Permissions
The full list of app permission keys, the Better Auth statement each requires, the capabilities it needs, and any resource policy it enforces.
App permission keys are the product-facing authorization checks enforced by
requireAppPermission / canAppPermission in Convex. Each key maps a business
action to its allowed roles, a Better Auth statement, optional billing
capabilities, and an optional resource policy. The
single source of truth is packages/backend/convex/permissions/policy.ts.
For the concepts and how to add one, see Roles and Permissions.
App permission keys
| Permission | Roles | Better Auth statement | Capabilities | Resource policy |
|---|---|---|---|---|
| organization.read | owner, admin, member, viewer | organization: read | — | — |
| organization.update | owner, admin | organization: update | — | organizationMustBeActive |
| organization.delete | owner | organization: delete | — | organizationMustBeActive |
| member.read | owner, admin, member, viewer | member: read | — | — |
| invitation.read | owner, admin | invitation: read | — | — |
| invitation.cancel | owner, admin | invitation: cancel | — | — |
| member.invite | owner, admin | member: create, invitation: create | workspace.members.invite | memberLimitNotExceeded |
| member.updateRole | owner, admin | member: update | — | cannotModifyOwnerUnlessOwner |
| member.remove | owner, admin | member: delete | — | cannotRemoveLastOwner |
| billing.read | owner, admin | billing: read | — | — |
| billing.manage | owner | billing: manage | — | — |
| feature.pro.use | owner, admin, member | feature: pro.use | feature.pro | — |
| workspace.records.read | owner, admin, member, viewer | workspaceRecord: read | — | — |
| workspace.records.create | owner, admin | workspaceRecord: create | — | — |
| workspace.records.update | owner, admin | workspaceRecord: update | — | — |
| workspace.records.delete | owner, admin | workspaceRecord: delete | — | — |
Resource policies
Context-aware checks applied on top of the role check (defined in
permissions/resourcePolicies.ts):
| Policy | Guards against |
|---|---|
| organizationMustBeActive | Acting on a suspended or deleted workspace. |
| memberLimitNotExceeded | Inviting past the workspace's plan member limit. |
| cannotModifyOwnerUnlessOwner | An admin changing an owner's role. |
| cannotRemoveLastOwner | Removing the only owner of a workspace. |
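The following TypeScript is an added example, not the project's policy.ts or resourcePolicies.ts. It transcribes a subset of the key table above into a catalog, implements the four resource policies, and evaluates a key the way the two tables describe: the role check first, then the billing capabilities the key needs, then the resource policy on top. The data shapes (Workspace, Membership, PolicyContext), the Decision type, the check ordering, and the idea that an unknown key is denied are this example's assumptions; in the real system the Better Auth statement is evaluated by Better Auth, so here it is carried as data only.

```typescript
// Added illustrative model of the permission catalog. Not the project's
// policy.ts / resourcePolicies.ts; all shapes below are assumptions.

type Role = "owner" | "admin" | "member" | "viewer";

interface Workspace {
  status: "active" | "suspended" | "deleted";
  memberLimit: number;      // plan limit (assumed to come from billing)
  memberCount: number;      // members counted against that limit
  capabilities: string[];   // billing capabilities granted to the plan
}

interface Membership { userId: string; role: Role; }

// `target` is the member an action is aimed at (updateRole, remove).
interface PolicyContext {
  actor: Membership;
  workspace: Workspace;
  members: Membership[];
  target?: Membership;
}

// A policy returns null to allow, otherwise a denial reason.
type ResourcePolicy = (ctx: PolicyContext) => string | null;
type PolicyName = "organizationMustBeActive" | "memberLimitNotExceeded"
  | "cannotModifyOwnerUnlessOwner" | "cannotRemoveLastOwner";

const resourcePolicies: Record<PolicyName, ResourcePolicy> = {
  organizationMustBeActive: ({ workspace }) =>
    workspace.status === "active" ? null : `workspace is ${workspace.status}`,
  memberLimitNotExceeded: ({ workspace }) =>
    workspace.memberCount < workspace.memberLimit ? null : "plan member limit reached",
  cannotModifyOwnerUnlessOwner: ({ actor, target }) =>
    target?.role === "owner" && actor.role !== "owner"
      ? "only an owner may change an owner's role" : null,
  cannotRemoveLastOwner: ({ members, target }) => {
    if (target?.role !== "owner") return null;
    const owners = members.filter((m) => m.role === "owner").length;
    return owners > 1 ? null : "cannot remove the last owner";
  },
};

interface PermissionEntry {
  roles: Role[];
  statement: Record<string, string[]>;  // Better Auth resource -> actions
  capabilities?: string[];
  resourcePolicy?: PolicyName;
}

// Subset of the catalog, transcribed from the table above.
const policy: Record<string, PermissionEntry> = {
  "organization.update": { roles: ["owner", "admin"],
    statement: { organization: ["update"] }, resourcePolicy: "organizationMustBeActive" },
  "member.invite": { roles: ["owner", "admin"],
    statement: { member: ["create"], invitation: ["create"] },
    capabilities: ["workspace.members.invite"], resourcePolicy: "memberLimitNotExceeded" },
  "member.updateRole": { roles: ["owner", "admin"],
    statement: { member: ["update"] }, resourcePolicy: "cannotModifyOwnerUnlessOwner" },
  "member.remove": { roles: ["owner", "admin"],
    statement: { member: ["delete"] }, resourcePolicy: "cannotRemoveLastOwner" },
  "feature.pro.use": { roles: ["owner", "admin", "member"],
    statement: { feature: ["pro.use"] }, capabilities: ["feature.pro"] },
};

interface Decision { allowed: boolean; reason?: string; }

// Role, then capabilities, then resource policy. A key missing from the
// catalog is denied, so a typo fails closed rather than open.
function canAppPermission(key: string, ctx: PolicyContext): Decision {
  const entry = policy[key];
  if (!entry) return { allowed: false, reason: `unknown permission ${key}` };
  if (!entry.roles.includes(ctx.actor.role)) {
    return { allowed: false, reason: `role ${ctx.actor.role} lacks ${key}` };
  }
  for (const cap of entry.capabilities ?? []) {
    if (!ctx.workspace.capabilities.includes(cap)) {
      return { allowed: false, reason: `plan lacks capability ${cap}` };
    }
  }
  if (entry.resourcePolicy) {
    const denial = resourcePolicies[entry.resourcePolicy](ctx);
    if (denial) return { allowed: false, reason: denial };
  }
  return { allowed: true };
}

function requireAppPermission(key: string, ctx: PolicyContext): void {
  const d = canAppPermission(key, ctx);
  if (!d.allowed) throw new Error(`forbidden: ${d.reason}`);
}

// Constructed sample: one owner, one admin, plan allows 3 members.
const owner: Membership = { userId: "u1", role: "owner" };
const admin: Membership = { userId: "u2", role: "admin" };
const sampleWorkspace: Workspace = { status: "active", memberLimit: 3,
  memberCount: 2, capabilities: ["workspace.members.invite"] };
const sampleCtx = (actor: Membership, target?: Membership): PolicyContext =>
  ({ actor, workspace: sampleWorkspace, members: [owner, admin], target });
```

With this sample, `canAppPermission("member.updateRole", sampleCtx(admin, owner))` is denied by cannotModifyOwnerUnlessOwner even though the admin role is listed for the key, and `canAppPermission("member.remove", sampleCtx(owner, owner))` is denied because the owner is the only one. Lowering the plan's capabilities or raising memberCount to the limit flips member.invite and feature.pro.use from allowed to denied without any role change, which is the point of separating capabilities and resource policies from the role list.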
Roles
The catalog derives the owner, admin, member, and viewer Better Auth
roles in auth/organizationAccess.ts. See the
Roles and Permissions table.