From mistral-pack
Configures Mistral AI enterprise RBAC via workspaces for team-scoped API keys, model restrictions, rate limits, and budgets. Includes bash API setup and TypeScript app enforcement.
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin mistral-packThis skill is limited to using the following tools:
Control access to Mistral AI at the organization level using La Plateforme workspace management: scoped API keys per team, model access restrictions, spending limits, key auditing, and automated rotation. Mistral organizes access via **Organizations > Workspaces > API Keys**, with rate limits set at the workspace level.
Guides Anthropic enterprise setup for workspaces, Console roles, API keys, and Python RBAC implementation enforcing model access and rate limits.
Implements Groq enterprise RBAC via API key projects, app-level model/token/budget/rate controls, and team configs using TypeScript patterns.
Implements multi-team API key management, model restrictions, and usage limits for Cohere enterprise API access control.
Share bugs, ideas, or general feedback.
Control access to Mistral AI at the organization level using La Plateforme workspace management: scoped API keys per team, model access restrictions, spending limits, key auditing, and automated rotation. Mistral organizes access via Organizations > Workspaces > API Keys, with rate limits set at the workspace level.
| Workspace | Team | Models Allowed | RPM | Monthly Budget |
|---|---|---|---|---|
| dev-workspace | All developers | mistral-small, codestral | 60 | $50 |
| ml-workspace | ML engineers | All models | 200 | $500 |
| prod-workspace | CI/CD only | Per-service scoped | 500 | $2000 |
Create workspaces via La Plateforme console: Organization > Workspaces > Create.
Create keys with model restrictions and rate limits in the console, or via API:
set -euo pipefail
# Dev team — restricted to cost-effective models
curl -X POST https://api.mistral.ai/v1/api-keys \
-H "Authorization: Bearer $MISTRAL_ADMIN_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "dev-team-key",
"description": "Dev team — small models only",
"workspace_id": "ws_dev_xxx"
}'
# ML team — full model access
curl -X POST https://api.mistral.ai/v1/api-keys \
-H "Authorization: Bearer $MISTRAL_ADMIN_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "ml-team-key",
"description": "ML team — all models",
"workspace_id": "ws_ml_xxx"
}'
Enforce model access in your application layer:
const ROLE_PERMISSIONS: Record<string, {
allowedModels: string[];
maxTokensPerRequest: number;
dailyTokenBudget: number;
}> = {
analyst: {
allowedModels: ['mistral-small-latest', 'mistral-embed'],
maxTokensPerRequest: 500,
dailyTokenBudget: 100_000,
},
developer: {
allowedModels: ['mistral-small-latest', 'codestral-latest', 'mistral-embed'],
maxTokensPerRequest: 2000,
dailyTokenBudget: 500_000,
},
senior: {
allowedModels: ['mistral-small-latest', 'mistral-large-latest', 'codestral-latest', 'mistral-embed'],
maxTokensPerRequest: 4000,
dailyTokenBudget: 1_000_000,
},
admin: {
allowedModels: ['*'],
maxTokensPerRequest: 8000,
dailyTokenBudget: Infinity,
},
};
function authorizeRequest(role: string, model: string, estimatedTokens: number): boolean {
const perms = ROLE_PERMISSIONS[role];
if (!perms) return false;
const modelAllowed = perms.allowedModels.includes('*') || perms.allowedModels.includes(model);
const tokensAllowed = estimatedTokens <= perms.maxTokensPerRequest;
return modelAllowed && tokensAllowed;
}
Configure in La Plateforme console: Organization > Billing > Budget Alerts.
// Application-level budget enforcement
class SpendingGuard {
private hourlySpend = 0;
private hourStart = Date.now();
private readonly maxHourlyUsd: number;
constructor(maxHourlyUsd: number) {
this.maxHourlyUsd = maxHourlyUsd;
}
recordCost(costUsd: number): void {
if (Date.now() - this.hourStart > 3_600_000) {
this.hourlySpend = 0;
this.hourStart = Date.now();
}
this.hourlySpend += costUsd;
}
canSpend(estimatedCostUsd: number): boolean {
return this.hourlySpend + estimatedCostUsd <= this.maxHourlyUsd;
}
}
set -euo pipefail
# List all API keys with metadata
curl -s https://api.mistral.ai/v1/api-keys \
-H "Authorization: Bearer $MISTRAL_ADMIN_KEY" | \
jq '.data[] | {name, id, created_at, last_used_at}'
# Identify unused keys (not used in 30+ days)
curl -s https://api.mistral.ai/v1/api-keys \
-H "Authorization: Bearer $MISTRAL_ADMIN_KEY" | \
jq '.data[] | select(.last_used_at < (now - 2592000 | todate)) | {name, id, last_used_at}'
// Rotate keys on a 90-day schedule
async function rotateApiKey(oldKeyId: string, keyName: string): Promise<string> {
// 1. Create new key
const newKey = await createApiKey({ name: `${keyName}-${Date.now()}` });
// 2. Update consuming services (secret manager)
await updateSecret('mistral-api-key', newKey.apiKey);
// 3. Wait for propagation (services pick up new secret)
await new Promise(r => setTimeout(r, 60_000));
// 4. Verify new key works
const client = new Mistral({ apiKey: newKey.apiKey });
await client.models.list(); // throws if invalid
// 5. Revoke old key
await revokeApiKey(oldKeyId);
console.log(`Rotated key: ${keyName} (old: ${oldKeyId}, new: ${newKey.id})`);
return newKey.id;
}
| Issue | Cause | Solution |
|---|---|---|
401 Unauthorized | Key revoked or invalid | Regenerate on La Plateforme |
403 Model not allowed | Key restricted from model | Use key with broader scope |
429 Rate limit | Workspace RPM exceeded | Distribute across workspaces |
| Spending alert | Monthly budget near cap | Review per-key usage, restrict heavy consumers |