groq-enterprise-rbac
Configure Groq organization management, API key scoping, spending controls, and team access patterns. Trigger with phrases like "groq organization", "groq RBAC", "groq enterprise", "groq team access", "groq spending limits", "groq multi-team".
Best use case
groq-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configure Groq organization management, API key scoping, spending controls, and team access patterns. Trigger with phrases like "groq organization", "groq RBAC", "groq enterprise", "groq team access", "groq spending limits", "groq multi-team".
Teams using groq-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/groq-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How groq-enterprise-rbac Compares
| Feature / Agent | groq-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure Groq organization management, API key scoping, spending controls, and team access patterns. Trigger with phrases like "groq organization", "groq RBAC", "groq enterprise", "groq team access", "groq spending limits", "groq multi-team".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Groq Enterprise Access Management
## Overview
Manage team access to Groq's inference API through API key strategy, model-level routing controls, spending limits, and usage monitoring. Groq uses flat API keys (`gsk_` prefix) with no built-in scoping -- access control is implemented at the application layer.
## Groq Access Model
- **API keys** are per-organization, not per-user
- **No built-in scopes** -- every key has full API access
- **Rate limits** are per-organization, shared across all keys
- **Spending limits** are configurable in the Groq Console
- **Projects** allow creating isolated API keys with separate limits
## Instructions
### Step 1: API Key Strategy
```typescript
// Create separate keys per team/service via Groq Console Projects
// Each project gets its own API key and can have independent rate limits
// Key naming convention: {team}-{environment}-{purpose}
const KEY_REGISTRY = {
// Each team gets a separate Groq Project
"chatbot-prod": "gsk_...", // Project: chatbot-production
"chatbot-staging": "gsk_...", // Project: chatbot-staging
"analytics-prod": "gsk_...", // Project: analytics-production
"batch-processor": "gsk_...", // Project: batch-processing
} as const;
```
### Step 2: Application-Level Model Access Control
```typescript
// Since Groq keys don't have model scoping, implement it in your gateway
interface TeamConfig {
allowedModels: string[];
maxTokensPerRequest: number;
monthlyBudgetUsd: number;
rateLimitRPM: number;
}
const TEAM_CONFIGS: Record<string, TeamConfig> = {
chatbot: {
allowedModels: ["llama-3.3-70b-versatile", "llama-3.1-8b-instant"],
maxTokensPerRequest: 2048,
monthlyBudgetUsd: 200,
rateLimitRPM: 60,
},
analytics: {
allowedModels: ["llama-3.1-8b-instant"], // Only cheapest model
maxTokensPerRequest: 512,
monthlyBudgetUsd: 50,
rateLimitRPM: 30,
},
research: {
allowedModels: [
"llama-3.3-70b-versatile",
"llama-3.1-8b-instant",
"meta-llama/llama-4-scout-17b-16e-instruct",
],
maxTokensPerRequest: 4096,
monthlyBudgetUsd: 500,
rateLimitRPM: 120,
},
};
function validateRequest(team: string, model: string, maxTokens: number): void {
const config = TEAM_CONFIGS[team];
if (!config) throw new Error(`Unknown team: ${team}`);
if (!config.allowedModels.includes(model)) {
throw new Error(`Team ${team} not authorized for model ${model}`);
}
if (maxTokens > config.maxTokensPerRequest) {
throw new Error(`max_tokens ${maxTokens} exceeds limit ${config.maxTokensPerRequest} for team ${team}`);
}
}
```
### Step 3: Groq API Gateway
```typescript
import Groq from "groq-sdk";
import PQueue from "p-queue";
// Per-team rate limiting
const teamQueues = new Map<string, PQueue>();
function getTeamQueue(team: string): PQueue {
if (!teamQueues.has(team)) {
const config = TEAM_CONFIGS[team];
teamQueues.set(team, new PQueue({
intervalCap: config?.rateLimitRPM || 30,
interval: 60_000,
concurrency: 5,
}));
}
return teamQueues.get(team)!;
}
// Gateway function: validates, rate-limits, and proxies to Groq
async function groqGateway(
team: string,
messages: any[],
model: string,
maxTokens: number
) {
// Validate permissions
validateRequest(team, model, maxTokens);
// Check budget
const monthlySpend = await getTeamMonthlySpend(team);
const config = TEAM_CONFIGS[team];
