Configure Langfuse enterprise organization management and access control.
Use when implementing team access controls, configuring organization settings,
or setting up role-based permissions for Langfuse projects.
Trigger with phrases like "langfuse RBAC", "langfuse teams",
"langfuse organization", "langfuse access control", "langfuse permissions".
Configure enterprise access control for Langfuse: built-in roles and permissions, scoped API keys per service, SSO integration, project-level isolation, and audit logging for compliance.
Prerequisites
Langfuse Cloud (Team/Enterprise plan) or self-hosted instance
Organization admin access
SSO provider (optional, for SAML/OIDC integration)
Langfuse Built-In Roles
Langfuse provides these roles at the project level:
Best practice: Separate projects for production, staging, and analytics. Never share API keys across environments.
Step 2: Scoped API Keys
Create API keys with specific purposes and rotate regularly:
// In Langfuse UI: Settings > API Keys > Create
// Each key pair (public + secret) is scoped to one project
// Service-specific keys
// Backend API: pk-lf-prod-api-... / sk-lf-prod-api-...
// CI/CD pipeline: pk-lf-ci-... / sk-lf-ci-...
// Analytics: pk-lf-analytics-... / sk-lf-analytics-...
// Validate key scope at startup
function validateApiKeyScope(expectedProject: string) {
const pk = process.env.LANGFUSE_PUBLIC_KEY || "";
if (!pk.includes(expectedProject)) {
console.warn(
`WARNING: API key may not match expected project: ${expectedProject}`
);
}
}
// Key rotation script
async function rotateApiKeys() {
// 1. Create new key pair in Langfuse UI
// 2. Deploy new keys to secret manager
// 3. Wait for all instances to pick up new keys
// 4. Revoke old key pair in Langfuse UI
console.log("Key rotation checklist:");
console.log("1. [ ] New key pair created in Langfuse");
console.log("2. [ ] New keys deployed to secret manager");
console.log("3. [ ] All services restarted with new keys");
console.log("4. [ ] Old key pair revoked in Langfuse");
console.log("5. [ ] Verified traces flowing with new keys");
}
Step 3: Self-Hosted Access Control
# docker-compose.yml -- enterprise hardening
services:
langfuse:
image: langfuse/langfuse:latest
environment:
# Disable public registration
- AUTH_DISABLE_SIGNUP=true
# SSO enforcement for your domain
- AUTH_DOMAINS_WITH_SSO_ENFORCEMENT=acme.com
# Default role for new project members
- LANGFUSE_DEFAULT_PROJECT_ROLE=VIEWER
# Encrypt data at rest
- ENCRYPTION_KEY=${ENCRYPTION_KEY}
# Session security
- NEXTAUTH_SECRET=${NEXTAUTH_SECRET}
Step 4: SSO Integration
SAML Setup (Okta, Azure AD, OneLogin):
In your IdP, create a new SAML application for Langfuse
Configure the SSO callback URL: https://langfuse.your-domain.com/api/auth/callback/saml
Set the entity ID: https://langfuse.your-domain.com