Glossary

Definitions for the core terms used across the starter: workspace, capability, grant, sensitive action, super admin, and more.

Shared vocabulary used throughout these docs and the codebase.

| Term | Definition |
| --- | --- |
| Workspace | The user-facing name for an organization — the tenant that owns members, billing, and data. "Workspace" in the UI and "organization" in Better Auth/Convex refer to the same entity. See Workspaces. |
| Organization | The backend term for a workspace, provided by the Better Auth organization plugin. |
| Personal mode | A single-tenant configuration where each user has one implicit workspace and team UI is hidden. See Switching to Personal Mode. |
| Role | A member's level within a workspace (owner, admin, member, viewer) that decides which actions they may take. See Roles and Permissions. |
| App permission key | A product-facing authorization check (e.g. organization.update) enforced server-side. See Permissions. |
| Capability | Something a workspace has paid for or been granted (e.g. feature.pro), independent of role. See Capabilities. |
| Grant | A record that a workspace (or user) has access to something — either a billing entitlement or a short-lived sensitive-action approval. See Entitlements and Grants. |
| Plan | An entry in the provider-neutral billing catalog (free, pro_*) that bundles capabilities. See Billing Plans. |
| Sensitive action | A dangerous operation gated by step-up verification after login. See Sensitive Action Protection. |
| Step-up verification | Re-proving identity (fresh session, password, or email code) at the moment of a sensitive action. |
| Super admin | A platform operator (env allow-listed) who can reach /admin, distinct from a workspace owner. See Super-Admin Access. |
| Audit event | A first-party record of a security-relevant action in audit_events. See Audit Log. |
| Better Auth | The authentication library powering sign-in, sessions, organizations, and 2FA. See Authentication. |
| Convex | The reactive backend platform that hosts the database, functions, and scheduled jobs. See Convex Backend. |
| Provider | The billing service in use — Stripe, Polar, or Lemon Squeezy — selected with BILLING_PROVIDER. |
| Entitlement | The resolved set of capabilities a workspace currently has, derived from its active grants. |