if (monthlySpend >= config.monthlyBudgetUsd) {
throw new Error(`Team ${team} monthly budget of $${config.monthlyBudgetUsd} exhausted`);
}
// Rate-limited execution
const queue = getTeamQueue(team);
return queue.add(async () => {
const groq = new Groq({ apiKey: getTeamApiKey(team) });
const result = await groq.chat.completions.create({
model,
messages,
max_tokens: maxTokens,
});
// Track usage
await recordTeamUsage(team, model, result.usage!);
return result;
});
}
```
### Step 4: Spending Controls
```markdown
## Groq Console Setup (per organization)
1. Go to console.groq.com > Organization > Billing
2. Set monthly spending cap
3. Configure alerts at 50%, 80%, 95% thresholds
4. Enable auto-pause when cap is reached
## Application-Level Controls (per team)
```
```typescript
// Track spending per team
const teamSpending = new Map<string, number>();
async function recordTeamUsage(
team: string,
model: string,
usage: any
): Promise<void> {
const pricing: Record<string, { input: number; output: number }> = {
"llama-3.1-8b-instant": { input: 0.05, output: 0.08 },
"llama-3.3-70b-versatile": { input: 0.59, output: 0.79 },
"meta-llama/llama-4-scout-17b-16e-instruct": { input: 0.11, output: 0.34 },
};
const price = pricing[model] || { input: 0.10, output: 0.10 };
const cost =
(usage.prompt_tokens / 1_000_000) * price.input +
(usage.completion_tokens / 1_000_000) * price.output;
const current = teamSpending.get(team) || 0;
teamSpending.set(team, current + cost);
// Alert at thresholds
const budget = TEAM_CONFIGS[team].monthlyBudgetUsd;
const pct = ((current + cost) / budget) * 100;
if (pct >= 95) {
console.error(`[ALERT] Team ${team} at ${pct.toFixed(0)}% of monthly budget!`);
} else if (pct >= 80) {
console.warn(`[WARN] Team ${team} at ${pct.toFixed(0)}% of monthly budget`);
}
}
```
### Step 5: API Key Rotation
```bash
set -euo pipefail
# Zero-downtime key rotation process:
# 1. Create new key in Groq Console (same Project)
# Name: chatbot-prod-2026-04
# 2. Deploy new key alongside old key
# Both keys are valid simultaneously
# 3. Update secret manager
# AWS: aws secretsmanager update-secret --secret-id groq/chatbot-prod --secret-string "gsk_new_..."
# GCP: echo -n "gsk_new_..." | gcloud secrets versions add groq-chatbot-prod --data-file=-
# 4. Restart services to pick up new key
# 5. Monitor for 24h -- verify no requests on old key
# 6. Delete old key in Groq Console
```
### Step 6: Usage Dashboard Query
```typescript
// Weekly usage report per team
function weeklyReport(records: Array<{ team: string; model: string; cost: number; tokens: number }>) {
const byTeam: Record<string, { cost: number; tokens: number; topModel: string }> = {};
for (const r of records) {
if (!byTeam[r.team]) byTeam[r.team] = { cost: 0, tokens: 0, topModel: "" };
byTeam[r.team].cost += r.cost;
byTeam[r.team].tokens += r.tokens;
}
console.table(
Object.entries(byTeam).map(([team, data]) => ({
team,
cost: `$${data.cost.toFixed(2)}`,
tokens: data.tokens.toLocaleString(),
budget: `$${TEAM_CONFIGS[team]?.monthlyBudgetUsd || "N/A"}`,
}))
);
}
```
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| `429 rate_limit_exceeded` | Org-level RPM/TPM hit | Teams share org limits; reduce aggregate volume |
| `401 invalid_api_key` | Key deleted or rotated | Update secret manager, restart services |
| Budget exhausted | Monthly cap reached | Increase cap or wait for billing cycle reset |
| Wrong model used | No server-side enforcement | Validate model against team config before calling Groq |
## Resources
- [Groq Projects](https://console.groq.com/docs/projects)
- [Groq Spend Limits](https://console.groq.com/docs/spend-limits)
- [Groq Rate Limits](https://console.groq.com/docs/rate-limits)
- [Groq API Keys](https://console.groq.com/keys)
## Next Steps
For migration strategies, see `groq-migration-deep-dive`.Related Skills
windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
webflow-enterprise-rbac
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
vercel-enterprise-rbac
Configure Vercel enterprise RBAC, access groups, SSO integration, and audit logging. Use when implementing team access control, configuring SAML SSO, or setting up role-based permissions for Vercel projects. Trigger with phrases like "vercel SSO", "vercel RBAC", "vercel enterprise", "vercel roles", "vercel permissions", "vercel access groups".
