
# Enterprise Setup

> Role-Based Access Control and API key management for enterprise deployments

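export const CopyPageButton = () => {
  // Mounts a "Copy page" toolbar (copy as Markdown, view as Markdown, open in
  // Claude) at the top of the docs content area. The component renders nothing:
  // the toolbar is built with direct DOM calls 50 ms after evaluation, and only
  // when `window` is defined. It always returns null.
  if (typeof window === 'undefined') {
    return null;
  }
  setTimeout(() => {
    // An element with id `ck-tools` means the toolbar is already mounted.
    if (document.getElementById('ck-tools')) return;
    const anchor = document.getElementById('content-area') || document.querySelector('.mdx-content');
    if (!anchor) return;
    // Inject the stylesheet once; the id check keeps it from being duplicated.
    if (!document.getElementById('ck-style')) {
      const styleEl = document.createElement('style');
      styleEl.id = 'ck-style';
      styleEl.textContent = [
        '#ck-tools{position:absolute;top:6px;right:0;z-index:100;font-family:inherit;}',
        '.ck-row{display:inline-flex;align-items:stretch;border:1px solid rgba(0,0,0,0.15);border-radius:8px;overflow:hidden;background:#fff;}',
        ':root.dark .ck-row{background:rgba(255,255,255,0.06);border-color:rgba(255,255,255,0.12);}',
        '.ck-btn{padding:5px 12px;border:none;background:none;cursor:pointer;font-size:13px;font-weight:500;font-family:inherit;color:#374151;}',
        ':root.dark .ck-btn{color:#d1d5db;}',
        '.ck-btn:hover{background:rgba(0,0,0,0.04);}',
        ':root.dark .ck-btn:hover{background:rgba(255,255,255,0.06);}',
        '.ck-chevron{padding:5px 8px;border:none;background:none;cursor:pointer;font-size:14px;font-family:inherit;color:#374151;}',
        ':root.dark .ck-chevron{color:#d1d5db;}',
        '.ck-chevron:hover{background:rgba(0,0,0,0.04);}',
        ':root.dark .ck-chevron:hover{background:rgba(255,255,255,0.06);}',
        '.ck-divider{width:1px;background:rgba(0,0,0,0.12);flex-shrink:0;}',
        ':root.dark .ck-divider{background:rgba(255,255,255,0.12);}',
        '.ck-dd{position:absolute;top:calc(100% + 4px);right:0;min-width:180px;background:#fff;border:1px solid rgba(0,0,0,0.12);border-radius:8px;box-shadow:0 4px 12px rgba(0,0,0,0.1);padding:4px;display:none;z-index:200;}',
        ':root.dark .ck-dd{background:#1f2937;border-color:rgba(255,255,255,0.1);box-shadow:0 4px 16px rgba(0,0,0,0.35);}',
        '.ck-item{display:block;width:100%;padding:7px 12px;border:none;background:none;border-radius:6px;cursor:pointer;font-size:13px;font-family:inherit;text-align:left;color:#374151;}',
        ':root.dark .ck-item{color:#d1d5db;}',
        '.ck-item:hover{background:rgba(0,0,0,0.05);}',
        ':root.dark .ck-item:hover{background:rgba(255,255,255,0.07);}'
      ].join('');
      document.head.appendChild(styleEl);
    }
    const wrap = document.createElement('div');
    wrap.id = 'ck-tools';
    const row = document.createElement('div');
    row.className = 'ck-row';
    const mainBtn = document.createElement('button');
    mainBtn.className = 'ck-btn';
    mainBtn.textContent = 'Copy page';
    const divider = document.createElement('span');
    divider.className = 'ck-divider';
    const chevron = document.createElement('button');
    chevron.className = 'ck-chevron';
    chevron.textContent = '▾';
    const dd = document.createElement('div');
    dd.className = 'ck-dd';
    const closeDD = () => {
      dd.style.display = 'none';
    };
    const openDD = () => {
      dd.style.display = 'block';
    };
    chevron.onclick = (e) => {
      // Keep this click from reaching the document-level handler that closes the menu.
      e.stopPropagation();
      if (dd.style.display === 'block') {
        closeDD();
      } else {
        openDD();
      }
    };
    document.addEventListener('click', (e) => {
      // Close on any click outside the toolbar. A target without closest()
      // cannot be inside the toolbar, so it is treated as an outside click.
      const target = e.target;
      const isInside = Boolean(target) && typeof target.closest === 'function' && Boolean(target.closest('#ck-tools'));
      if (!isInside) {
        closeDD();
      }
    });
    document.addEventListener('keydown', (e) => {
      if (e.key === 'Escape') {
        closeDD();
      }
    });
    // Builds one dropdown entry that runs `fn` and then closes the menu.
    const makeItem = (label, fn) => {
      const item = document.createElement('button');
      item.className = 'ck-item';
      item.textContent = label;
      item.onclick = () => {
        fn();
        closeDD();
      };
      return item;
    };
    // Elements whose content never goes into the Markdown export.
    const SKIPPED_TAGS = ['script', 'style', 'svg', 'noscript', 'button', 'iframe'];
    // Converts a DOM subtree to Markdown-like text: h1-h3, p, pre, li and code
    // get markers, every other element contributes only its children's text.
    const walk = (node) => {
      if (!node) return '';
      if (node.nodeType === 3) return node.textContent || '';
      if (node.nodeType !== 1) return '';
      const tag = node.tagName.toLowerCase();
      if (SKIPPED_TAGS.includes(tag)) return '';
      if (node.id === 'ck-tools') return '';
      const inner = Array.from(node.childNodes).map(walk).join('');
      if (tag === 'h1') return '\n# ' + inner.trim() + '\n\n';
      if (tag === 'h2') return '\n## ' + inner.trim() + '\n\n';
      if (tag === 'h3') return '\n### ' + inner.trim() + '\n\n';
      if (tag === 'p') return '\n' + inner.trim() + '\n\n';
      // A <pre> uses its raw text so nested <code> does not add backticks.
      if (tag === 'pre') return '\n```\n' + node.textContent.trim() + '\n```\n\n';
      if (tag === 'li') return '- ' + inner.trim() + '\n';
      if (tag === 'code') return '`' + inner.trim() + '`';
      return inner;
    };
    const getMarkdown = () => {
      const content = document.querySelector('.mdx-content') || document.getElementById('content-area') || document.body;
      // Collapse runs of three or more newlines down to one blank line.
      return walk(content).replace(/\n\n\n+/g, '\n\n').trim();
    };
    // Shows a temporary label on the main button, then restores it after 2 s.
    const flashLabel = (text) => {
      mainBtn.textContent = text;
      setTimeout(() => {
        mainBtn.textContent = 'Copy page';
      }, 2000);
    };
    const copyMd = () => {
      const md = getMarkdown();
      // navigator.clipboard is not available outside secure contexts; report
      // the failure on the button instead of throwing inside the click handler.
      if (!navigator.clipboard || typeof navigator.clipboard.writeText !== 'function') {
        flashLabel('Copy failed');
        return;
      }
      // writeText rejects when permission is denied; handle it so the
      // rejection does not go unhandled and the user sees the outcome.
      navigator.clipboard.writeText(md).then(
        () => flashLabel('Copied!'),
        () => flashLabel('Copy failed')
      );
    };
    const viewMd = () => {
      const md = getMarkdown();
      // Escape &, < and > so page text is shown as text and is never parsed
      // as markup in the generated document.
      const safe = md.split('&').join('&amp;').split('<').join('&lt;').split('>').join('&gt;');
      const html = '<!DOCTYPE html><html><head><meta charset="utf-8"><style>body{font-family:monospace;max-width:860px;margin:40px auto;padding:0 24px;line-height:1.7;white-space:pre-wrap;word-wrap:break-word}</style></head><body>' + safe + '</body></html>';
      window.open(URL.createObjectURL(new Blob([html], {
        type: 'text/html'
      })), '_blank');
    };
    const openClaude = () => {
      // The full page URL (query string and fragment included) is sent to a
      // third-party site as part of the prompt text.
      const prompt = 'Can you read this Cekura docs page ' + window.location.href + ' so I can ask you questions?';
      // noopener keeps the external tab from receiving a window.opener handle
      // to this page; noreferrer also suppresses the Referer header.
      window.open('https://claude.ai/new?q=' + encodeURIComponent(prompt), '_blank', 'noopener,noreferrer');
    };
    mainBtn.onclick = copyMd;
    dd.appendChild(makeItem('Copy page', copyMd));
    dd.appendChild(makeItem('View as Markdown', viewMd));
    dd.appendChild(makeItem('Open in Claude', openClaude));
    row.appendChild(mainBtn);
    row.appendChild(divider);
    row.appendChild(chevron);
    wrap.appendChild(row);
    wrap.appendChild(dd);
    // The toolbar is absolutely positioned, so the anchor must be a positioned ancestor.
    anchor.style.position = 'relative';
    anchor.insertBefore(wrap, anchor.firstChild);
  }, 50);
  return null;
};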

<CopyPageButton />

## Overview

Cekura provides comprehensive Role-Based Access Control (RBAC) so enterprise teams can manage permissions and secure access to their voice AI testing infrastructure. You control who can access what through two mechanisms: user roles in the dashboard UI and API keys for programmatic access.

## User Roles (Dashboard)

Cekura supports three membership types for team collaboration through the dashboard interface:

### Admin

Full administrative access to all features and settings.

**Permissions include:**

* Complete workspace management and configuration
* User management (invite, remove, and change member roles)
* Billing and subscription management
* Create, edit, and delete agents, evaluators, and metrics
* Access to all projects and test results
* Configure integrations and webhooks
* Manage API keys and developer settings
* View raw transcripts, recordings, and analytics

**Use cases:**

* Engineering leads and managers
* DevOps and infrastructure teams
* Account owners

### Member

Standard access for developers and engineers building and testing agents. Members only have access to **selected projects** assigned to them by Admins.

**Permissions include:**

* Create, edit, and delete agents, evaluators, and metrics within assigned projects
* Run tests and simulations on assigned projects
* View test results and analytics for assigned projects
* Access raw transcripts and recordings for assigned projects
* Configure test profiles and scenarios within assigned projects

**Cannot:**

* Access projects they haven't been assigned to
* Manage billing or subscriptions
* Invite or remove team members
* Change other users' permissions
* Delete the workspace

**Use cases:**

* Voice AI developers working on specific environments (dev, staging, production)
* Team-specific access (e.g., Team A only accesses their projects, Team B only accesses theirs)
* QA engineers testing specific product lines
* Contractors or external developers with limited scope

<Note>
  **Project-based isolation:** Use projects to separate environments (dev, staging, production) or teams. Assign Members only to the projects they need access to for enhanced security and organization.
</Note>

### Viewer

Read-only access for stakeholders who need visibility without modification capabilities.

**Permissions include:**

* View agents, evaluators, and test results
* Access analytics and dashboards
* View scrubbed call history
* Generate reports

**Cannot:**

* Create or modify any resources
* Start tests or make calls
* Access raw transcripts or recordings
* Manage integrations or settings
* View billing information

**Use cases:**

* Product managers
* Business stakeholders
* Compliance and audit teams

## API Key Types

Cekura provides three types of API keys with different permission levels for programmatic access:

### Admin API Keys

Full API access equivalent to Admin dashboard permissions.

**Capabilities:**

* All CRUD operations across all resources
* Access to all projects in the organization
* User and organization management
* Billing and usage data retrieval
* Webhook configuration
* Complete observability data access

**Security considerations:**

* Treat as highly sensitive credentials
* Rotate regularly (recommended: every 90 days)
* Store in secure secret management systems
* Limit to backend services only
* Never commit to version control

**Example use cases:**

```bash theme={null}
# Access all projects
# NOTE: admin_api_key_xxx is a placeholder. A real Admin key typed inline ends up
# in shell history and process listings; read it from your secret store instead.
curl https://api.cekura.ai/v1/projects \
  -H "Authorization: Bearer admin_api_key_xxx"

# Manage organization settings
curl https://api.cekura.ai/v1/organization \
  -H "Authorization: Bearer admin_api_key_xxx"
```

### Project API Keys

Scoped access limited to specific projects for enhanced security.

**Capabilities:**

* Full access to assigned project resources only
* Create and manage agents, evaluators, metrics within the project
* Run tests and retrieve results for the project
* Send observability data for the project
* Access transcripts and analytics for the project

**Restrictions:**

* Cannot access other projects
* Cannot manage users or organization settings
* Cannot view billing information
* Cannot create or delete projects

**Security considerations:**

* Use for development and staging environments
* Assign minimum required project access
* Different keys per project for isolation
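* Suitable for CI/CD pipelines when stored as a pipeline secret: a Project key still has full access to the resources of its assigned project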

**Example use cases:**

```bash theme={null}
# Send observability data for specific project
# -d makes curl send a POST request; "[...]" stands for the elided transcript entries.
# NOTE(review): no Content-Type header is shown; confirm whether the API expects application/json.
curl https://api.cekura.ai/v1/observability/observe \
  -H "Authorization: Bearer project_api_key_xxx" \
  -d '{"project_id": "proj_123", "transcript": [...]}'

# Run evaluator within project scope
# {evaluator_id} is a placeholder; substitute the real evaluator ID before running.
curl https://api.cekura.ai/v1/evaluators/{evaluator_id}/run \
  -H "Authorization: Bearer project_api_key_xxx"
```

### Read-Only API Keys

Limited to read operations only, ideal for analytics and monitoring.

**Capabilities:**

* Retrieve agents, evaluators, and metrics (GET only)
* Access test results and analytics
* Fetch call transcripts and recordings
* Query observability data
* Generate reports

**Restrictions:**

* No write, update, or delete operations
* Cannot start tests or make calls
* Cannot modify any configurations
* Cannot access billing or user management

**Security considerations:**

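* Safe for frontend applications only with proper precautions: a key shipped to a browser is readable by every user of that page, and Read-Only keys can fetch call transcripts and recordings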
* Suitable for monitoring and alerting systems
* Can be shared with external analytics tools
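* Lower risk if accidentally exposed, because the key cannot change anything; it still exposes whatever it can read, so revoke and replace an exposed key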

**Example use cases:**

```bash theme={null}
# Retrieve test results for dashboards
# readonly_api_key_xxx is a placeholder for a Read-Only key.
curl https://api.cekura.ai/v1/results \
  -H "Authorization: Bearer readonly_api_key_xxx"

# Fetch call analytics for monitoring
# Read-Only keys can fetch transcripts and recordings (see Capabilities), so
# handle stored responses as sensitive data.
curl https://api.cekura.ai/v1/calls \
  -H "Authorization: Bearer readonly_api_key_xxx"
```

## Best Practices

### Team Structure Recommendations

<Tip>
  **Small teams (1-5 people):** Most users can be Members with 1-2 Admins. Create separate projects for dev, staging, and production environments.

  **Medium teams (5-20 people):** Use project-based access - assign Members to only the projects they need. For example, create projects per environment (dev/staging/prod) or per team, and grant selective access.

  **Large enterprises (20+ people):** Implement least-privilege access with granular project assignments. Use projects to isolate:

  * Different environments (dev, staging, production)
  * Different teams or business units
  * Different product lines or clients
  * Combine with Viewers for stakeholders and limited Admins for leads
</Tip>

### Project-Based Access Patterns

**Environment Separation:**

```
Projects: prod-voice-ai, staging-voice-ai, dev-voice-ai
- Production team Members: Access to prod-voice-ai only
- QA team Members: Access to staging-voice-ai and dev-voice-ai
- Dev team Members: Access to dev-voice-ai only
```

**Team Isolation:**

```
Projects: team-a-agents, team-b-agents, shared-resources
- Team A Members: Access to team-a-agents and shared-resources
- Team B Members: Access to team-b-agents and shared-resources
- Contractors: Access to specific team project only
```

**Client/Product Separation:**

```
Projects: client-acme, client-globex, internal-testing
- Client A team Members: Access to client-acme only
- Client B team Members: Access to client-globex only
- Internal QA: Access to internal-testing only
```

### API Key Management

1. **Key Rotation**
   * Admin keys: Rotate every 90 days
   * Project keys: Rotate every 180 days
   * Read-only keys: Rotate annually or when team members leave

2. **Storage**
   * Use environment variables for all API keys
   * Store in secret management systems (AWS Secrets Manager, HashiCorp Vault, etc.)
   * Never hardcode in application code
   * Never commit to version control

3. **Access Patterns**
   ```bash theme={null}
   # Production: Use Project API keys
   # The values below are placeholders; inject the real key from your secret
   # manager at deploy time rather than writing it into a committed file.
   CEKURA_API_KEY=project_api_key_xxx

   # CI/CD: Use Project API keys scoped to test projects
   CEKURA_TEST_API_KEY=project_api_key_yyy

   # Monitoring: Use Read-Only keys
   CEKURA_READONLY_KEY=readonly_api_key_zzz
   ```

4. **Monitoring and Auditing**
   * Track API key usage through activity logs
   * Set up alerts for unusual access patterns
   * Review permissions quarterly
   * Audit key access when team members change roles

### Security Checklist

<Check>
  * [ ] All Admin API keys stored in secure secret management
  * [ ] Project API keys used for development and CI/CD
  * [ ] Read-Only keys used for monitoring and analytics
  * [ ] Regular key rotation schedule established
  * [ ] Team members have minimum required permissions
  * [ ] Viewers assigned for stakeholders without modification needs
  * [ ] API key usage monitored and logged
  * [ ] Keys revoked when team members leave
</Check>

## Managing Access

### Adding Team Members

<Steps>
  <Step title="Navigate to Settings">
    Go to your Cekura dashboard and click on **Settings** > **Team**.
  </Step>

  <Step title="Invite User">
    Click **Invite Member** and enter their email address.
  </Step>

  <Step title="Assign Role">
    Select the appropriate role: Admin, Member, or Viewer based on their responsibilities.
  </Step>

  <Step title="Send Invitation">
    The user will receive an email invitation to join your workspace.
  </Step>
</Steps>

### Creating API Keys

<Note>
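  Access to **Settings > API Keys** requires the **Admin** role. Members and Viewers cannot view or manage API keys. If you do not have Admin access, ask an org admin to create an API key of the narrowest type that fits your use case and to share it with you through a secure channel such as your secret management system.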
</Note>

<Steps>
  <Step title="Access Developer Settings">
    Navigate to **Settings** > **API Keys** in the dashboard.
  </Step>

  <Step title="Generate New Key">
    Click **Create API Key** and select the key type.
  </Step>

  <Step title="Configure Scope">
    For Project API keys, select which projects should be accessible.
  </Step>

  <Step title="Save Securely">
    Copy the API key immediately - it will only be shown once. Store it in your secret management system.
  </Step>
</Steps>

<Warning>
  API keys cannot be recovered if lost. If you lose an API key, you must generate a new one and update all systems using the old key.
</Warning>

## Migration Guide

### Upgrading from Single API Key

If you're currently using a single API key for all purposes, follow these steps to implement proper RBAC:

1. **Audit current usage** - Identify all systems and services using your current key
2. **Create scoped keys** - Generate Project API keys for each service/environment
3. **Update services** - Migrate each service to use its dedicated Project key
4. **Enable read-only keys** - Switch monitoring and analytics tools to read-only keys
5. **Rotate admin key** - Generate a new Admin key and update only necessary systems
6. **Revoke old key** - Once migration is complete, revoke the original key

## Support

Need help setting up RBAC for your organization? Contact our enterprise support team at [support@cekura.ai](mailto:support@cekura.ai) or visit our [support portal](https://support.cekura.ai).
