Stats
Actions
Tags
From mistral-pack
Configures Mistral AI enterprise RBAC via workspaces for team-scoped API keys, model restrictions, rate limits, and budgets. Includes bash API setup and TypeScript app enforcement.
How this skill is triggered — by the user, by Claude, or both
Slash command
/mistral-pack:mistral-enterprise-rbacThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Control access to Mistral AI at the organization level using La Plateforme workspace management: scoped API keys per team, model access restrictions, spending limits, key auditing, and automated rotation. Mistral organizes access via **Organizations > Workspaces > API Keys**, with rate limits set at the workspace level.
Control access to Mistral AI at the organization level using La Plateforme workspace management: scoped API keys per team, model access restrictions, spending limits, key auditing, and automated rotation. Mistral organizes access via Organizations > Workspaces > API Keys, with rate limits set at the workspace level.
| Workspace | Team | Models Allowed | RPM | Monthly Budget |
|---|---|---|---|---|
| dev-workspace | All developers | mistral-small, codestral | 60 | $50 |
| ml-workspace | ML engineers | All models | 200 | $500 |
| prod-workspace | CI/CD only | Per-service scoped | 500 | $2000 |
Create workspaces via La Plateforme console: Organization > Workspaces > Create.
Create keys with model restrictions and rate limits in the console, or via API:
set -euo pipefail
# Dev team — restricted to cost-effective models
curl -X POST https://api.mistral.ai/v1/api-keys \
-H "Authorization: Bearer $MISTRAL_ADMIN_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "dev-team-key",
"description": "Dev team — small models only",
"workspace_id": "ws_dev_xxx"
}'
# ML team — full model access
curl -X POST https://api.mistral.ai/v1/api-keys \
-H "Authorization: Bearer $MISTRAL_ADMIN_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "ml-team-key",
"description": "ML team — all models",
"workspace_id": "ws_ml_xxx"
}'
Enforce model access in your application layer:
const ROLE_PERMISSIONS: Record<string, {
allowedModels: string[];
maxTokensPerRequest: number;
dailyTokenBudget: number;
}> = {
analyst: {
allowedModels: ['mistral-small-latest', 'mistral-embed'],
maxTokensPerRequest: 500,
dailyTokenBudget: 100_000,
},
developer: {
allowedModels: ['mistral-small-latest', 'codestral-latest', 'mistral-embed'],
maxTokensPerRequest: 2000,
dailyTokenBudget: 500_000,
},
senior: {
allowedModels: ['mistral-small-latest', 'mistral-large-latest', 'codestral-latest', 'mistral-embed'],
maxTokensPerRequest: 4000,
dailyTokenBudget: 1_000_000,
},
admin: {
allowedModels: ['*'],
maxTokensPerRequest: 8000,
dailyTokenBudget: Infinity,
},
};
function authorizeRequest(role: string, model: string, estimatedTokens: number): boolean {
const perms = ROLE_PERMISSIONS[role];
if (!perms) return false;
const modelAllowed = perms.allowedModels.includes('*') || perms.allowedModels.includes(model);
const tokensAllowed = estimatedTokens <= perms.maxTokensPerRequest;
return modelAllowed && tokensAllowed;
}
Configure in La Plateforme console: Organization > Billing > Budget Alerts.
// Application-level budget enforcement
class SpendingGuard {
private hourlySpend = 0;
private hourStart = Date.now();
private readonly maxHourlyUsd: number;
constructor(maxHourlyUsd: number) {
this.maxHourlyUsd = maxHourlyUsd;
}
recordCost(costUsd: number): void {
if (Date.now() - this.hourStart > 3_600_000) {
this.hourlySpend = 0;
this.hourStart = Date.now();
}
this.hourlySpend += costUsd;
}
canSpend(estimatedCostUsd: number): boolean {
return this.hourlySpend + estimatedCostUsd <= this.maxHourlyUsd;
}
}
set -euo pipefail
# List all API keys with metadata
curl -s https://api.mistral.ai/v1/api-keys \
-H "Authorization: Bearer $MISTRAL_ADMIN_KEY" | \
jq '.data[] | {name, id, created_at, last_used_at}'
# Identify unused keys (not used in 30+ days)
curl -s https://api.mistral.ai/v1/api-keys \
-H "Authorization: Bearer $MISTRAL_ADMIN_KEY" | \
jq '.data[] | select(.last_used_at < (now - 2592000 | todate)) | {name, id, last_used_at}'
// Rotate keys on a 90-day schedule
async function rotateApiKey(oldKeyId: string, keyName: string): Promise<string> {
// 1. Create new key
const newKey = await createApiKey({ name: `${keyName}-${Date.now()}` });
// 2. Update consuming services (secret manager)
await updateSecret('mistral-api-key', newKey.apiKey);
// 3. Wait for propagation (services pick up new secret)
await new Promise(r => setTimeout(r, 60_000));
// 4. Verify new key works
const client = new Mistral({ apiKey: newKey.apiKey });
await client.models.list(); // throws if invalid
// 5. Revoke old key
await revokeApiKey(oldKeyId);
console.log(`Rotated key: ${keyName} (old: ${oldKeyId}, new: ${newKey.id})`);
return newKey.id;
}
| Issue | Cause | Solution |
|---|---|---|
401 Unauthorized | Key revoked or invalid | Regenerate on La Plateforme |
403 Model not allowed | Key restricted from model | Use key with broader scope |
429 Rate limit | Workspace RPM exceeded | Distribute across workspaces |
| Spending alert | Monthly budget near cap | Review per-key usage, restrict heavy consumers |
npx claudepluginhub jeremylongshore/claude-code-plugins-plus-skills --plugin mistral-packGuides Anthropic enterprise setup for workspaces, Console roles, API keys, and Python RBAC implementation enforcing model access and rate limits.
Implements Groq enterprise RBAC via API key projects, app-level model/token/budget/rate controls, and team configs using TypeScript patterns.
Implements multi-team API key management, model restrictions, and usage limits for Cohere enterprise API access control.