RBAC & Licensing
Roles
Builder has a hierarchical RBAC system with five built-in roles:
| Role | Description |
|---|---|
viewer | Read-only access to projects and outputs |
developer | Can run builds and use the IDE |
lead | Developer + approve promotions, manage team members |
admin | Lead + manage users, roles, and platform config |
super_admin | Full access including licensing and system config |
Roles inherit downward — admin has all lead permissions, lead has all developer permissions, and so on.
Managing users
bash
# List users
GET /api/admin/users?role=developer
# Create a user
POST /api/admin/users
{ "email": "dev@example.com", "role": "developer" }
# Update role
PATCH /api/admin/users/{user_id}
{ "role": "lead" }
# Deactivate
DELETE /api/admin/users/{user_id}Custom roles
bash
POST /api/admin/roles
{
"name": "qa-engineer",
"description": "Can run builds and view quality reports but cannot promote",
"permissions": ["build:run", "build:view", "quality:view"]
}API keys
Users can generate API keys for CI/CD and programmatic access:
bash
POST /api/admin/api-keys
{ "name": "ci-pipeline", "role": "developer", "expires_at": "2027-01-01" }Include the key as a Bearer token: Authorization: Bearer pk_...
Licensing tiers
| Tier | Pipeline runs/hr | Copilot req/min | Production deploys |
|---|---|---|---|
| Community | 5 | 20 | ❌ |
| Professional | 50 | 120 | ✅ |
| Enterprise | Unlimited | Unlimited | ✅ |
bash
# Check current tier and limits
GET /api/licensing/usage-limits
# Check if a feature is enabled
GET /api/licensing/check-feature?feature=production_deploy
# Check if you can deploy to production
GET /api/licensing/can-deploy