Unable to create Project API key even with Org Owner access

[skuchipu]

Hi Team,

I'm using self-hosted helm deployment with chart version 1.4.1 and integrated langfuse with Azure sso for authentication , when users logged into the project and trying to create "Project API key" it fails with permission error even when the user is Owner to the Org ,

[inkeep-ai-assistant[bot]]

This appears to be a permissions issue with your Azure SSO configuration in your self-hosted Langfuse deployment. Based on the documentation, this could be related to how user roles are being mapped from Azure AD to Langfuse.

For Azure AD authentication, you need to ensure the following environment variables are properly configured (1):

AUTH_AZURE_AD_CLIENT_ID
AUTH_AZURE_AD_CLIENT_SECRET
AUTH_AZURE_AD_TENANT_ID
AUTH_AZURE_ALLOW_ACCOUNT_LINKING=true (optional)

(1)

The OAuth redirect URL should be set to /api/auth/callback/azure-ad (1).

One potential issue mentioned in the documentation is that Azure SSO can return "No email found in user object" errors (1). This could affect how user permissions are established in Langfuse.

Additionally, there's a specific discussion thread about "Can RBAC Role Assignment be done using Azure AD SSO token?" which suggests this is a known area of complexity (1).

To troubleshoot this issue:

1. Verify that your Azure AD configuration includes the correct redirect URL
2. Check that the user's email is properly being passed from Azure AD to Langfuse
3. Ensure the user has the correct project-level permissions, not just organization-level permissions
4. Review your Azure AD token to confirm it contains the necessary user information

The documentation indicates that SSO setup can be complex, and if you encounter issues with custom SSO configurations, the Langfuse team provides commercial support for SSO setup (1).

📚 Sources:

1. Deployment Guide (v2)

---

Have another question? Just tag @inkeep.

[skuchipu]

@inkeep. Azure authentication and access works fine without any issue .except while creating Project API key failing with permission error .

[inkeep-ai-assistant[bot]]

Based on the RBAC documentation, there might be a distinction between organization-level and project-level permissions that's causing this issue (1).

In Langfuse, there are different role scopes:

• Organization-level scopes
• Project-level scopes (1)

Even though you have Owner access at the organization level, creating Project API keys requires specific project-level permissions (1). The documentation shows that users can only assign roles that are lower or equal to their own role (1).

For project management, the documentation indicates that any user with the projects:create permission can create a new project within a Langfuse organization (1). However, API key creation might require additional specific permissions at the project level.

Since you're using a self-hosted deployment with Azure SSO, you may need to check:

1. Whether the user has the appropriate project-level role (not just organization-level Owner)
2. If there are specific permissions required for API key creation that aren't being granted through the SSO mapping

The documentation mentions that in the organization settings, you can add users via their email address and assign them roles, and that any user with the members:CUD permission can change user roles (1).

For self-hosted Enterprise Edition deployments, there's also an Organization Management API that allows programmatic management of organization-level API keys (2), but this requires a license key and ADMIN_API_KEY configuration (2).

If the issue persists, you might want to verify the exact project-level permissions for the user experiencing the issue, as organization Owner permissions may not automatically grant all project-level API key creation rights.

📚 Sources:

1. Role-Based Access Controls in Langfuse - Langfuse
2. Organization Management API

---

Have another question? Just tag @inkeep.

[skuchipu]

@inkeep. as am using Opensource self-hosted helm deployment which does not offer project based roles , as per documentation org roles are inherited for open source

[inkeep-ai-assistant[bot]]

You're correct about the open-source limitations. Based on the GitHub issue discussion, this is actually a known limitation in the open-source version of Langfuse (1).

The issue you're experiencing is that project-level roles and permissions are only available in the Enterprise edition (with a license key), not in the OSS plan (1). This is why Organization Owner status doesn't automatically grant project-level permissions for actions like creating Project API keys (1).

According to the GitHub issue, this is "an intentional limitation in the current open-source/self-hosted (OSS) version of Langfuse" (1). The UI shows project roles as "N/A on plan" and prevents assignment—even for Organization Owners (1).

One team member confirmed they were able to reproduce creating annotation queues with an Organization Owner in Langfuse OSS, suggesting some organization-level permissions do work (1). However, the project-level role assignment remains one of the features that's restricted to the enterprise plan (1).

The documentation confirms that project-level roles are an enterprise feature (2). For the open-source version, you're limited to organization-level roles, and there's no built-in way to override this restriction (1).

If you need project-level API key creation capabilities, you would either need to:

1. Upgrade to the Enterprise edition with a license key
2. Make code changes to alter the entitlement checks (as mentioned in the GitHub issue) (1)

📚 Sources:

1. bug: Organization Owner does not have permission to perform actions inside their Organization
2. Role-Based Access Controls in Langfuse - Langfuse

---

Have another question? Just tag @inkeep.

[marcklingen]

Which version are you using? It seems unlikely that this person has owner access to the organization and the project yet still cannot edit the API keys. I cannot reproduce this

[grinyael86]

In my case, I have owner permission on the organization and project - self-hosted - not enterprise

[marcklingen]

Which version do you run?

[nzuchna]

Hey there,
I am encountering a similar issue. We are running a self-hosted, non enterprise instance. I have organization-level admin rights and can access api keys in all projects but one (same "Access Denied" message as above). Another admin has confirmed the same issue. I tried logging out and in again.

Any ideas or pointers? Many thanks in advance.

[jannikmaierhoefer]

Hi @nzuchna, which version of Langfuse are you running?

[nzuchna]

Hi @jannikmaierhoefer,
sorry for the late reply. We are currently running v3.160.0 and the fix for us was leaving the organisation and get added again.