documenso-enterprise-rbac
Configure Documenso enterprise role-based access control and team management. Use when implementing team permissions, configuring organizational roles, or setting up enterprise access controls. Trigger with phrases like "documenso RBAC", "documenso teams", "documenso permissions", "documenso enterprise", "documenso roles".
Install
mkdir -p .claude/skills/documenso-enterprise-rbac && curl -L -o skill.zip "https://mcp.directory/api/skills/download/4763" && unzip -o skill.zip -d .claude/skills/documenso-enterprise-rbac && rm skill.zipInstalls to .claude/skills/documenso-enterprise-rbac
About this skill
Documenso Enterprise RBAC
Overview
Configure team-based access control and enterprise features in Documenso. The Team plan enables multi-user collaboration with shared documents. Enterprise adds SSO (OIDC), audit logging, and organization-level management.
Prerequisites
- Documenso Team or Enterprise plan
- Understanding of RBAC concepts
- For SSO: OIDC-compatible identity provider (Okta, Azure AD, Google Workspace, Auth0)
Documenso Team Model
Organization
├── Team A
│ ├── Owner (full control)
│ ├── Admin (manage members, settings)
│ └── Member (create, view, sign team documents)
├── Team B
│ └── ...
└── Personal Accounts (separate from teams)
Key concepts:
- Teams are separate from personal accounts -- team documents are owned by the team
- Team API keys access all team documents; personal keys only access personal documents
- Each team member can have Owner, Admin, or Member role
- Unlimited teams and users on Team/Enterprise plans (early adopter pricing)
Instructions
Step 1: Team API Key Scoping
import { Documenso } from "@documenso/sdk-typescript";
// Personal key: only YOUR documents
const personalClient = new Documenso({
apiKey: process.env.DOCUMENSO_PERSONAL_KEY!,
});
// Team key: all documents in the team
const teamClient = new Documenso({
apiKey: process.env.DOCUMENSO_TEAM_KEY!,
});
// Common mistake: using personal key for team operations
// Results in 403 Forbidden on team resources
Step 2: Application-Level RBAC
Documenso handles team membership internally. For finer-grained control in your app, implement an authorization layer:
// src/auth/documenso-rbac.ts
type Role = "viewer" | "editor" | "admin" | "owner";
interface TeamMember {
userId: string;
teamId: string;
role: Role;
}
const PERMISSIONS: Record<Role, string[]> = {
viewer: ["documents:read"],
editor: ["documents:read", "documents:create", "documents:send"],
admin: ["documents:read", "documents:create", "documents:send", "documents:delete", "members:manage"],
owner: ["documents:read", "documents:create", "documents:send", "documents:delete", "members:manage", "team:settings", "team:billing"],
};
function hasPermission(member: TeamMember, permission: string): boolean {
return PERMISSIONS[member.role]?.includes(permission) ?? false;
}
// Middleware
function requirePermission(permission: string) {
return (req: Request, res: Response, next: NextFunction) => {
const member = req.teamMember; // Set by auth middleware
if (!hasPermission(member, permission)) {
return res.status(403).json({
error: "Forbidden",
required: permission,
userRole: member.role,
});
}
next();
};
}
// Usage
app.delete("/api/documents/:id",
requirePermission("documents:delete"),
async (req, res) => {
await teamClient.documents.deleteV0(parseInt(req.params.id));
res.json({ deleted: true });
}
);
Step 3: Enterprise SSO Configuration
Documenso Enterprise supports SSO via OIDC. Configuration is done in the admin panel:
SSO Setup (Enterprise only):
1. Navigate to Organization Settings > SSO
2. Select your OIDC provider
3. Enter:
- Client ID (from your IdP)
- Client Secret (from your IdP)
- Issuer URL (e.g., https://login.microsoftonline.com/{tenant}/v2.0)
4. Configure redirect URI in your IdP:
https://sign.yourcompany.com/api/auth/callback/oidc
5. Test with a non-admin user first
Supported providers:
- Google Workspace
- Microsoft Entra ID (Azure AD)
- Okta
- Auth0
- Any OIDC-compliant provider
Once enabled, team members sign in via:
https://sign.yourcompany.com/sso/{organization-slug}
Step 4: Audit Logging (Enterprise)
Enterprise includes built-in audit logging. For additional application-level auditing:
// src/audit/documenso-audit.ts
interface AuditEntry {
timestamp: string;
userId: string;
teamId: string;
action: string;
resourceType: "document" | "template" | "team" | "member";
resourceId: string;
metadata: Record<string, any>;
}
async function auditLog(entry: Omit<AuditEntry, "timestamp">) {
const log: AuditEntry = {
...entry,
timestamp: new Date().toISOString(),
};
// Write to your audit store (database, CloudWatch, etc.)
