Permissions overview

Neon Auth has two different permission systems:

• Project permissions for managing Neon Auth as a feature in your Neon projects
• App/user permissions for controlling what your app's users can do within your application.

Project permissions

Who can add and manage Neon Auth in your Neon project

These permissions control who can configure Neon Auth itself within your Neon organization. They're based on your Neon organization roles (Admin, Member, Collaborator).

What they control:

• Adding or removing Neon Auth from your project
• Claiming ownership of the auth provider project (ejecting the project to Stack Auth)
• Generating SDK keys for your application
• Creating users from the Neon Auth UI

Permission Matrix

In a nutshell

• Admins can perform all Neon Auth operations including installation, configuration, and user management
• Members can create users but cannot modify Neon Auth settings
• Collaborators can create users but cannot modify Neon Auth settings

For more information about organization roles and permissions, see User roles and permissions.

App/user permissions

What your app's users can do within your application

These permissions control what your application's end users can do once they're authenticated. They're managed through your application code using Neon Auth's RBAC system.

What they control:

• Team-based permissions (e.g., "moderator", "read_secret_info")
• Global project permissions (e.g., "premium_access", "admin_dashboard")
• Hierarchical permission structures
• Server-side permission checks

For detailed information about implementing role-based access control for your application's users, see App/User RBAC Permissions.