
Permissions

The full list of app permission keys, the Better Auth statement each requires, the capabilities it needs, and any resource policy it enforces.

App permission keys are the product-facing authorization checks enforced by requireAppPermission / canAppPermission in Convex. Each key maps a business action to its allowed roles, a Better Auth statement, optional billing capabilities, and an optional resource policy. The single source of truth is packages/backend/convex/permissions/policy.ts.

For the concepts and how to add one, see Roles and Permissions.

App permission keys

| Permission | Roles | Better Auth statement | Capabilities | Resource policy |
| --- | --- | --- | --- | --- |
| organization.read | owner, admin, member, viewer | organization: read | | |
| organization.update | owner, admin | organization: update | | organizationMustBeActive |
| organization.delete | owner | organization: delete | | organizationMustBeActive |
| member.read | owner, admin, member, viewer | member: read | | |
| invitation.read | owner, admin | invitation: read | | |
| invitation.cancel | owner, admin | invitation: cancel | | |
| member.invite | owner, admin | member: create, invitation: create | workspace.members.invite | memberLimitNotExceeded |
| member.updateRole | owner, admin | member: update | | cannotModifyOwnerUnlessOwner |
| member.remove | owner, admin | member: delete | | cannotRemoveLastOwner |
| billing.read | owner, admin | billing: read | | |
| billing.manage | owner | billing: manage | | |
| feature.pro.use | owner, admin, member | feature: pro.use | feature.pro | |
| workspace.records.read | owner, admin, member, viewer | workspaceRecord: read | | |
| workspace.records.create | owner, admin | workspaceRecord: create | | |
| workspace.records.update | owner, admin | workspaceRecord: update | | |
| workspace.records.delete | owner, admin | workspaceRecord: delete | | |

Resource policies

Context-aware checks applied on top of the role check (defined in permissions/resourcePolicies.ts):

| Policy | Guards against |
| --- | --- |
| organizationMustBeActive | Acting on a suspended or deleted workspace. |
| memberLimitNotExceeded | Inviting past the workspace's plan member limit. |
| cannotModifyOwnerUnlessOwner | An admin changing an owner's role. |
| cannotRemoveLastOwner | Removing the only owner of a workspace. |
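
The layering described above (role check first, then the resource policy on top), as an added TypeScript sketch that is not the project's code. The `Ctx` shape, the `check` function and the denial strings are assumptions for illustration, and the Better Auth statement and capability checks are left out.

```typescript
// Added sketch: NOT the contents of policy.ts or resourcePolicies.ts.
// Type names, the Ctx shape and check() are assumptions for illustration.
type Role = "owner" | "admin" | "member" | "viewer";
type Ctx = {
  actorRole: Role;
  orgActive: boolean;
  targetRole?: Role;   // role of the member being changed or removed
  ownerCount?: number; // owners currently in the workspace
};
type Policy = (ctx: Ctx) => string | null; // null = allowed, string = denial reason

const resourcePolicies: Record<string, Policy> = {
  organizationMustBeActive: (c) => (c.orgActive ? null : "organization is not active"),
  cannotModifyOwnerUnlessOwner: (c) =>
    c.targetRole === "owner" && c.actorRole !== "owner" ? "only an owner may modify an owner" : null,
  cannotRemoveLastOwner: (c) =>
    c.targetRole === "owner" && (c.ownerCount ?? 0) <= 1 ? "cannot remove the last owner" : null,
};

// Three rows copied from the app permission keys table.
const permissions: Record<string, { roles: Role[]; policy?: string }> = {
  "organization.update": { roles: ["owner", "admin"], policy: "organizationMustBeActive" },
  "member.updateRole": { roles: ["owner", "admin"], policy: "cannotModifyOwnerUnlessOwner" },
  "member.remove": { roles: ["owner", "admin"], policy: "cannotRemoveLastOwner" },
};

function check(key: string, ctx: Ctx): { allowed: boolean; reason?: string } {
  const entry = permissions[key];
  if (!entry) return { allowed: false, reason: "unknown permission key" }; // fail closed
  // Layer 1: the actor's role must be listed for this key.
  if (!entry.roles.includes(ctx.actorRole)) return { allowed: false, reason: "role not allowed" };
  // Layer 2: the context-aware resource policy, if the key has one.
  if (entry.policy) {
    const policy = resourcePolicies[entry.policy];
    if (!policy) return { allowed: false, reason: "unknown resource policy" }; // fail closed
    const denial = policy(ctx);
    if (denial) return { allowed: false, reason: denial };
  }
  return { allowed: true };
}
```

An admin passes the role check for `member.updateRole` but is still denied when the target is an owner, which is the case the role list alone cannot express.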

Roles

The catalog derives the owner, admin, member, and viewer Better Auth roles in auth/organizationAccess.ts. See the Roles and Permissions table.