console.log(JSON.stringify(log));
// Example: document sent
// { action: "document.send", resourceType: "document",
// resourceId: "42", userId: "user_123", teamId: "team_456" }
}
// Wrap Documenso operations with audit logging
async function sendDocumentAudited(
client: Documenso,
documentId: number,
userId: string,
teamId: string
) {
await client.documents.sendV0(documentId);
await auditLog({
userId,
teamId,
action: "document.send",
resourceType: "document",
resourceId: String(documentId),
metadata: { status: "PENDING" },
});
}
Step 5: Multi-Tenant Architecture
// src/tenant/documenso-tenant.ts
// Each tenant maps to a Documenso team with its own API key
interface Tenant {
id: string;
name: string;
documensoTeamApiKey: string; // Encrypted in database
}
class TenantDocumensoService {
private clients = new Map<string, Documenso>();
getClient(tenant: Tenant): Documenso {
if (!this.clients.has(tenant.id)) {
this.clients.set(
tenant.id,
new Documenso({ apiKey: tenant.documensoTeamApiKey })
);
}
return this.clients.get(tenant.id)!;
}
// Ensure tenant isolation — never cross-access
async getDocument(tenant: Tenant, documentId: number) {
const client = this.getClient(tenant);
return client.documents.getV0(documentId);
// Team API keys automatically scope to team documents
}
}
Permission Matrix
| Action | Member | Admin | Owner |
|---|---|---|---|
| View team documents | Yes | Yes | Yes |
| Create documents | Yes | Yes | Yes |
| Send for signing | Yes | Yes | Yes |
| Delete documents | No | Yes | Yes |
| Manage team members | No | Yes | Yes |
| Team settings / billing | No | No | Yes |
| Configure SSO | No | No | Yes |
Error Handling
| RBAC Issue | Cause | Solution |
|---|---|---|
| 403 Forbidden | Personal key on team resource | Use team-scoped API key |
| Cannot delete | Not Admin/Owner role | Request role upgrade from team Owner |
| SSO login fails | Wrong OIDC configuration | Verify Client ID, Secret, and Issuer URL |
| Tenant data leak | Wrong API key for tenant | Validate tenant isolation in tests |
Resources
Next Steps
For migration strategies, see documenso-migration-deep-dive.
More by jeremylongshore
View all skills by jeremylongshore →You might also like
flutter-development
aj-geddes
Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.
drawio-diagrams-enhanced
jgtolentino
Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.
ui-ux-pro-max
nextlevelbuilder
"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."
godot
bfollington
This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.
nano-banana-pro
garg-aayush
Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.
fastapi-templates
wshobson
Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.
Related MCP Servers
Browse all servers
SlackPowerful MCP server for Slack with advanced API, message fetching, webhooks, and enterprise features. Robust Slack data
Azure AllSupercharge AI platforms with Azure MCP Server for seamless Azure API Management and resource automation. Public Preview
NetlifyEffortlessly manage Netlify projects with AI using the Netlify MCP Server—automate deployment, sites, and more via natur
Okta MCP ServerOfficial Okta MCP server for managing identity and access management through AI. Automate user provisioning, group manag
Docy (Documentation Access)Docy (Documentation Access) delivers real-time search and navigation of technical documentation without leaving your con
Windows ScreenshotsEasily access and manage Windows Screenshots from WSL2. List and retrieve screenshots with metadata, paths, or base64 co
Stay ahead of the MCP ecosystem
Get weekly updates on new skills and servers.