Authorization
SkaleData uses a hybrid RBAC + ABAC authorization model:
- RBAC (Role-Based Access Control) — four org-level roles synced from Clerk determine what actions a user can perform.
- ABAC (Attribute-Based Access Control) — API keys use fine-grained scopes to restrict what programmatic clients can do.
How it works
Every API request is authenticated and then authorized:
- User sessions (Clerk JWT) — the org role from the JWT (o.rol) is checked against a minimum role requirement on each endpoint.
- API keys (sdk_...) — the key’s scopes list is checked against the required scope for the endpoint.
Roles follow a strict hierarchy: owner > admin > operator > viewer. If an endpoint requires operator, then admin and owner also have access.
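The two checks above composed into one default-deny decision, as an added example rather than SkaleData's own code. It assumes the Clerk JWT has already been signature-verified, that the role claim sits at claims["o"]["rol"], and uses placeholder scope strings, not real SkaleData scope names.

```python
# Added example (not SkaleData code): default-deny authorization for the
# hybrid RBAC + ABAC model. Assumed: JWT claims are already signature-
# verified, the Clerk role claim is at claims["o"]["rol"], and the scope
# strings used by callers are placeholders, not real SkaleData scope names.
from dataclasses import dataclass

# Strict hierarchy: owner > admin > operator > viewer (higher rank = more power).
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2, "owner": 3}


@dataclass(frozen=True)
class Endpoint:
    """Minimum org role (for sessions) and required scope (for API keys)."""
    min_role: str
    scope: str


@dataclass(frozen=True)
class ApiKey:
    key_id: str            # "sdk_..." prefix per the docs; values are constructed
    scopes: frozenset


def role_satisfies(actual: str, required: str) -> bool:
    """RBAC: `actual` outranks or equals `required`; unknown role names are denied."""
    if actual not in ROLE_RANK or required not in ROLE_RANK:
        return False
    return ROLE_RANK[actual] >= ROLE_RANK[required]


def authorize_session(claims: dict, endpoint: Endpoint) -> bool:
    """Clerk JWT path: compare o.rol against the endpoint's minimum role."""
    org = claims.get("o")
    role = org.get("rol") if isinstance(org, dict) else None
    return isinstance(role, str) and role_satisfies(role, endpoint.min_role)


def authorize_api_key(key: ApiKey, endpoint: Endpoint) -> bool:
    """API key path: exact scope match; the role hierarchy does not apply to keys."""
    return endpoint.scope in key.scopes


def authorize(principal, endpoint: Endpoint) -> bool:
    """Dispatch on principal type; anything unrecognised is denied."""
    if isinstance(principal, dict):
        return authorize_session(principal, endpoint)
    if isinstance(principal, ApiKey):
        return authorize_api_key(principal, endpoint)
    return False
```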
Quick reference
| Role | Can do |
|---|---|
| Owner | Everything, including billing and org settings |
| Admin | Manage clusters, clouds, node pools, API keys, GitHub integration |
| Operator | Deploy images, sync DAGs, restart apps, terminal access |
| Viewer | Read-only access to all resources |
See Roles & Permissions for the full permission matrix and API Key Scopes for scope details.