Workspace access control

Keep technical, billing, and member actions inside one authorized workspace

ThrottleProxy enforces active membership, role permissions, and workspace IDs on the server. Owners, Admins, Developers, Billing users, and Viewers receive different capabilities, while platform administration remains a separate boundary.

Server enforced · Tenant scoped · Audited

Practical boundaries

Authorization must follow the object all the way to mutation

Resolve the active workspace

Derive workspace context from the authenticated session and active membership.

Require an active role

Suspended memberships and non-members fail closed before protected work.

Check the permission

Map each route action to a server-side permission rather than relying on hidden buttons.

Scope the query

Include workspace_id in the actual select, update, or deactivate query.

Protect ownership

Prevent role changes or removals that would leave a workspace without an active Owner.

Record bounded audit events

Capture reviewed event types and sanitized metadata without secrets.
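
The six checks above applied to one member-deactivation request, as an added example that is not ThrottleProxy's own code. The table layout, permission names, role map and the `deactivate_member` helper are assumptions, and SQLite stands in for the real database.

```python
import sqlite3

# Hypothetical role-to-permission map; the page does not publish the real one.
PERMS = {
    "owner": {"members.manage", "keys.manage", "billing.manage"},
    "admin": {"members.manage", "keys.manage"},
    "developer": {"keys.manage"},
    "billing": {"billing.manage"},
    "viewer": set(),
}

class Denied(Exception):
    """Raised when any check fails; the transaction is rolled back."""

def make_db():
    # Constructed sample data: two workspaces, one active Owner each.
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript("""
        CREATE TABLE members(workspace_id, user_id, role, status);
        CREATE TABLE audit(workspace_id, actor_id, event, target_id);
        INSERT INTO members VALUES
          ('ws1','alice','owner','active'), ('ws1','bob','admin','active'),
          ('ws1','carol','billing','active'), ('ws1','dan','admin','suspended'),
          ('ws2','erin','owner','active');
    """)
    return db

def deactivate_member(db, session, target_id):
    ws, actor = session["workspace_id"], session["user_id"]  # from session, not request body
    db.execute("BEGIN IMMEDIATE")
    try:
        row = db.execute("SELECT role FROM members WHERE workspace_id=? AND user_id=?"
                         " AND status='active'", (ws, actor)).fetchone()
        if row is None or "members.manage" not in PERMS.get(row[0], set()):
            raise Denied("no active membership or missing permission")
        # The mutation itself carries workspace_id, so a foreign target matches zero rows.
        cur = db.execute("UPDATE members SET status='inactive' WHERE workspace_id=?"
                         " AND user_id=? AND status='active'", (ws, target_id))
        if cur.rowcount != 1:
            raise Denied("target is not an active member of this workspace")
        owners = db.execute("SELECT COUNT(*) FROM members WHERE workspace_id=?"
                            " AND role='owner' AND status='active'", (ws,)).fetchone()[0]
        if owners == 0:
            raise Denied("would leave the workspace without an active Owner")
        # Audit row holds identifiers and a fixed event type only, no secrets.
        db.execute("INSERT INTO audit VALUES (?,?,?,?)", (ws, actor, "member.deactivated", target_id))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
```

Because the Owner count is checked inside the same transaction as the update, a denied request rolls back both the status change and the audit row.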

Good fit

  • Teams collaborating on keys, destinations, support, and billing.
  • Organizations that need separate technical and billing responsibility.
  • Workspaces that need invitation and member activity visibility.

Not a replacement for

  • Cross-workspace administration by ordinary customer roles.
  • A substitute for platform-admin authorization.
  • Client-side-only permission enforcement.

Common questions

Can an Admin delete the last Owner?

No. Owner protection is transactional and prevents an ownerless workspace state.

Can a Billing member manage API keys?

No. Billing access is separate from technical key and destination management.

Does platform admin equal workspace Owner?

No. Platform administration and workspace roles are intentionally separate authorization boundaries.

Start with one narrow integration

Use one workspace key, one exact public host, and non-sensitive test traffic.
