
RBAC


Role-Based Access Control for members, resources (permission keys), and roles. The same matrix applies to your web app (SDK), Transcodes Auth, and AI agents (transcodes-guard) — the backend is the authority.


Permission model

Each role has a matrix: resource key × CRUD action → level.

Level | Meaning             | SDK redirectToStepUp result
0     | Deny                | decision: 'deny'
1     | Allow               | decision: 'allow'
2     | Allow + step-up MFA | decision: 'stepup' → human verifies on Transcodes Auth

Actions (only these four): create · read · update · delete

When you add a resource in Console, every role gets defaults: read = allow (1), create / update / delete = allow + step-up (2).

New projects include a built-in system resource for platform admin operations (Console / MCP).

Free plan: up to 2 roles and 2 custom resources. Standard and Enterprise: unlimited roles and resources.


Console setup

  1. Open Transcodes Console → your project → Authentication Kit Cluster → RBAC.
  2. Resources — register keys your app uses (documents, billing, …). Keys: lowercase letters, digits, hyphen.
  3. Roles — create roles and set the permission matrix per resource × action.
  4. Members — assign each member a role.

Resource keys in code must match Console exactly.


Web app (SDK)

Before a sensitive action, call step-up with the same resource and action strings:

    const res = await transcodes.redirectToStepUp({
      resource: 'documents',
      action: 'delete',
    });
    const gate = res.payload[0];
    const ok =
      res.success &&
      (gate?.decision === 'allow' ||
        (gate?.decision === 'stepup' && gate?.status === 'verified'));
    if (ok) {
      // proceed
    }

See Step-up Auth for the full redirect flow.
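
A fail-closed way to wrap the step-up call above, added here as an example and not taken from the Transcodes SDK or its docs. The helper names and the injected `stepUp` parameter are assumptions; the response shape follows the snippet above.

```javascript
// Added example (not SDK code). Response shape { success, payload: [{ decision, status }] }
// is taken from the snippet on this page; everything else is hypothetical.

const ACTIONS = new Set(['create', 'read', 'update', 'delete']);
// Console rule for resource keys: lowercase letters, digits, hyphen.
const RESOURCE_KEY = /^[a-z0-9-]+$/;

// Reject requests that could never match a matrix entry registered in Console.
function validateRequest(resource, action) {
  if (typeof resource !== 'string' || !RESOURCE_KEY.test(resource)) {
    return { ok: false, reason: 'invalid resource key' };
  }
  if (!ACTIONS.has(action)) {
    return { ok: false, reason: 'invalid action' };
  }
  return { ok: true, reason: null };
}

// True only for 'allow', or for 'stepup' that was verified. Anything else
// (deny, unknown decision, missing payload, falsy success) counts as a denial.
function isAuthorized(res) {
  if (!res || !res.success || !Array.isArray(res.payload)) return false;
  const gate = res.payload[0];
  if (!gate || typeof gate !== 'object') return false;
  if (gate.decision === 'allow') return true;
  return gate.decision === 'stepup' && gate.status === 'verified';
}

// stepUp is injected (hypothetical parameter); in the app it would be
// (args) => transcodes.redirectToStepUp(args).
async function guarded(stepUp, resource, action, run) {
  const check = validateRequest(resource, action);
  if (!check.ok) throw new Error(check.reason);
  let res;
  try {
    res = await stepUp({ resource, action });
  } catch {
    res = null; // SDK or network failure: treat as deny
  }
  if (!isAuthorized(res)) throw new Error(`denied: ${resource}:${action}`);
  return run();
}
```

This only decides whether the client proceeds; as stated at the top of the page, the backend remains the authority for the actual operation.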


AI agents (transcodes-guard)

The agent acts as the member in its saved MAT. That member’s role controls which MCP tools are allowed, denied, or require step-up.

  • Save tokens via transcodes CLI — never paste into chat.
  • Use a dedicated low-privilege role (e.g. ai-operator) when possible.
  • Platform admin tools map to the system resource on the backend.

See AI Agent overview for install and MCP tools.

