Skip to contentSkip to navigation

Roles

Use built-in organisation roles and permission checks.

Overview

Own Auth ships with three built-in roles:

RoleDescription
ownerFull control. Can manage members, change roles, update the organisation, and delete it.
adminCan manage members and update the organisation. Cannot change roles or delete the organisation.
memberBasic access. Cannot manage members or update the organisation.

These roles are fixed in the MVP. Custom roles with granular permissions are planned for a future release.

What each role can do

PermissionOwnerAdminMember
Update organisationYesYesNo
Delete organisationYesNoNo
Invite membersYesYesNo
Remove membersYesYesNo
Change member rolesYesNoNo
View membersYesYesYes
View audit eventsYesYesNo
Manage sessionsYesYesNo
Manage API keysYesYesNo

Only owners can change roles or remove another owner. Admins can invite and remove non-owner members. The last owner cannot be demoted or removed.

Own Auth's organisation methods check these permissions internally. Use the helpers below when protecting organisation-specific actions in the surrounding application.

Check A Permission

Use checkPermission when the application handles a denied action itself.

ts
const allowed = await auth.checkPermission(
  organisationId,
  currentUser.id,
  "invite_members",
);

Require A Permission

Use requirePermission when the action must stop immediately. It returns the active membership when allowed and throws permission_denied otherwise.

ts
const membership = await auth.requirePermission(
  organisationId,
  currentUser.id,
  "manage_api_keys",
);

Permission checks require an active membership. Removed or unknown members are denied.

Next step

Learn about Invites to bring new members in by email, or add API keys for programmatic access.