Capability catalog (formerly RBAC)
An authorization model in which capabilities attach to roles, and roles attach to users and orgs. RateStack ships 12 operational and 7 provider capabilities, published at /v1/capabilities.
Operational capabilities cover the loan, ratesheet, lock, audit, admin, integrations, security, comp, ami, and observability surfaces. Provider capabilities cover ratesheet publication, lock commit, and other partner-integration surfaces. The catalog is exposed at /v1/capabilities so partner integrators can author scoped clients without reverse-engineering the permission model.
The JWT carries an org_roles claim listing the operator's roles and any active TTL delegation grants. Org admins can shrink that set; they cannot expand it beyond the org type's default. Cross-tenant operations record the target org as actingAsOrgId on every audit row.
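The resolution rules above (roles to capabilities, the org-type default as a ceiling on what an org admin may assign, TTL delegation grants that expire, actingAsOrgId on cross-tenant audit rows) as an added example; this is not RateStack's implementation, and the role names, capability ids, org-type defaults and the exact shape of the org_roles claim entries are constructed assumptions.

```python
"""Resolve effective capabilities from an org_roles claim and audit cross-tenant
calls. Example code, not RateStack's implementation; role names, capability ids,
org-type defaults and the claim entry layout below are constructed."""
import time

# Constructed fragment of a role -> capability catalog (the real one is served at /v1/capabilities).
ROLE_CAPS = {
    "loan.officer": {"loan:read", "loan:write"},
    "lock.desk": {"lock:read", "lock:commit"},
    "org.admin": {"admin:manage-roles", "audit:read"},
}
# Constructed org-type defaults: the ceiling an org admin can shrink but never exceed.
ORG_TYPE_DEFAULT_ROLES = {
    "lender": {"loan.officer", "lock.desk", "org.admin"},
    "broker": {"loan.officer"},
}


def admin_role_set(org_type, requested):
    """An org admin's role assignment is intersected with the org type's default,
    so roles outside the default are silently dropped rather than granted."""
    return set(requested) & ORG_TYPE_DEFAULT_ROLES[org_type]


def effective_capabilities(claims, now=None):
    """Union of capabilities over standing roles and unexpired TTL delegation grants.

    Assumed claim layout: each org_roles entry is either a role name (standing role)
    or {"role": ..., "expires_at": <unix seconds>} (a delegation grant).
    """
    now = time.time() if now is None else now
    caps = set()
    for entry in claims.get("org_roles", []):
        if isinstance(entry, dict):
            if entry["expires_at"] <= now:
                continue  # an expired delegation confers nothing
            entry = entry["role"]
        caps |= ROLE_CAPS.get(entry, set())
    return caps


def authorize(claims, capability, target_org_id, now=None):
    """Decide one call and build its audit row; cross-tenant calls carry actingAsOrgId."""
    allowed = capability in effective_capabilities(claims, now)
    row = {"sub": claims["sub"], "orgId": claims["org_id"],
           "capability": capability, "allowed": allowed}
    if target_org_id != claims["org_id"]:
        row["actingAsOrgId"] = target_org_id  # cross-tenant: record the org acted upon
    return allowed, row
```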