cohere-enterprise-rbac
Configure Cohere enterprise API key management, role-based access, and org controls. Use when implementing multi-team API key management, per-team usage limits, or setting up organization-level controls for Cohere. Trigger with phrases like "cohere enterprise", "cohere RBAC", "cohere team keys", "cohere org management", "cohere access control".
Best use case
cohere-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configure Cohere enterprise API key management, role-based access, and org controls. Use when implementing multi-team API key management, per-team usage limits, or setting up organization-level controls for Cohere. Trigger with phrases like "cohere enterprise", "cohere RBAC", "cohere team keys", "cohere org management", "cohere access control".
Teams using cohere-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/cohere-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How cohere-enterprise-rbac Compares
| Feature / Agent | cohere-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure Cohere enterprise API key management, role-based access, and org controls. Use when implementing multi-team API key management, per-team usage limits, or setting up organization-level controls for Cohere. Trigger with phrases like "cohere enterprise", "cohere RBAC", "cohere team keys", "cohere org management", "cohere access control".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Cohere Enterprise RBAC
## Overview
Configure enterprise-grade access control for Cohere API v2 with multi-team API key management, per-team model/budget restrictions, and audit trails.
## Prerequisites
- Cohere production API keys
- Understanding of your team/service structure
- Secret management infrastructure
## Cohere Access Model
Cohere uses **API key-based** access control (no built-in RBAC or SSO). Enterprise patterns are implemented in your application layer.
| Cohere Feature | Availability |
|----------------|-------------|
| API key auth | All tiers |
| Multiple API keys | Via dashboard |
| Per-key rate limits | Production: 1000/min |
| Usage dashboard | dashboard.cohere.com |
| SSO/SAML | Not available (API key only) |
| Per-key scoping | Not available |
## Instructions
### Step 1: Multi-Team Key Strategy
```typescript
// Each team gets their own API key for tracking and revocation
interface TeamConfig {
name: string;
apiKeyEnvVar: string;
allowedModels: string[];
maxTokensPerCall: number;
dailyBudgetUSD: number;
}
const teamConfigs: Record<string, TeamConfig> = {
search: {
name: 'Search Team',
apiKeyEnvVar: 'CO_API_KEY_SEARCH',
allowedModels: ['embed-v4.0', 'rerank-v3.5', 'command-r-08-2024'],
maxTokensPerCall: 1000,
dailyBudgetUSD: 50,
},
chatbot: {
name: 'Chatbot Team',
apiKeyEnvVar: 'CO_API_KEY_CHATBOT',
allowedModels: ['command-a-03-2025', 'command-r7b-12-2024'],
maxTokensPerCall: 4096,
dailyBudgetUSD: 200,
},
ml: {
name: 'ML Team',
apiKeyEnvVar: 'CO_API_KEY_ML',
allowedModels: ['embed-v4.0', 'embed-multilingual-v3.0'],
maxTokensPerCall: 500,
dailyBudgetUSD: 100,
},
};
```
### Step 2: Team-Scoped Client Factory
```typescript
import { CohereClientV2 } from 'cohere-ai';
const clients = new Map<string, CohereClientV2>();
export function getCohereForTeam(teamId: string): CohereClientV2 {
if (!clients.has(teamId)) {
const config = teamConfigs[teamId];
if (!config) throw new Error(`Unknown team: ${teamId}`);
const apiKey = process.env[config.apiKeyEnvVar];
if (!apiKey) throw new Error(`${config.apiKeyEnvVar} not set for team ${teamId}`);
clients.set(teamId, new CohereClientV2({ token: apiKey }));
}
return clients.get(teamId)!;
}
```
### Step 3: Model Access Enforcement
```typescript
function enforceModelAccess(teamId: string, requestedModel: string): void {
const config = teamConfigs[teamId];
if (!config) throw new Error(`Unknown team: ${teamId}`);
if (!config.allowedModels.includes(requestedModel)) {
throw new Error(
`Team ${config.name} is not authorized to use model ${requestedModel}. ` +
`Allowed: ${config.allowedModels.join(', ')}`
);
}
}
// Enforced chat wrapper
export async function teamChat(
teamId: string,
message: string,
model: string
): Promise<string> {
enforceModelAccess(teamId, model);
const config = teamConfigs[teamId];
const cohere = getCohereForTeam(teamId);
const response = await cohere.chat({
model,
messages: [{ role: 'user', content: message }],
maxTokens: config.maxTokensPerCall,
});
return response.message?.content?.[0]?.text ?? '';
}
```
### Step 4: Per-Team Budget Enforcement
```typescript
class TeamBudgetTracker {
private dailySpend = new Map<string, number>();
private lastReset = new Date();
track(teamId: string, tokens: { input: number; output: number }): void {
// Reset daily at midnight
const now = new Date();
if (now.getDate() !== this.lastReset.getDate()) {
this.dailySpend.clear();
this.lastReset = now;
}
const current = this.dailySpend.get(teamId) ?? 0;
// Rough cost estimate per 1M tokens (check cohere.com/pricing)
