maps to a named permission. A permission is granted when the caller's workspace role or their application role on the target application satisfies the rule — whichever axis applies first wins. See Team management for how roles are assigned.

Permissions gate humans; scopes gate API keys
This page describes role-based permissions (RBAC) — the rules that gate human users authenticating with a Clerk session in the dashboard. They are a separate system from API key scopes, which gate machine-to-machine calls made with an sk_ / pk_ key. A Clerk caller carries the wildcard scope and is gated purely by these permissions; an API-key caller is gated purely by its scopes and never by RBAC. The two systems compose; neither replaces the other.

How permission checks work

For each request Throttle resolves two values from the auth context: the caller's workspace-level role (owner | workspace_admin | none) and their application-level role on the specific application being acted on (admin | developer | finance | viewer | none). A permission is granted if either role set contains the caller.

Workspace roles are implicitly elevated
owner and workspace_admin satisfy most application-level permissions without needing an explicit per-application role. They act as supersets of any application role on any application in the workspace.
Environment grants are a separate gate
Roles answer “can this person perform the action?” Environment grants answer “can this person use the selected workspace environment?” A caller must pass both checks. Requests outside the member's environment grant return 403 member_env_forbidden.

The permission check is exposed at GET /api/v1/auth/permissions. The response lists every permission key and whether it resolves to true for the authenticated caller, optionally scoped to a specific application via the x-application-id header.

Permission catalog

The table below lists every permission string, which workspace roles satisfy it, and which application roles satisfy it. A dash (—) means that role axis is not checked for that permission.

PermissionWorkspace rolesApplication roles
workspace:deleteowner
workspace:transferowner
workspace:billingowner
workspace:invite-adminowner
workspace:settingsowner, workspace_admin
workspace:inviteowner, workspace_adminadmin
workspace:edit-memberowner, workspace_admin
workspace:remove-memberowner, workspace_admin
workspace:read-teamowner, workspace_admin, member
application:settingsowner, workspace_adminadmin
application:api-keysowner, workspace_adminadmin, developer
application:webhooksowner, workspace_adminadmin, developer
application:customers:writeowner, workspace_adminadmin, developer
application:customers:readowner, workspace_adminadmin, developer, finance, viewer
application:orders:writeowner, workspace_adminadmin, developer
application:orders:readowner, workspace_adminadmin, developer, finance, viewer
application:refunds:issueowner, workspace_adminadmin, developer, finance
application:payments:readowner, workspace_adminadmin, developer, finance, viewer
application:edit-app-memberowner, workspace_adminadmin
application:extensions:readowner, workspace_adminadmin, developer, finance, viewer
application:extensions:writeowner, workspace_adminadmin, developer
application:extensions:installowner, workspace_adminadmin, developer
application:extensions:adminowner, workspace_adminadmin

Permission scope notes

Workspace-only permissions

  • workspace:delete, workspace:transfer, workspace:billing, and workspace:invite-admin are exclusively for the owner. No application role satisfies these.
  • workspace:settings covers workspace branding, sender domains, and workspace-scoped email settings.
  • workspace:edit-member and workspace:remove-member require workspace_admin or above; no application role grants them.

Read vs write split

  • The finance role sees customers, orders, and payments but cannot write to customers or orders. It can issue refunds.
  • The viewer role is fully read-only. It cannot issue refunds or perform any write action.
  • The developer role is the same as finance plus write access to customers and orders, and access to API keys and webhooks.

Check permissions at runtime

Call GET /api/v1/auth/permissions with a Clerk JWT. Pass x-application-id to resolve application-level role flags for a specific application. The response shape is:

{
  "workspaceRole": "workspace_admin",
  "appRole": "developer",
  "permissions": {
    "workspace:delete": false,
    "workspace:invite": true,
    "application:api-keys": true,
    "application:customers:write": true,
    ...
  }
}
Build UI conditionals from this endpoint
The dashboard uses this response to show or hide actions in the UI. Call it once on page load and cache client-side for the session duration.