Configure Documenso enterprise role-based access control and team management.
Use when implementing team permissions, configuring organizational roles,
or setting up enterprise access controls.
Trigger with phrases like "documenso RBAC", "documenso teams",
"documenso permissions", "documenso enterprise", "documenso roles".
Configure team-based access control and enterprise features in Documenso. The Team plan enables multi-user collaboration with shared documents. Enterprise adds SSO (OIDC), audit logging, and organization-level management.
Prerequisites
Documenso Team or Enterprise plan
Understanding of RBAC concepts
For SSO: OIDC-compatible identity provider (Okta, Azure AD, Google Workspace, Auth0)
Documenso Team Model
Organization
├── Team A
│ ├── Owner (full control)
│ ├── Admin (manage members, settings)
│ └── Member (create, view, sign team documents)
├── Team B
│ └── ...
└── Personal Accounts (separate from teams)
Key concepts:
Teams are separate from personal accounts -- team documents are owned by the team
Team API keys access all team documents; personal keys only access personal documents
Each team member can have Owner, Admin, or Member role
Unlimited teams and users on Team/Enterprise plans (early adopter pricing)
Instructions
Step 1: Team API Key Scoping
import { Documenso } from "@documenso/sdk-typescript";
// Personal key: only YOUR documents
const personalClient = new Documenso({
apiKey: process.env.DOCUMENSO_PERSONAL_KEY!,
});
// Team key: all documents in the team
const teamClient = new Documenso({
apiKey: process.env.DOCUMENSO_TEAM_KEY!,
});
// Common mistake: using personal key for team operations
// Results in 403 Forbidden on team resources
Step 2: Application-Level RBAC
Documenso handles team membership internally. For finer-grained control in your app, implement an authorization layer:
Documenso Enterprise supports SSO via OIDC. Configuration is done in the admin panel:
SSO Setup (Enterprise only):
1. Navigate to Organization Settings > SSO
2. Select your OIDC provider
3. Enter:
- Client ID (from your IdP)
- Client Secret (from your IdP)
- Issuer URL (e.g., https://login.microsoftonline.com/{tenant}/v2.0)
4. Configure redirect URI in your IdP:
https://sign.yourcompany.com/api/auth/callback/oidc
5. Test with a non-admin user first
Supported providers:
- Google Workspace
- Microsoft Entra ID (Azure AD)
- Okta
- Auth0
- Any OIDC-compliant provider
Once enabled, team members sign in via:
https://sign.yourcompany.com/sso/{organization-slug}
Step 4: Audit Logging (Enterprise)
Enterprise includes built-in audit logging. For additional application-level auditing:
// src/tenant/documenso-tenant.ts
// Each tenant maps to a Documenso team with its own API key
interface Tenant {
id: string;
name: string;
documensoTeamApiKey: string; // Encrypted in database
}
class TenantDocumensoService {
private clients = new Map<string, Documenso>();
getClient(tenant: Tenant): Documenso {
if (!this.clients.has(tenant.id)) {
this.clients.set(
tenant.id,
new Documenso({ apiKey: tenant.documensoTeamApiKey })
);
}
return this.clients.get(tenant.id)!;
}
// Ensure tenant isolation — never cross-access
async getDocument(tenant: Tenant, documentId: number) {
const client = this.getClient(tenant);
return client.documents.getV0(documentId);
// Team API keys automatically scope to team documents
}
}