deepgram-enterprise-rbac
Configure enterprise role-based access control for Deepgram integrations. Use when implementing team permissions, managing API key scopes, or setting up organization-level access controls. Trigger: "deepgram RBAC", "deepgram permissions", "deepgram access control", "deepgram team roles", "deepgram enterprise", "deepgram key scopes".
Best use case
deepgram-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configure enterprise role-based access control for Deepgram integrations. Use when implementing team permissions, managing API key scopes, or setting up organization-level access controls. Trigger: "deepgram RBAC", "deepgram permissions", "deepgram access control", "deepgram team roles", "deepgram enterprise", "deepgram key scopes".
Teams using deepgram-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/deepgram-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How deepgram-enterprise-rbac Compares
| Feature / Agent | deepgram-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure enterprise role-based access control for Deepgram integrations. Use when implementing team permissions, managing API key scopes, or setting up organization-level access controls. Trigger: "deepgram RBAC", "deepgram permissions", "deepgram access control", "deepgram team roles", "deepgram enterprise", "deepgram key scopes".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Deepgram Enterprise RBAC
## Overview
Role-based access control for enterprise Deepgram deployments. Maps five application roles to Deepgram API key scopes, implements scoped key provisioning via the Deepgram Management API, Express permission middleware, team management with auto-provisioned keys, and automated key rotation.
## Deepgram Scope Reference
| Scope | Permission | Used By |
|-------|-----------|---------|
| `member` | Full access (all scopes) | Admin only |
| `listen` | STT transcription | Developers, Services |
| `speak` | TTS synthesis | Developers, Services |
| `manage` | Project/key management | Admin |
| `usage:read` | View usage metrics | Analysts, Auditors |
| `keys:read` | List API keys | Auditors |
| `keys:write` | Create/delete keys | Admin |
## Instructions
### Step 1: Define Roles and Scope Mapping
```typescript
interface Role {
name: string;
deepgramScopes: string[];
keyExpiry: number; // Days
description: string;
}
const ROLES: Record<string, Role> = {
admin: {
name: 'Admin',
deepgramScopes: ['member'],
keyExpiry: 90,
description: 'Full access — project and key management',
},
developer: {
name: 'Developer',
deepgramScopes: ['listen', 'speak'],
keyExpiry: 90,
description: 'STT and TTS — no management access',
},
analyst: {
name: 'Analyst',
deepgramScopes: ['usage:read'],
keyExpiry: 365,
description: 'Read-only usage metrics',
},
service: {
name: 'Service Account',
deepgramScopes: ['listen'],
keyExpiry: 90,
description: 'STT only — for automated systems',
},
auditor: {
name: 'Auditor',
deepgramScopes: ['usage:read', 'keys:read'],
keyExpiry: 30,
description: 'Read-only audit access',
},
};
```
### Step 2: Scoped Key Provisioning
```typescript
import { createClient } from '@deepgram/sdk';
class DeepgramKeyManager {
private admin: ReturnType<typeof createClient>;
private projectId: string;
constructor(adminKey: string, projectId: string) {
this.admin = createClient(adminKey);
this.projectId = projectId;
}
async createScopedKey(userId: string, roleName: string): Promise<{
keyId: string;
key: string;
scopes: string[];
expiresAt: string;
}> {
const role = ROLES[roleName];
if (!role) throw new Error(`Unknown role: ${roleName}`);
const expirationDate = new Date(Date.now() + role.keyExpiry * 86400000);
const { result, error } = await this.admin.manage.createProjectKey(
this.projectId,
{
comment: `${roleName}:${userId}:${new Date().toISOString().split('T')[0]}`,
scopes: role.deepgramScopes,
expiration_date: expirationDate.toISOString(),
}
);
if (error) throw new Error(`Key creation failed: ${error.message}`);
console.log(`Created ${roleName} key for ${userId} (expires ${expirationDate.toISOString().split('T')[0]})`);
return {
keyId: result.key_id,
key: result.key,
scopes: role.deepgramScopes,
expiresAt: expirationDate.toISOString(),
};
}
async revokeKey(keyId: string) {
const { error } = await this.admin.manage.deleteProjectKey(
this.projectId, keyId
);
if (error) throw new Error(`Key revocation failed: ${error.message}`);
console.log(`Revoked key: ${keyId}`);
}
async listKeys() {
const { result, error } = await this.admin.manage.getProjectKeys(this.projectId);
if (error) throw error;
return result.api_keys.map((k: any) => ({
keyId: k.api_key_id,
comment: k.comment,
scopes: k.scopes,
created: k.created,
expiration: k.expiration_date,
}));
}
}
```
### Step 3: Permission Middleware
```typescript
import { Request, Response, NextFunction } from 'express';
interface AuthenticatedRequest extends Request {
user?: { id: string; role: string; deepgramKeyId: string };
}
function requireRole(...allowedRoles: string[]) {
return (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
if (!req.user) {
return res.status(401).json({ error: 'Authentication required' });
}
if (!allowedRoles.includes(req.user.role)) {
console.warn(`Access denied: user ${req.user.id} (${req.user.role}) tried to access ${req.path}`);
return res.status(403).json({
error: 'Insufficient permissions',
required: allowedRoles,
current: req.user.role,
});
}
next();
};
}
function requireScope(...requiredScopes: string[]) {
return (req: AuthenticatedRequest, res: Response, next: NextFunction) => {
if (!req.user) {
return res.status(401).json({ error: 'Authentication required' });
}