const cost = (tokens.input / 1_000_000) * 0.5 + (tokens.output / 1_000_000) * 1.5;
this.dailySpend.set(teamId, current + cost);
}
canProceed(teamId: string): boolean {
const config = teamConfigs[teamId];
if (!config) return false;
const spent = this.dailySpend.get(teamId) ?? 0;
return spent < config.dailyBudgetUSD;
}
getSpend(teamId: string): number {
return this.dailySpend.get(teamId) ?? 0;
}
}
const budgetTracker = new TeamBudgetTracker();
// Budget-enforced call
export async function budgetedChat(teamId: string, message: string, model: string): Promise<string> {
if (!budgetTracker.canProceed(teamId)) {
throw new Error(`Team ${teamId} has exceeded daily budget of $${teamConfigs[teamId].dailyBudgetUSD}`);
}
const response = await teamChat(teamId, message, model);
// Track usage after successful call
// Note: actual usage comes from response.usage.billedUnits
return response;
}
```
### Step 5: API Gateway Middleware
```typescript
import { Request, Response, NextFunction } from 'express';
// Extract team from auth header or JWT
function extractTeamId(req: Request): string {
const apiKey = req.headers['x-api-key'] as string;
// Map API keys to teams (store in DB, not code)
const teamMap = new Map<string, string>([
['search-api-key-hash', 'search'],
['chatbot-api-key-hash', 'chatbot'],
['ml-api-key-hash', 'ml'],
]);
const teamId = teamMap.get(apiKey);
if (!teamId) throw new Error('Invalid API key');
return teamId;
}
function cohereAccessControl(allowedEndpoints: string[]) {
return (req: Request, res: Response, next: NextFunction) => {
try {
const teamId = extractTeamId(req);
// Check budget
if (!budgetTracker.canProceed(teamId)) {
return res.status(429).json({ error: 'Daily budget exceeded' });
}
// Attach team context
(req as any).cohereTeam = teamId;
next();
} catch (err) {
res.status(403).json({ error: (err as Error).message });
}
};
}
// Usage
app.post('/api/chat', cohereAccessControl(['chat']), chatHandler);
app.post('/api/embed', cohereAccessControl(['embed']), embedHandler);
```
### Step 6: Audit Trail
```typescript
interface CohereAccessLog {
timestamp: Date;
teamId: string;
endpoint: string;
model: string;
tokensUsed: { input: number; output: number };
costEstimate: number;
success: boolean;
errorCode?: number;
}
async function logAccess(entry: CohereAccessLog): Promise<void> {
// Write to your audit database
await db.cohereAccessLog.insert(entry);
// Alert on suspicious patterns
if (entry.costEstimate > 10) {
console.warn(`High-cost call: team=${entry.teamId} cost=$${entry.costEstimate.toFixed(2)}`);
}
}
// Usage reporting query
// SELECT team_id, SUM(cost_estimate), COUNT(*) as calls
// FROM cohere_access_log
// WHERE timestamp > NOW() - INTERVAL '24 hours'
// GROUP BY team_id
// ORDER BY SUM(cost_estimate) DESC;
```
## Key Rotation Per Team
```bash
# Rotate a team's API key
# 1. Generate new key at dashboard.cohere.com
# 2. Update the team's secret
aws secretsmanager update-secret \
--secret-id cohere/search-team/api-key \
--secret-string "new-key-here"
# 3. Restart team's services
kubectl rollout restart deployment/search-service
# 4. Verify and revoke old key
# 5. Update audit log with rotation event
```
## Output
- Multi-team API key management with separate keys per team
- Model access enforcement (search team cannot use chat models)
- Per-team daily budget limits with automatic cutoff
- Audit trail for all Cohere API calls with team attribution
- API gateway middleware for access control
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| Team key missing | Env var not set | Check secret manager |
| Model access denied | Not in allowedModels | Update team config |
| Budget exceeded | High usage | Increase limit or optimize |
| Key rotation gap | Old key revoked too early | Overlap keys during rotation |
## Resources
- [Cohere API Keys](https://dashboard.cohere.com/api-keys)
- [Cohere Pricing](https://cohere.com/pricing)
- [Cohere Rate Limits](https://docs.cohere.com/docs/rate-limits)
## Next Steps
For major migrations, see `cohere-migration-deep-dive`.Related Skills
windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
webflow-enterprise-rbac
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
vercel-enterprise-rbac
Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".
veeva-enterprise-rbac
Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".
vastai-enterprise-rbac
Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".
twinmind-enterprise-rbac
Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".
supabase-enterprise-rbac
Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".
speak-enterprise-rbac
Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".
snowflake-enterprise-rbac
Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".
windsurf-enterprise-sso
Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".
shopify-enterprise-rbac
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
sentry-enterprise-rbac
Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".