From b1131fcfba76dba277eed4c55f37a1fecaf5bcdc Mon Sep 17 00:00:00 2001
From: Stanislav Bychkov <stanislb@netapp.com>
Date: Mon, 8 Dec 2025 04:29:47 +0100
Subject: [PATCH] =?UTF-8?q?feat:=20Role=20based=20Cadence-web.=20-=20UI=20?=
 =?UTF-8?q?RBAC=20aligned=20with=20Cadence=20JWT=20auth:=20tokens=20come?=
 =?UTF-8?q?=20from=20cookie=20(cadence-authorization)=20or=20env=20(CADENC?=
 =?UTF-8?q?E=5FWEB=5FJWT=5FTOKEN),=20are=20forwarded=20on=20all=20gRPC=20c?=
 =?UTF-8?q?alls,=20and=20claims/groups=20drive=20what=20the=20UI=20shows/e?=
 =?UTF-8?q?nables.=20-=20Auth=20endpoints:=20POST=20/api/auth/token=20to?=
 =?UTF-8?q?=20set=20the=20HttpOnly=20cookie,=20DELETE=20/api/auth/token=20?=
 =?UTF-8?q?to=20clear=20it,=20GET=20/api/auth/me=20to=20expose=20public=20?=
 =?UTF-8?q?auth=20context.=20-=20User=20context=20middleware=20populates?=
 =?UTF-8?q?=20gRPC=20metadata=20and=20user=20info=20for=20all=20route=20ha?=
 =?UTF-8?q?ndlers.=20-=20Domain=20visibility:=20getAllDomains=20filters=20?=
 =?UTF-8?q?by=20READ=5FGROUPS/WRITE=5FGROUPS.=20Redirects=20respect=20the?=
 =?UTF-8?q?=20filtered=20list.=20-=20Workflow/domain=20actions:=20start/si?=
 =?UTF-8?q?gnal/terminate/etc.=20are=20disabled=20with=20=E2=80=9CNot=20au?=
 =?UTF-8?q?thorized=E2=80=9D=20when=20the=20token=20lacks=20write=20access?=
 =?UTF-8?q?;=20-=20Login/logout=20UI:=20navbar=20shows=20JWT=20paste=20mod?=
 =?UTF-8?q?al=20when=20unauthenticated.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stanislav Bychkov <stanislb@netapp.com>
---
 README.md                                     |   2 +
 src/app/api/auth/me/route.ts                  |  11 +
 src/app/api/auth/token/route.ts               |  40 ++
 src/components/app-nav-bar/app-nav-bar.tsx    | 132 ++++++-
 .../auth-token-modal/auth-token-modal.tsx     |  85 ++++
 src/config/dynamic/dynamic.config.ts          |  10 +
 .../use-domain-access/use-domain-access.ts    |  55 +++
 src/hooks/use-user-info/use-user-info.ts      |  17 +
 .../__tests__/start-workflow.node.ts          |   3 +
 src/utils/auth/__tests__/auth-context.test.ts | 370 ++++++++++++++++++
 src/utils/auth/auth-context.ts                | 134 +++++++
 src/utils/auth/auth-shared.ts                 | 107 +++++
 .../__fixtures__/resolved-config-values.ts    |   2 +
 ...ute-handlers-default-middlewares.config.ts |   4 +-
 .../middlewares/__tests__/user-info.test.ts   |  94 +++++
 .../middlewares/user-info.ts                  |  24 +-
 .../middlewares/user-info.types.ts            |   6 +-
 ...domain-page-start-workflow-button.test.tsx |  14 +
 .../domain-page-start-workflow-button.tsx     |  16 +-
 .../__tests__/domain-workflows.test.tsx       |  50 ++-
 .../domain-workflows/domain-workflows.tsx     |  20 +-
 .../is-cluster-advanced-visibility-enabled.ts |   3 +-
 src/views/domains-page/domains-page.tsx       |  10 +-
 .../domains-page/helpers/get-all-domains.ts   |  21 +-
 .../__tests__/redirect-domain.node.ts         |  23 +-
 src/views/redirect-domain/redirect-domain.tsx |   5 +-
 .../use-domain-description.ts                 |  11 +
 .../__tests__/workflow-actions.test.tsx       |  21 +
 .../__tests__/workflow-actions-menu.test.tsx  |  14 +
 .../workflow-actions-menu.tsx                 |   5 +-
 .../workflow-actions-menu.types.ts            |   1 +
 .../workflow-actions/workflow-actions.tsx     |  10 +-
 32 files changed, 1258 insertions(+), 62 deletions(-)
 create mode 100644 src/app/api/auth/me/route.ts
 create mode 100644 src/app/api/auth/token/route.ts
 create mode 100644 src/components/auth-token-modal/auth-token-modal.tsx
 create mode 100644 src/hooks/use-domain-access/use-domain-access.ts
 create mode 100644 src/hooks/use-user-info/use-user-info.ts
 create mode 100644 src/utils/auth/__tests__/auth-context.test.ts
 create mode 100644 src/utils/auth/auth-context.ts
 create mode 100644 src/utils/auth/auth-shared.ts
 create mode 100644 src/utils/route-handlers-middleware/middlewares/__tests__/user-info.test.ts
 create mode 100644 src/views/shared/hooks/use-domain-description/use-domain-description.ts