const role = ROLES[req.user.role];
const hasScopes = requiredScopes.every(
s => role.deepgramScopes.includes(s) || role.deepgramScopes.includes('member')
);
if (!hasScopes) {
return res.status(403).json({
error: 'Missing required Deepgram scopes',
required: requiredScopes,
current: role.deepgramScopes,
});
}
next();
};
}
// Route examples:
app.post('/api/transcribe', requireScope('listen'), transcribeHandler);
app.post('/api/tts', requireScope('speak'), ttsHandler);
app.get('/api/usage', requireScope('usage:read'), usageHandler);
app.post('/api/keys', requireRole('admin'), createKeyHandler);
app.get('/api/audit', requireRole('admin', 'auditor'), auditHandler);
```
### Step 4: Team Management
```typescript
interface Team {
id: string;
name: string;
projectId: string; // Deepgram project ID
members: Array<{
userId: string;
role: string;
keyId: string;
joinedAt: string;
}>;
}
class TeamManager {
private keyManager: DeepgramKeyManager;
constructor(adminKey: string, projectId: string) {
this.keyManager = new DeepgramKeyManager(adminKey, projectId);
}
async addMember(team: Team, userId: string, role: string) {
// Provision Deepgram key with role scopes
const key = await this.keyManager.createScopedKey(userId, role);
team.members.push({
userId,
role,
keyId: key.keyId,
joinedAt: new Date().toISOString(),
});
console.log(`Added ${userId} to ${team.name} as ${role}`);
return key;
}
async removeMember(team: Team, userId: string) {
const member = team.members.find(m => m.userId === userId);
if (!member) throw new Error(`User ${userId} not in team`);
// Revoke Deepgram key
await this.keyManager.revokeKey(member.keyId);
team.members = team.members.filter(m => m.userId !== userId);
console.log(`Removed ${userId} from ${team.name}, key revoked`);
}
async changeRole(team: Team, userId: string, newRole: string) {
const member = team.members.find(m => m.userId === userId);
if (!member) throw new Error(`User ${userId} not in team`);
// Revoke old key, create new key with new role scopes
await this.keyManager.revokeKey(member.keyId);
const newKey = await this.keyManager.createScopedKey(userId, newRole);
member.role = newRole;
member.keyId = newKey.keyId;
console.log(`Changed ${userId} role to ${newRole}`);
return newKey;
}
}
```
### Step 5: Automated Key Rotation
```typescript
async function rotateExpiringKeys(
keyManager: DeepgramKeyManager,
db: any,
daysBeforeExpiry = 7
) {
const keys = await keyManager.listKeys();
const now = Date.now();
const threshold = now + daysBeforeExpiry * 86400000;
let rotated = 0;
for (const key of keys) {
if (!key.expiration) continue;
const expiresAt = new Date(key.expiration).getTime();
if (expiresAt < threshold) {
// Parse role from comment (format: "role:userId:date")
const [role, userId] = (key.comment ?? '').split(':');
if (!role || !userId) {
console.warn(`Cannot rotate key ${key.keyId} — unknown format: ${key.comment}`);
continue;
}
console.log(`Rotating key for ${userId} (${role}), expires ${key.expiration}`);
// Create new key
const newKey = await keyManager.createScopedKey(userId, role);
// Update database with new key ID
await db.query(
'UPDATE team_members SET key_id = $1 WHERE user_id = $2',
[newKey.keyId, userId]
);
// Revoke old key (after a grace period, or immediately)
await keyManager.revokeKey(key.keyId);
rotated++;
}
}
console.log(`Rotated ${rotated} keys expiring within ${daysBeforeExpiry} days`);
return rotated;
}
```
### Step 6: Access Control Matrix
| Action | Admin | Developer | Analyst | Service | Auditor |
|--------|-------|-----------|---------|---------|---------|
| Transcribe (STT) | Yes | Yes | No | Yes | No |
| Text-to-Speech | Yes | Yes | No | No | No |
| View usage | Yes | No | Yes | No | Yes |
| Manage keys | Yes | No | No | No | No |
| View audit logs | Yes | No | No | No | Yes |
| Create projects | Yes | No | No | No | No |
## Output
- Five-role permission model with Deepgram scope mapping
- Scoped API key provisioning via Management API
- Express middleware (role-based and scope-based)
- Team management with auto-provisioned/revoked keys
- Automated key rotation for expiring keys
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| 403 Forbidden | Key lacks scope | Create new key with correct scopes |
| Key expired | No rotation configured | Enable automated rotation |
| `manage.createProjectKey` fails | Admin key missing `member` scope | Use key with `member` scope |
| Team member can't transcribe | Wrong role assigned | Change role to `developer` or `service` |
## Resources
- [API Key Management](https://developers.deepgram.com/docs/api-key-management)
- [Project Management](https://developers.deepgram.com/docs/projects)
- [Deepgram Enterprise](https://deepgram.com/enterprise)Related Skills
windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
webflow-enterprise-rbac
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
vercel-enterprise-rbac
Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".
veeva-enterprise-rbac
Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".
vastai-enterprise-rbac
Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".
twinmind-enterprise-rbac
Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".
supabase-enterprise-rbac
Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".
speak-enterprise-rbac
Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".
snowflake-enterprise-rbac
Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".
windsurf-enterprise-sso
Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".
shopify-enterprise-rbac
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
sentry-enterprise-rbac
Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".