Scoped permissions and RBAC
API Subscriptions as Permissions
ComplianceGrid uses a subscription-based permission model. Each set of credentials is subscribed to specific API verticals (called "slugs"), and each vertical owns a path prefix under `/v1/`. A request to an endpoint whose vertical your credentials aren't subscribed to is rejected with a 403 `subscription_required` error; the request is never forwarded to the underlying service.
Available API Verticals
| Slug | Domain | Example Endpoints |
|---|---|---|
| `export-compliance` | Export Compliance | `/v1/compliance/*` |
| `hs-code-lookup` | HS Code Search | `/v1/hs/*` |
| `aes-filing` | AES/EEI Filing | `/v1/aes/*` |
| `firearms-explosives` | Firearms & Explosives | `/v1/firearms/*` |
| `pharma-controlled` | Pharma & DEA | `/v1/pharma/*` |
| `financial-securities` | Financial & SEC | `/v1/financial/*` |
| `aviation-transport` | Aviation & FAA | `/v1/aviation/*` |
| `professional-business` | SAM.gov / Business | `/v1/business/*` |
| `legal-exclusions` | OIG Exclusions | `/v1/legal/*` |
| `maritime-port` | Maritime & CTPAT | `/v1/maritime/*` |
| `fcc-licensing` | FCC Licenses | `/v1/fcc/*` |
| `ai-assistant` | AI Chat | `/v1/ai/*` |
Managing Subscriptions
Subscriptions are managed in the Developer Portal under Dashboard → Developer → Subscriptions. You can enable or disable API verticals at any time. Changes take effect immediately for new tokens; a token issued before the change carries the subscription set it was issued with, so removing a vertical does not immediately cut off callers that are still using an older token.
Organization-Level Access
If you're using Clerk Organizations, credentials are scoped to the organization. All members of the organization share the same API keys and subscriptions. When a user switches their active organization, the Developer Portal shows that organization's credentials. Because the key is shared, API calls are attributed to the organization rather than to an individual member, and anyone who has been a member has had access to the key; treat a member leaving as a reason to rotate the organization's credentials.
Principle of Least Privilege
Only subscribe to the API verticals your application actually uses. This limits the blast radius if credentials are compromised: an attacker with a key subscribed only to `hs-code-lookup` can query HS codes but cannot access OFAC screening or financial data. Review the subscription list whenever an application's scope shrinks, not only when it grows.
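To make the subscription check concrete, here is an added example of the authorization gate the model implies, written for this page rather than taken from ComplianceGrid's own code. It maps the path prefixes from the table above to their slugs, decides a request against a credential's subscription set, and shows why a key limited to `hs-code-lookup` gets `403 subscription_required` on `/v1/compliance/*`. The `Decision` type, the `authorize` function and the 404 for a path outside every vertical are assumptions for illustration; the page does not describe the response for unmatched paths or the exact shape of the 403 body.

```python
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Path prefix -> slug, taken from the "Available API Verticals" table.
VERTICALS = {
    "/v1/compliance": "export-compliance",
    "/v1/hs": "hs-code-lookup",
    "/v1/aes": "aes-filing",
    "/v1/firearms": "firearms-explosives",
    "/v1/pharma": "pharma-controlled",
    "/v1/financial": "financial-securities",
    "/v1/aviation": "aviation-transport",
    "/v1/business": "professional-business",
    "/v1/legal": "legal-exclusions",
    "/v1/maritime": "maritime-port",
    "/v1/fcc": "fcc-licensing",
    "/v1/ai": "ai-assistant",
}


@dataclass(frozen=True)
class Decision:
    """Outcome of the subscription gate (assumed shape, not ComplianceGrid's)."""
    status: int             # HTTP status the gate returns
    error: Optional[str]    # error code, or None when the request may proceed
    slug: Optional[str]     # vertical the request was matched to, if any


def canonical_path(raw: str) -> str:
    """Strip query/fragment and collapse '.' and '..' segments so the gate
    checks the same path the router will dispatch on. Without this, a
    request like '/v1/hs/../compliance/screen' would be matched to the
    hs-code-lookup vertical while actually reaching the compliance endpoints."""
    path = urlsplit(raw).path or "/"
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path


def required_slug(raw_path: str) -> Optional[str]:
    """Return the slug a request path needs, or None if it lies outside every vertical."""
    path = canonical_path(raw_path)
    for prefix, slug in VERTICALS.items():
        # Segment-aware prefix match: '/v1/hs' must not match '/v1/hsx/...'.
        if path == prefix or path.startswith(prefix + "/"):
            return slug
    return None


def authorize(subscriptions: frozenset, raw_path: str) -> Decision:
    """Decide a request against the credential's subscription set.

    Fails closed: a path that belongs to no vertical is rejected rather than
    passed through. The 404 here is an assumption; the page does not say what
    an unmatched path returns."""
    slug = required_slug(raw_path)
    if slug is None:
        return Decision(404, "not_found", None)
    if slug not in subscriptions:
        return Decision(403, "subscription_required", slug)
    return Decision(200, None, slug)


if __name__ == "__main__":
    # Constructed credential subscribed to a single vertical.
    hs_only = frozenset({"hs-code-lookup"})
    print(authorize(hs_only, "/v1/hs/search?q=8471"))          # allowed
    print(authorize(hs_only, "/v1/compliance/screen"))         # 403 subscription_required
    print(authorize(hs_only, "/v1/hs/../compliance/screen"))   # still 403: '..' is collapsed first
    print(authorize(hs_only, "/v1/hsx/search"))                # no vertical: rejected
```

The two details that matter for security are the canonicalisation before matching, so that a dot-segment or a query string cannot make the gate attribute a request to the wrong vertical, and the segment-aware prefix comparison, so that a prefix like `/v1/hs` cannot be satisfied by an unrelated path that merely shares its leading characters.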