diff --git a/README.md b/README.md
index 970716ff2..c5e2d17dd 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,8 @@ Set these environment variables if you need to change their defaults
 | CADENCE_WEB_PORT             | HTTP port to serve on                                                         | 8088             |
 | CADENCE_WEB_HOSTNAME         | Host name to serve on                                                         | 0.0.0.0          |
 | CADENCE_ADMIN_SECURITY_TOKEN | Admin token for accessing admin methods                                       | ''               |
+| CADENCE_WEB_RBAC_ENABLED     | Enables RBAC-aware UI (login/logout).                                         | false            |
+| CADENCE_WEB_JWT_TOKEN        | Static Cadence JWT forwarded when no request token exists                     | ''               |
 | CADENCE_GRPC_TLS_CA_FILE     | Path to root CA certificate file for enabling one-way TLS on gRPC connections | ''               |
 | CADENCE_WEB_SERVICE_NAME     | Name of the web service used as GRPC caller and OTEL resource name            | cadence-web      |
 
diff --git a/src/app/api/auth/me/route.ts b/src/app/api/auth/me/route.ts
new file mode 100644
index 000000000..caba92529
--- /dev/null
+++ b/src/app/api/auth/me/route.ts
@@ -0,0 +1,11 @@
+import { NextResponse, type NextRequest } from 'next/server';
+
+import {
+  getPublicAuthContext,
+  resolveAuthContext,
+} from '@/utils/auth/auth-context';
+
+export async function GET(request: NextRequest) {
+  const authContext = await resolveAuthContext(request.cookies);
+  return NextResponse.json(getPublicAuthContext(authContext));
+}
diff --git a/src/app/api/auth/token/route.ts b/src/app/api/auth/token/route.ts
new file mode 100644
index 000000000..d2a980bee
--- /dev/null
+++ b/src/app/api/auth/token/route.ts
@@ -0,0 +1,40 @@
+import { NextResponse, type NextRequest } from 'next/server';
+
+import { CADENCE_AUTH_COOKIE_NAME } from '@/utils/auth/auth-context';
+
+const COOKIE_OPTIONS = {
+  httpOnly: true,
+  secure: process.env.NODE_ENV !== 'development',
+  sameSite: 'lax' as const,
+  path: '/',
+};
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json();
+    if (!body?.token || typeof body.token !== 'string') {
+      return NextResponse.json(
+        { message: 'A valid token is required' },
+        { status: 400 }
+      );
+    }
+
+    const response = NextResponse.json({ ok: true });
+    response.cookies.set(CADENCE_AUTH_COOKIE_NAME, body.token, COOKIE_OPTIONS);
+    return response;
+  } catch {
+    return NextResponse.json(
+      { message: 'Invalid request body' },
+      { status: 400 }
+    );
+  }
+}
+
+export async function DELETE() {
+  const response = NextResponse.json({ ok: true });
+  response.cookies.set(CADENCE_AUTH_COOKIE_NAME, '', {
+    ...COOKIE_OPTIONS,
+    maxAge: 0,
+  });
+  return response;
+}
diff --git a/src/components/app-nav-bar/app-nav-bar.tsx b/src/components/app-nav-bar/app-nav-bar.tsx
index c30c221e3..72f846a93 100644
--- a/src/components/app-nav-bar/app-nav-bar.tsx
+++ b/src/components/app-nav-bar/app-nav-bar.tsx
@@ -1,29 +1,129 @@
 'use client';
+import React, { useMemo, useState } from 'react';
+
 import { AppNavBar as BaseAppNavBar } from 'baseui/app-nav-bar';
+import { useSnackbar } from 'baseui/snackbar';
 import NextLink from 'next/link';
+import { useRouter } from 'next/navigation';
 
 import useStyletronClasses from '@/hooks/use-styletron-classes';
+import useUserInfo from '@/hooks/use-user-info/use-user-info';
+import request from '@/utils/request';
+
+import AuthTokenModal from '../auth-token-modal/auth-token-modal';
 
 import { cssStyles } from './app-nav-bar.styles';
 
