LibreChat implements a comprehensive role-based access control (RBAC) system that allows you to control access to features, resources, and administrative functions.

Overview

The permissions system controls:
  • Feature access (agents, prompts, bookmarks, etc.)
  • Resource sharing and visibility
  • Administrative capabilities
  • API access levels

Permission Types

User Permissions

Control what features users can access

Resource Permissions

Manage access to agents, prompts, and files

Admin Permissions

Administrative and system-level access

API Permissions

API access and rate limiting

Environment Variables

Configure permissions using environment variables in your .env file:

User Registration & Login

ALLOW_REGISTRATION
boolean
default:"true"
Allow new users to register accounts
ALLOW_UNVERIFIED_EMAIL_LOGIN
boolean
default:"false"
Allow users to log in without verifying their email
ALLOW_SOCIAL_LOGIN
boolean
default:"false"
Enable social login (Google, GitHub, etc.)

Feature Permissions

ALLOW_AGENTS
boolean
default:"true"
Allow users to create and use agents
ALLOW_PROMPTS
boolean
default:"true"
Allow users to create and save prompts
ALLOW_BOOKMARKS
boolean
default:"true"
Enable conversation bookmarking

Sharing Permissions

Allow users to create shared conversation links

YAML Configuration

For more granular control, use librechat.yaml:
librechat.yaml
interface:
  # Control feature visibility
  agents:
    use: true      # Users can use agents
    create: true   # Users can create agents
    share: false   # Users cannot share agents
    public: false  # No public agent marketplace
  
  prompts:
    use: true      # Users can use prompts
    create: true   # Users can create prompts
    share: true    # Users can share prompts
    public: false  # No public prompt library
  
  bookmarks: true
  multiConvo: true
  presets: true
  
  # People picker for sharing
  peoplePicker:
    enabled: true
    searchByEmail: true
    searchByUsername: true

Resource Access Control

LibreChat uses an Access Control List (ACL) system for resources like agents and prompts.

Permission Types

Agent permissions:
  • use - Can use the agent in conversations
  • execute - Can run agent actions
  • share - Can share agent with others
  • update - Can modify agent configuration
  • delete - Can delete the agent
Sharing levels:
  • Private (creator only)
  • Specific users
  • Specific groups
  • Organization-wide

Migration Scripts

LibreChat provides migration scripts for updating permissions on existing resources.

Agent Permissions Migration

Migrate existing agents to the new permission system:
1. Dry Run

Preview changes without applying them:
npm run migrate:agent-permissions:dry-run

2. Full Migration

Apply permission changes to all agents:
npm run migrate:agent-permissions

3. Batch Migration

Process agents in batches for large datasets:
npm run migrate:agent-permissions:batch

Prompt Permissions Migration

Migrate existing prompts to the new permission system:
1. Dry Run

npm run migrate:prompt-permissions:dry-run

2. Full Migration

npm run migrate:prompt-permissions

3. Batch Migration

npm run migrate:prompt-permissions:batch

Always run the dry-run command first to preview changes before applying migrations in production.

Admin Roles

LibreChat supports different admin roles with varying permission levels.

Default Roles

Full system access:
  • Manage all users
  • Configure system settings
  • Access all conversations and resources
  • Manage permissions and roles
  • View system logs and analytics
User and resource management:
  • Create and manage users
  • Ban/unban users
  • View user statistics
  • Manage shared resources
Content moderation:
  • Review flagged content
  • Ban abusive users
  • Delete inappropriate content
Standard user permissions:
  • Create conversations
  • Use agents and prompts (if enabled)
  • Manage own resources

API Access Control

Control API access with environment variables:
CHECK_BALANCE
boolean
default:"false"
Enable token balance checking for API requests
LIMIT_CONCURRENT_MESSAGES
boolean
default:"true"
Limit concurrent API requests per user
CONCURRENT_MESSAGE_MAX
number
default:"2"
Maximum concurrent messages per user
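
An added example, not part of LibreChat or its documentation: a Node.js check that reads a .env file, fills in the defaults listed under User Registration & Login and API Access Control above, and reports every setting that is wider than a restrictive baseline. The baseline and the case-insensitive `true` parsing are assumptions, and `parseEnv`, `auditEnv` and `SAMPLE_ENV` are hypothetical names.

```javascript
// Added example, not LibreChat code. Variable names and defaults are the ones
// documented on this page; the "restrictive" baseline is an assumption.
const DEFAULTS = {
  ALLOW_REGISTRATION: 'true',
  ALLOW_UNVERIFIED_EMAIL_LOGIN: 'false',
  ALLOW_SOCIAL_LOGIN: 'false',
  LIMIT_CONCURRENT_MESSAGES: 'true',
  CONCURRENT_MESSAGE_MAX: '2',
};

// Minimal .env reader: KEY=VALUE lines, '#' comment lines, optional quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const m = raw.match(/^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/);
    if (!m) continue; // blank lines, comments, malformed lines
    env[m[1]] = m[2].replace(/^(['"])(.*)\1$/, '$2');
  }
  return env;
}

// Returns the settings that are wider than the baseline, after filling in
// the documented default for every variable the file leaves unset.
function auditEnv(text) {
  const env = { ...DEFAULTS, ...parseEnv(text) };
  const on = (key) => env[key].toLowerCase() === 'true'; // assumed boolean parsing
  const findings = [];
  const flag = (key, why) => findings.push({ key, value: env[key], why });
  const max = Number(env.CONCURRENT_MESSAGE_MAX);
  if (on('ALLOW_REGISTRATION')) flag('ALLOW_REGISTRATION', 'self-registration is open');
  if (on('ALLOW_UNVERIFIED_EMAIL_LOGIN')) flag('ALLOW_UNVERIFIED_EMAIL_LOGIN', 'login without a verified email');
  if (on('ALLOW_SOCIAL_LOGIN')) flag('ALLOW_SOCIAL_LOGIN', 'sign-in through external providers is enabled');
  if (!on('LIMIT_CONCURRENT_MESSAGES')) {
    flag('LIMIT_CONCURRENT_MESSAGES', 'no per-user cap on concurrent requests');
  } else if (!(max >= 1 && max <= 2)) {
    flag('CONCURRENT_MESSAGE_MAX', 'cap is invalid or above the documented default of 2');
  }
  return findings;
}

// Constructed sample input.
const SAMPLE_ENV = `
# auth
ALLOW_REGISTRATION=false
ALLOW_UNVERIFIED_EMAIL_LOGIN="true"
CONCURRENT_MESSAGE_MAX=10
`;
console.log(auditEnv(SAMPLE_ENV));
```

An empty file still produces one finding, because ALLOW_REGISTRATION defaults to true when it is not set.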

Rate Limiting

Configure rate limits in librechat.yaml:
librechat.yaml
rateLimits:
  # File uploads
  fileUploads:
    ipMax: 100
    ipWindowInMinutes: 60
    userMax: 50
    userWindowInMinutes: 60
  
  # Conversations
  conversationsImport:
    ipMax: 100
    ipWindowInMinutes: 60
    userMax: 50
    userWindowInMinutes: 60

Best Practices

1. Principle of Least Privilege

Grant users only the permissions they need. Start restrictive and expand as needed.

2. Regular Permission Audits

Periodically review user permissions and resource access to ensure they’re still appropriate.

3. Use Groups for Organization

Organize users into groups (departments, teams, etc.) for easier permission management.

4. Test Permission Changes

Always test permission changes in a development environment before applying to production.

5. Document Custom Roles

Keep documentation of any custom roles or permission configurations you create.

Troubleshooting

  • Verify sharing is enabled in librechat.yaml
  • Check resource-specific permissions
  • Ensure users have use permission for the resource type
  • Verify the resource is shared with the correct users/groups
  • Run dry-run first to identify issues
  • Use batch migration for large datasets
  • Check MongoDB connection and permissions
  • Review error logs for specific failures
  • Verify admin role is properly configured
  • Check environment variables for feature flags
  • Ensure database has been migrated to latest schema
