Role-Based Access Control

Govern AI access from org to key

Control exactly who can use which models, how much they can spend, and for how long, with organization roles, project roles, and permission-aware API keys built into FastRouter.

Access overview

Organization: FastRouter AI (Owner)
  • Production: Project Admin · 8 keys · $2k budget
  • Sandbox: Project Member · 3 keys · $200 budget

Key sk-fr••••4f2a (Production · scoped user key): $200/mo · 60 RPM · 4 models · 30d

Why FastRouter RBAC

Governance that maps to how AI teams build

Set access once at the organization level, delegate to project admins, and let builders move fast inside safe, scoped boundaries.

Two-tier role model

Organization Owners and Members pair with Project Admins and Project Members, so access maps to how your teams actually work.

Permission-aware API keys

Every key is tied to a user and inherits their project permissions: self-service for builders, fully governed for admins.

Layered spend & rate controls

Set budgets, TPM, and RPM at the project level, then add tighter caps, expiry, and logging rules on each key.

Access hierarchy

Permissions cascade from org to project to key

FastRouter separates company-wide ownership, project-level collaboration, and runtime key controls so every permission has a clear, predictable boundary.

Organization

Company-wide control

Owner · Member
  • Owners manage billing, members, projects, keys, settings, and integrations.
  • Members only operate inside projects they are invited to.

Project

Team & workload boundary

Project Admin · Project Member
  • Admins manage project settings, members, and API keys.
  • Members create personal keys within granted permissions.

User API key

Scoped runtime access

Models · Budget · Rate limits · Expiry
  • Keys inherit the creator's project permissions.
  • Each key is capped by spend, TPM, RPM, expiry, and logging.

Organization roles

Owners govern, members operate

Organization-level roles draw the outer boundary of access. Owners run the control plane; members are limited to the projects they're invited to.

Owner

Full administrative control over billing, members, projects, API keys, settings, and integrations.

Member

Scoped strictly to assigned projects, with no access to organization settings, billing, or user management.

Multiple owners

Add more than one owner for redundancy and shared administration as your team grows.

Projects

Give every team and workload its own boundary

Each project is independently configurable, with its own models, rate limits, budget, members, and keys, so workloads stay cleanly separated.

Project Admin

Manage project settings, invite members, and administer every API key inside the project.

Project Member

Create and manage personal API keys based on the permissions they've been granted.

Project guardrails

Set accessible models, tokens-per-minute, requests-per-minute, and an optional budget cap per project.

Production (Active)
  • Models: GPT-5.5, Claude Opus 4.8, +6
  • Tokens / min: 120,000
  • Requests / min: 600
  • Monthly budget: $1,240 / $2,000

Keys & settings

Every key is scoped to a person and a policy

API keys are user-linked and permission-aware. Builders self-serve while admins keep budgets, model access, limits, and logging aligned to risk.

Budget & reset

Cap maximum spend per key with daily, weekly, or monthly resets, or leave it unlimited.

Rate & model limits

Restrict accessible models and set per-key TPM and RPM that always stay within the project caps.

Expiry & private logging

Schedule automatic key expiration and disable content logging for keys that handle sensitive data.

New user API key
  • Max spend: $200 / monthly
  • TPM: 20k
  • RPM: 60
  • Models: 4 selected
  • Expires: in 30 days
  • Disable content logging

Permissions matrix

Exactly who can do what

A clear breakdown of permissions across projects, API keys, and organization-level controls, so there's never any ambiguity about who can do what.

Feature comparison matrix

| Permission | Org Owner | Project Admin (+ Org member) | Project Member (+ Org member) | Org Member (No project) |
|---|---|---|---|---|
| Projects | | | | |
| Create projects | Included | Not included | Not included | Not included |
| View project | Included | Included (own only) | Included (own only) | Not included |
| Edit project settings | Included | Included | Not included | Not included |
| Delete project | Included | Not included | Not included | Not included |
| Project members | | | | |
| View project members | Included | Included | Not included | Not included |
| Add project members | Included | Included | Not included | Not included |
| Edit member roles | Included | Included | Not included | Not included |
| API keys | | | | |
| Create & manage own keys | Included | Included | Included | Not included |
| Manage all keys in a project | Included | Included | Not included | Not included |
| Manage keys across all projects | Included | Not included | Not included | Not included |
| Organization controls | | | | |
| Billing & credits | Included | Not included | Not included | Not included |
| Manage organization members | Included | Not included | Not included | Not included |
| External keys (BYOK) | Included | Not included | Not included | Not included |
| Virtual models | Included | Not included | Not included | Not included |
| MCP servers | Included | Not included | Not included | Not included |
| Prompt management | Included | Not included | Not included | Not included |

Organization Owners are automatically Project Admins on every project. “Own only” = projects the member has been added to.

Built for AI operations

Make the secure path the easy path

RBAC works best when it removes friction. FastRouter combines org ownership, project membership, and key-level controls so teams ship without loose shared credentials.

Separate every environment

Isolate production, staging, and experimental traffic into distinct projects, with no shared credentials across workloads.

Make spend predictable

Give finance project-level budgets and per-key caps while engineering keeps day-to-day velocity.

Onboard contractors safely

Invite temporary teammates with project-only access and API keys that expire automatically.

Govern agents & integrations

Keep agent, MCP, and application workflows inside approved project permissions and model scopes.

FAQ

Answers for security & platform teams

FastRouter has two organization-level roles (Owner and Member) and two project-level roles (Project Admin and Project Member). Organization Members get their effective permissions from the project roles they're assigned, which keeps access granular without complex policy configuration.

Owners have full administrative control: managing billing and subscriptions, adding or removing members, accessing and administering every project, creating keys across the organization, and configuring global settings and integrations. Members are limited to the projects they're invited to and cannot change organization-wide settings, billing, or user access.

A Project Admin manages the project's settings, members, and all of its API keys. A Project Member can create and manage their own personal API keys based on the permissions they've been granted, but cannot edit project settings or manage other members. Organization Owners are automatically Project Admins on every project.

No. Organization Members operate strictly within the projects they're explicitly invited to and only inherit their assigned project permissions. A member with no access to a given project cannot view it, its members, or its keys.

Projects set the outer boundary with accessible models, tokens-per-minute, requests-per-minute, and an optional budget cap. Individual user keys can then add their own tighter limits (maximum spend with daily, weekly, or monthly resets, plus TPM and RPM) that always stay within the parent project's caps.
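The containment rule in this answer, modelled as an added Python example for auditing key policies; it is not FastRouter code or its API, and the `Limits` type, field names and `model-N` names are assumptions. The caps are the ones shown in the Production and new-key panels on this page.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Limits:
    """Caps at one layer (project or key); None means no cap set at this layer."""
    models: frozenset
    tpm: Optional[int]
    rpm: Optional[int]
    budget_usd: Optional[float]

def _tightest(parent, child):
    """Smaller of two caps, treating None as unlimited."""
    caps = [c for c in (parent, child) if c is not None]
    return min(caps) if caps else None

def effective_limits(project: Limits, key: Limits) -> Limits:
    """What a key can actually do: never more than its parent project allows."""
    return Limits(
        models=key.models & project.models,
        tpm=_tightest(project.tpm, key.tpm),
        rpm=_tightest(project.rpm, key.rpm),
        budget_usd=_tightest(project.budget_usd, key.budget_usd),
    )

def violations(project: Limits, key: Limits) -> list:
    """Fields where a requested key policy asks for more than the project grants."""
    found = []
    extra = key.models - project.models
    if extra:
        found.append("models outside project: " + ", ".join(sorted(extra)))
    for name in ("tpm", "rpm", "budget_usd"):
        p, k = getattr(project, name), getattr(key, name)
        # An unset key cap is not a violation: the project cap still applies.
        if p is not None and k is not None and k > p:
            found.append(f"{name}: key={k} exceeds project cap {p}")
    return found

# Constructed sample data: 8 placeholder models, caps from the page's panels.
PRODUCTION = Limits(frozenset(f"model-{i}" for i in range(1, 9)), 120_000, 600, 2000)
PAGE_KEY = Limits(frozenset(f"model-{i}" for i in range(1, 5)), 20_000, 60, 200)

if __name__ == "__main__":
    print(violations(PRODUCTION, PAGE_KEY))        # empty list: key fits the project
    print(effective_limits(PRODUCTION, PAGE_KEY))
```
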

Organization-wide setup stays with Owners: billing and credits, managing organization members, external provider keys (BYOK), virtual models, MCP servers, and prompt management. Project Admins and Project Members work inside their projects, managing project settings, members, and API keys, but can't change these organization-level controls.

Set the right permissions from day one

Spin up projects, invite your team with scoped roles, and issue governed keys with budgets, limits, and expiry in minutes.