Reference
Glossary
Definitions for the core terms used across the starter: workspace, capability, grant, sensitive action, super admin, and more.
Shared vocabulary used throughout these docs and the codebase.
| Term | Definition |
|---|---|
| Workspace | The user-facing name for an organization — the tenant that owns members, billing, and data. "Workspace" in the UI and "organization" in Better Auth/Convex refer to the same entity. See Workspaces. |
| Organization | The backend term for a workspace, provided by the Better Auth organization plugin. |
| Personal mode | A single-tenant configuration where each user has one implicit workspace and team UI is hidden. See Switching to Personal Mode. |
| Role | A member's level within a workspace (owner, admin, member, viewer) that decides which actions they may take. See Roles and Permissions. |
| App permission key | A product-facing authorization check (e.g. organization.update) enforced server-side. See Permissions. |
| Capability | Something a workspace has paid for or been granted (e.g. feature.pro), independent of role. See Capabilities. |
| Grant | A record that a workspace (or user) has access to something — either a billing entitlement or a short-lived sensitive-action approval. See Entitlements and Grants. |
| Plan | An entry in the provider-neutral billing catalog (free, pro_*) that bundles capabilities. See Billing Plans. |
| Sensitive action | A dangerous operation gated by step-up verification after login. See Sensitive Action Protection. |
| Step-up verification | Re-proving identity (fresh session, password, or email code) at the moment of a sensitive action. |
| Super admin | A platform operator (env allow-listed) who can reach /admin, distinct from a workspace owner. See Super-Admin Access. |
| Audit event | A first-party record of a security-relevant action in audit_events. See Audit Log. |
| Better Auth | The authentication library powering sign-in, sessions, organizations, and 2FA. See Authentication. |
| Convex | The reactive backend platform that hosts the database, functions, and scheduled jobs. See Convex Backend. |
| Provider | The billing service in use — Stripe, Polar, or Lemon Squeezy — selected with BILLING_PROVIDER. |
| Entitlement | The resolved set of capabilities a workspace currently has, derived from its active grants. |