wololo

Access Control

All provision routes require an explicit access_granted flag on your tenant record. This is set when your invite code is claimed during onboarding.

The access_granted guard

Every route that triggers GCP resource creation checks assertAccessGranted() before proceeding:

POST /api/onboard/provision          → assertAccessGranted()
POST /api/platform/provision         → assertAccessGranted()
POST /api/tenants/provision          → assertAccessGranted()
POST /api/tenants/provision/complete → assertAccessGranted()

If access_granted = false, all four routes return 403 Forbidden. No GCP resources are created.
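
A sketch of a fail-closed guard of this kind, added here as an example and not the platform's own code. The in-memory tenant store, the guarded() wrapper, the AccessDeniedError class and the tenant ids are assumptions; only assertAccessGranted and access_granted come from this page. It denies when the flag is false, missing, or of the wrong type, and shows that no resource is created on a 403.

```javascript
// Added example: the store, wrapper and ids below are hypothetical.
class AccessDeniedError extends Error {
  constructor(reason) {
    super("Forbidden");
    this.status = 403;
    this.reason = reason; // for server-side logs only, never returned to the client
  }
}

// Constructed sample records standing in for the tenants table.
const tenants = new Map([
  ["t-claimed", { id: "t-claimed", access_granted: true }],
  ["t-pending", { id: "t-pending", access_granted: false }],
  ["t-legacy", { id: "t-legacy" }], // flag never backfilled
  ["t-string", { id: "t-string", access_granted: "true" }], // wrong type
]);

// Fail closed: anything other than boolean true is a denial.
// tenantId is assumed to come from the server-side session, not the request body.
function assertAccessGranted(tenantId) {
  const tenant = tenants.get(tenantId);
  if (!tenant) throw new AccessDeniedError("unknown tenant");
  if (tenant.access_granted !== true) {
    throw new AccessDeniedError("access_granted not set");
  }
  return tenant;
}

const created = []; // stands in for GCP resources

// Wrap a provisioning step so the guard always runs before it.
function guarded(provision) {
  return (tenantId) => {
    try {
      const tenant = assertAccessGranted(tenantId);
      return { status: 200, body: provision(tenant) };
    } catch (err) {
      if (err instanceof AccessDeniedError) {
        return { status: 403, body: { error: "Forbidden" } };
      }
      throw err; // unexpected errors are not masked as 403
    }
  };
}

const provisionRoute = guarded((tenant) => {
  created.push(`project-for-${tenant.id}`);
  return { provisioned: tenant.id };
});
```

The t-legacy record models the case covered under "What if I see a 403?": a tenant whose flag was never set is denied until the record is backfilled.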

When is it set?

access_granted is set to true by the redeem_invite_code PL/pgSQL RPC when your invite code is atomically claimed. This happens in the onboarding layout (server component, runs before any client code).

What if I see a 403?

Your tenant record may not have had access_granted set correctly. Contact the platform team — this is a one-time admin operation to backfill your record.