
RBAC & Security

Role-based access control and security features

InferiaLLM provides comprehensive security features including authentication, authorization, and audit logging.

Authentication

JWT-Based Auth

All API requests require a valid JWT token obtained via login.

curl -X POST http://localhost:8000/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "password123"}'

Response:

{
  "access_token": "eyJ...",
  "refresh_token": "eyJ...",
  "token_type": "bearer"
}

Two-Factor Authentication (2FA)

TOTP-based 2FA can be enabled per user:

  1. Setup: POST /auth/totp/setup - Returns QR code
  2. Verify: POST /auth/totp/verify - Verify and enable
  3. Login: Include totp_code in login request
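The login-plus-2FA flow above, as an added example that is not part of the InferiaLLM code base: a server-side login check that verifies the password, then requires a valid totp_code only for users who completed the setup/verify enrollment. The TOTP routine is plain RFC 6238 (HMAC-SHA1, 30-second step, 6 digits); the UserRecord type, the enrollment and login helper names, the pbkdf2 password hashing and the "InferiaLLM" issuer label in the provisioning URI are assumptions for illustration, not the product's own API.

```python
"""Illustrative TOTP enrollment and login check (example code, not the project's own)."""
import base64
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_code(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(timestamp // step), digits)


def verify_totp(secret: bytes, code: str, timestamp: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps (clock drift), in constant time."""
    counter = int(timestamp // step)
    ok = False
    for delta in range(-window, window + 1):
        # Compare every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret, counter + delta, digits), code)
    return ok


def provisioning_uri(email: str, secret: bytes, issuer: str = "InferiaLLM") -> str:
    """Key-URI string that the setup step would encode into the QR code (issuer label assumed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{email}?secret={b32}&issuer={issuer}"


@dataclass
class UserRecord:
    email: str
    salt: bytes
    password_hash: bytes
    pending_totp_secret: Optional[bytes] = None  # issued by setup, not yet trusted
    totp_secret: Optional[bytes] = None          # set only after verify succeeds


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email: str, password: str) -> UserRecord:
    salt = os.urandom(16)
    return UserRecord(email=email, salt=salt, password_hash=hash_password(password, salt))


def totp_setup(user: UserRecord) -> str:
    """Step 1: generate a secret, keep it pending, return the QR-code payload."""
    user.pending_totp_secret = os.urandom(20)
    return provisioning_uri(user.email, user.pending_totp_secret)


def totp_verify_and_enable(user: UserRecord, code: str, now: float) -> bool:
    """Step 2: enable 2FA only once the user proves the authenticator produces valid codes."""
    if user.pending_totp_secret is None:
        return False
    if not verify_totp(user.pending_totp_secret, code, now):
        return False
    user.totp_secret, user.pending_totp_secret = user.pending_totp_secret, None
    return True


def login(user: UserRecord, password: str, code: Optional[str], now: float) -> str:
    """Step 3: password first, then the TOTP code if (and only if) 2FA is enabled."""
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return "invalid_credentials"
    if user.totp_secret is not None:
        if code is None:
            return "totp_required"
        if not verify_totp(user.totp_secret, code, now):
            return "invalid_totp"
    return "ok"


if __name__ == "__main__":
    alice = make_user("alice@example.com", "correct horse battery staple")  # constructed sample
    print(totp_setup(alice))
    t = 1_700_000_000
    print(totp_verify_and_enable(alice, totp_code(alice.pending_totp_secret, t), t))
    print(login(alice, "correct horse battery staple", None, t))            # totp_required
    print(login(alice, "correct horse battery staple", totp_code(alice.totp_secret, t), t))  # ok
```

The window of plus/minus one step is the usual tolerance for device clock drift; widening it trades more replay exposure for fewer false rejections, so a replay check (remembering the last accepted counter per user) belongs alongside it in production.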

API Keys

For programmatic access, generate API keys:

curl -X POST http://localhost:8000/management/api-keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "my-app", "deployment_id": "uuid"}'

Authorization (RBAC)

Built-in Roles

Role        Capabilities
Admin       Full access, user management, settings
Developer   Deployments, API keys, configurations
User        Read access, limited API key creation
Guest       View only, no modifications

Permissions

Granular permissions control access:

Permission      Description
model:read      View models and deployments
model:write     Create/modify deployments
model:delete    Delete deployments
apikey:read     View API keys
apikey:write    Create API keys
admin:users     Manage users
admin:roles     Manage roles
admin:config    Modify system settings
admin:audit     View audit logs

Custom Roles

Create custom roles via Dashboard or API:

curl -X POST http://localhost:8000/admin/roles \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "analyst",
    "permissions": ["model:read", "apikey:read"]
  }'

Organizations

Multi-Tenancy

Users can belong to multiple organizations with different roles in each.

Organization Switching

curl -X POST http://localhost:8000/auth/switch-org \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"org_id": "org-uuid"}'
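The role, permission, custom-role and organization-switching sections above, as one added example that is not part of the InferiaLLM code base: a deny-by-default authorization model in which a user holds a role per organization and the permissions that apply are those of the role in the currently active organization. The permission names come from the permissions table on this page; the exact permission set assigned to each built-in role is an assumption made for illustration (the page describes them only in words), as are the RoleRegistry, User, switch_org and is_allowed names.

```python
"""Illustrative RBAC check with per-organization roles (example code, not the project's own)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional

# Permission names as listed in the permissions table.
ALL_PERMISSIONS: FrozenSet[str] = frozenset({
    "model:read", "model:write", "model:delete",
    "apikey:read", "apikey:write",
    "admin:users", "admin:roles", "admin:config", "admin:audit",
})

# ASSUMPTION: illustrative mapping of the built-in roles to permissions;
# the docs describe these roles in prose only.
BUILT_IN_ROLES: Dict[str, FrozenSet[str]] = {
    "admin": ALL_PERMISSIONS,
    "developer": frozenset({"model:read", "model:write", "model:delete",
                            "apikey:read", "apikey:write"}),
    "user": frozenset({"model:read", "apikey:read", "apikey:write"}),
    "guest": frozenset({"model:read"}),
}


class RoleRegistry:
    """Built-in roles plus custom roles created with an explicit permission list."""

    def __init__(self) -> None:
        self.roles: Dict[str, FrozenSet[str]] = dict(BUILT_IN_ROLES)

    def create_role(self, name: str, permissions: Iterable[str]) -> FrozenSet[str]:
        if name in self.roles:
            raise ValueError(f"role already exists: {name}")
        perms = frozenset(permissions)
        unknown = perms - ALL_PERMISSIONS
        if unknown:
            # Reject typos such as "model:reed" instead of silently granting nothing.
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.roles[name] = perms
        return perms


@dataclass
class User:
    email: str
    memberships: Dict[str, str] = field(default_factory=dict)  # org_id -> role name
    active_org: Optional[str] = None                            # set by switch_org


def switch_org(user: User, org_id: str) -> None:
    """Mirror of POST /auth/switch-org: only organizations the user belongs to are selectable."""
    if org_id not in user.memberships:
        raise PermissionError(f"{user.email} is not a member of {org_id}")
    user.active_org = org_id


def effective_permissions(registry: RoleRegistry, user: User) -> FrozenSet[str]:
    """Permissions of the user's role in the active organization; none if no org is active."""
    if user.active_org is None:
        return frozenset()
    role = user.memberships[user.active_org]
    return registry.roles.get(role, frozenset())


def is_allowed(registry: RoleRegistry, user: User, permission: str) -> bool:
    """Deny by default: anything not explicitly granted by the active role is refused."""
    return permission in effective_permissions(registry, user)


if __name__ == "__main__":
    reg = RoleRegistry()
    reg.create_role("analyst", ["model:read", "apikey:read"])  # the curl example's custom role
    # Constructed sample: one user, admin in one org, analyst in another.
    alice = User("alice@example.com", {"org-a": "admin", "org-b": "analyst"})
    switch_org(alice, "org-a")
    print("org-a model:delete ->", is_allowed(reg, alice, "model:delete"))  # True
    switch_org(alice, "org-b")
    print("org-b model:delete ->", is_allowed(reg, alice, "model:delete"))  # False
```

Because the check keys off the active organization rather than the union of all memberships, an admin in one organization does not carry those rights into another one; that is the property the multi-tenancy section relies on.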

Invitations

Invite users to organizations:

  1. Admin creates invitation in Dashboard
  2. User receives invitation link
  3. User accepts and joins organization

Audit Logging

All actions are logged immutably:

  • Authentication events
  • Resource modifications
  • API key usage
  • Configuration changes

View Audit Logs

curl http://localhost:8000/audit/logs \
  -H "Authorization: Bearer $TOKEN"
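The audit-logging section above and the "Monitor Logs" best practice below, as one added example that is not part of the InferiaLLM code base: an append-only audit log in which every entry carries the hash of its predecessor, so a reviewer who exports the log can detect a deleted, reordered or edited record, plus a small anomaly check over the exported entries. How InferiaLLM itself makes its log immutable is not described on this page; the hash chain, the AuditLog class, the event field names and the constructed sample events are assumptions for illustration.

```python
"""Illustrative hash-chained audit log and a log review (example code, not the project's own)."""
import hashlib
import json
from collections import Counter
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64


def entry_digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class AuditLog:
    """Append-only: entries are only ever added, and each one commits to the previous hash."""

    def __init__(self) -> None:
        self._entries: List[dict] = []

    def append(self, ts: int, actor: str, action: str, target: str, outcome: str) -> str:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        entry = {"seq": len(self._entries), "ts": ts, "actor": actor,
                 "action": action, "target": target, "outcome": outcome,
                 "prev_hash": prev}
        entry["hash"] = entry_digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    def export(self) -> List[dict]:
        """Copies, so callers cannot alter the stored entries through the returned list."""
        return [dict(e) for e in self._entries]


def verify_chain(entries: List[dict]) -> Optional[int]:
    """Return the index of the first inconsistent entry, or None if the chain is intact."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev_hash"] != prev or entry_digest(e) != e["hash"]:
            return i
        prev = e["hash"]
    return None


def failed_logins_by_actor(entries: List[dict], threshold: int) -> Dict[str, int]:
    """Actors with at least `threshold` failed login events: a simple anomaly to review."""
    counts = Counter(e["actor"] for e in entries
                     if e["action"] == "auth.login" and e["outcome"] == "failure")
    return {actor: n for actor, n in counts.items() if n >= threshold}


def build_sample_log() -> AuditLog:
    """Constructed sample events; not real InferiaLLM output."""
    log = AuditLog()
    t = 1_700_000_000
    log.append(t + 0, "alice@example.com", "auth.login", "-", "success")
    log.append(t + 5, "alice@example.com", "model.write", "deployment/dep-1", "success")
    for i in range(3):
        log.append(t + 10 + i, "bob@example.com", "auth.login", "-", "failure")
    log.append(t + 20, "alice@example.com", "apikey.write", "apikey/my-app", "success")
    log.append(t + 30, "alice@example.com", "admin.config", "settings/rate_limit", "success")
    return log


if __name__ == "__main__":
    exported = build_sample_log().export()
    print("chain intact:", verify_chain(exported) is None)
    exported[1]["outcome"] = "failure"  # simulate an edited record in the export
    print("first bad entry:", verify_chain(exported))       # 1
    print("repeated failures:", failed_logins_by_actor(exported, 3))
```

The chain only proves that an exported copy is consistent with itself; to detect a rewrite of the whole store, the latest hash has to be anchored somewhere the log writer cannot change (a separate system, a signed checkpoint), which is the same reason the page recommends reviewing the logs rather than trusting them blindly.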

Security Best Practices

  1. Rotate Secrets: Change JWT_SECRET_KEY regularly
  2. Enable 2FA: Require for admin accounts
  3. Least Privilege: Assign minimal necessary permissions
  4. Monitor Logs: Review audit logs for anomalies
  5. Encrypt at Rest: Use SECRET_ENCRYPTION_KEY for credentials
