docs(token_auth.md): add doc on rbac with JWTs

BerriAI · Jan 19, 2025 · 3d6684b · 3d6684b
1 parent 3b91a95
commit 3d6684b
Showing 1 changed file with 28 additions and 1 deletion.
diff --git a/docs/my-website/docs/proxy/token_auth.md b/docs/my-website/docs/proxy/token_auth.md
@@ -114,7 +114,7 @@ general_settings:
     admin_jwt_scope: "litellm-proxy-admin"
 ```
 
-## Advanced - Spend Tracking (End-Users / Internal Users / Team / Org)
+## Tracking End-Users / Internal Users / Team / Org
 
 Set the field in the jwt token, which corresponds to a litellm user / team / org.
 
@@ -156,6 +156,33 @@ scope: ["litellm-proxy-admin",...]
 scope: "litellm-proxy-admin ..."
 ```
 
+## Enforce Role-Based Access Control (RBAC)
+
+Reject a JWT token if it's valid but doesn't have the required scopes / fields.
+
+Only tokens which with valid Admin (`admin_jwt_scope`), User (`user_id_jwt_field`), Team (`team_id_jwt_field`) are allowed.
+
+```yaml
+general_settings:
+  master_key: sk-1234
+  enable_jwt_auth: True
+  litellm_jwtauth:
+    admin_jwt_scope: "litellm_proxy_endpoints_access"
+    admin_allowed_routes:
+      - openai_routes
+      - info_routes
+    public_key_ttl: 600
+    enforce_rbac: true # 👈 Enforce RBAC
+```
+
+Expected Scope in JWT: 
+
+```
+{
+  "scope": "litellm_proxy_endpoints_access"
+}
+```
+
 ## Advanced - Allowed Routes 
 
 Configure which routes a JWT can access via the config.