Access, Billing, and Limits
This guide documents how frontend RBAC, invitation access, subscription upgrades, and plan limits work in Sekuire Cloud.
Organization RBAC
Role-based access applies to invitation and billing workflows:
| Action | Owner | Admin | Member | Viewer |
|---|---|---|---|---|
| Invite users | Yes | Yes | No | No |
| Bulk invite users | Yes | Yes | No | No |
| Change workspace access for members | Yes | Yes | No | No |
| Start checkout / upgrade plan | Yes | Yes | No | No |
| Cancel subscription | Yes | Yes | No | No |
| Update enterprise retention policy | Yes | Yes | No | No |
| View subscription usage | Yes | Yes | Yes | Yes |
Frontend routes enforce this behavior in both apps:
/dashboard/invitations/dashboard/invitations/new/dashboard/invitations/bulk/dashboard/organizations/:orgId/invite/dashboard/organizations/:orgId/members/:memberId/workspaces/dashboard/enterprise/subscription
Backend APIs also enforce owner/admin checks for billing and admin checks for invitation management, so unauthorized UI bypasses are rejected server-side.
Invited Users and Workspace RBAC
Invitations can include:
workspace_accessworkspace_permissions(can_create_agents,can_modify_policies,can_invite_users,can_view_analytics)
On acceptance, workspace memberships are provisioned based on invitation metadata. This gives invited users scoped workspace access instead of broad organization-level access.
Plan Limits
Plan usage is surfaced in subscription UI and API for:
- Users
- Workspaces
- Managed agents
When limits are reached or a feature is outside the current tier, API returns HTTP 402 Payment Required with the stable contract:
errormessagecoderequired_planupgrade_url- optional
current_usage
Prompt/request volume is not currently billed or plan-capped at the subscription layer. For runtime control of request/prompt volume, use workspace policy rate limits.
Stripe Checkout and Upgrades
Upgrade flows use Stripe Checkout and are available from /dashboard/enterprise/subscription for owners/admins.
Required environment variables:
STRIPE_SECRET_KEYSTRIPE_WEBHOOK_SECRET
Required webhook endpoint:
POST /webhooks/stripe
Webhook signatures are validated against Stripe-Signature using HMAC-SHA256 and a 5-minute timestamp tolerance.
Go-Live Checklist
Before enabling paid upgrades in production:
- Set
STRIPE_SECRET_KEYandSTRIPE_WEBHOOK_SECRETin runtime. - Configure Stripe webhook endpoint to call
/webhooks/stripe. - Use production HTTPS success/cancel URLs for checkout redirect.
- Verify an end-to-end upgrade from Free -> Starter/Professional/Enterprise.
- Verify cancellation path and post-cancel UI state.
- Confirm plan-limit 402 behavior for Starter/Professional/Enterprise boundaries.