veeva-enterprise-rbac
Veeva Vault enterprise rbac for enterprise operations. Use when implementing advanced Veeva Vault patterns. Trigger: "veeva enterprise rbac".
vastai-enterprise-rbac
Implement team access control and spending governance for Vast.ai GPU cloud. Use when managing multi-team GPU access, implementing spending controls, or setting up API key separation for different teams. Trigger with phrases like "vastai team access", "vastai RBAC", "vastai enterprise", "vastai spending controls", "vastai permissions".
twinmind-enterprise-rbac
Configure TwinMind Enterprise with on-premise deployment, custom AI models, SSO integration, and team-wide transcript sharing. Use when implementing enterprise rbac, or managing TwinMind meeting AI operations. Trigger with phrases like "twinmind enterprise rbac", "twinmind enterprise rbac".
supabase-enterprise-rbac
Implement custom role-based access control via JWT claims in Supabase: app_metadata.role, RLS policies with auth.jwt() ->> 'role', organization-scoped access, and API key scoping. Use when implementing role-based permissions, configuring organization-level access, building admin/member/viewer hierarchies, or scoping API keys per role. Trigger: "supabase RBAC", "supabase roles", "supabase permissions", "supabase JWT claims", "supabase organization access", "supabase custom roles", "supabase app_metadata".
speak-enterprise-rbac
Configure Speak for schools and organizations: SSO, teacher/student roles, class management, and usage reporting. Use when implementing enterprise rbac, or managing Speak language learning platform operations. Trigger with phrases like "speak enterprise rbac", "speak enterprise rbac".
snowflake-enterprise-rbac
Configure Snowflake enterprise RBAC with system roles, custom role hierarchies, SSO/SCIM integration, and least-privilege access patterns. Use when implementing role-based access control, configuring SSO with SAML/OIDC, or setting up organization-level governance in Snowflake. Trigger with phrases like "snowflake RBAC", "snowflake roles", "snowflake SSO", "snowflake SCIM", "snowflake permissions", "snowflake access control".
windsurf-enterprise-sso
Configure enterprise SSO integration for Windsurf. Activate when users mention "sso configuration", "single sign-on", "enterprise authentication", "saml setup", or "identity provider". Handles enterprise identity integration. Use when working with windsurf enterprise sso functionality. Trigger with phrases like "windsurf enterprise sso", "windsurf sso", "windsurf".
shopify-enterprise-rbac
Implement Shopify Plus access control patterns with staff permissions, multi-location management, and Shopify Organization features. Trigger with phrases like "shopify permissions", "shopify staff", "shopify Plus organization", "shopify roles", "shopify multi-location".
sentry-enterprise-rbac
Configure enterprise role-based access control, SSO/SAML2, and SCIM provisioning in Sentry. Use when setting up organization hierarchy, team permissions, identity provider integration, API token governance, or audit logging for compliance. Trigger: "sentry rbac", "sentry permissions", "sentry team access", "sentry sso setup", "sentry scim", "sentry audit log".