+const LOGIN_ITEM = 'login';
+const LOGOUT_ITEM = 'logout';
+
 export default function AppNavBar() {
   const { cls } = useStyletronClasses(cssStyles);
+  const router = useRouter();
+  const { enqueue } = useSnackbar();
+  const [isModalOpen, setIsModalOpen] = useState(false);
+
+  const { data: authInfo, isLoading: isAuthLoading, refetch } = useUserInfo();
+  const userItems = useMemo(() => {
+    if (!authInfo?.rbacEnabled) return undefined;
+    if (!authInfo.isAuthenticated) {
+      return [{ label: 'Login with JWT', info: LOGIN_ITEM }];
+    }
+    return [
+      { label: 'Switch token', info: LOGIN_ITEM },
+      { label: 'Logout', info: LOGOUT_ITEM },
+    ];
+  }, [authInfo]);
+
+  const username = useMemo(() => {
+    if (!authInfo?.rbacEnabled) {
+      return undefined;
+    }
+    if (isAuthLoading || !authInfo) {
+      return 'Checking access...';
+    }
+    return authInfo.isAuthenticated
+      ? authInfo.userName || 'Authenticated user'
+      : 'Authenticate';
+  }, [authInfo, isAuthLoading]);
+
+  const usernameSubtitle =
+    authInfo?.rbacEnabled && authInfo.isAuthenticated
+      ? authInfo.isAdmin
+        ? 'Admin'
+        : 'Authenticated'
+      : authInfo?.rbacEnabled
+        ? 'Paste a Cadence JWT'
+        : undefined;
+
+  const saveToken = async (token: string) => {
+    try {
+      await request('/api/auth/token', {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ token }),
+      });
+      await refetch();
+      enqueue({ message: 'Token saved' });
+      setIsModalOpen(false);
+      router.refresh();
+    } catch (e) {
+      const message =
+        e instanceof Error ? e.message : 'Failed to save authentication token';
+      enqueue({ message });
+      throw e;
+    }
+  };
+
+  const logout = async () => {
+    try {
+      await request('/api/auth/token', { method: 'DELETE' });
+      enqueue({ message: 'Signed out' });
+    } catch (e) {
+      const message = e instanceof Error ? e.message : 'Failed to sign out';
+      enqueue({ message });
+    } finally {
+      setIsModalOpen(false);
+      await refetch();
+      router.refresh();
+    }
+  };
+
   return (
-    <BaseAppNavBar
-      title={
-        <NextLink href="/">
-          <svg
-            className={cls.titleIcon}
-            viewBox="0 0 92 24"
-            xmlns="http://www.w3.org/2000/svg"
-          >
-            <path
-              d="m0.66 12.278c0-0.44 0.029333-0.8653 0.088-1.276 0.073333-0.4253 0.176-0.836 0.308-1.232s0.29333-0.7773 0.484-1.144 0.40333-0.71133 0.638-1.034c0.24933-0.33733 0.51333-0.65267 0.792-0.946 0.29333-0.29333 0.60867-0.55733 0.946-0.792 0.33733-0.24933 0.69667-0.46934 1.078-0.66001 0.38133-0.19066 0.77733-0.35199 1.188-0.48399 0.42533-0.132 0.858-0.22733 1.298-0.286 0.45467-0.07333 0.91667-0.11 1.386-0.11 1.3787 0 2.64 0.308 3.784 0.924s2.09 1.4153 2.838 2.398l-2.31 1.694c-0.4987-0.704-1.1293-1.2613-1.892-1.672-0.7627-0.42533-1.5547-0.638-2.376-0.638-0.36667 0-0.726 0.03667-1.078 0.11-0.33733 0.05867-0.66733 0.154-0.99 0.286-0.308 0.11733-0.60133 0.264-0.88 0.44s-0.53533 0.3813-0.77 0.616-0.44733 0.49129-0.638 0.76999-0.352 0.57931-0.484 0.90201-0.23467 0.66-0.308 1.012c-0.05867 0.352-0.088 0.726-0.088 1.122s0.03667 0.7773 0.11 1.144c0.07333 0.352 0.176 0.6893 0.308 1.012s0.29333 0.6233 0.484 0.902 0.40333 0.5353 0.638 0.77 0.49133 0.44 0.77 0.616 0.572 0.33 0.88 0.462c0.32267 0.1173 0.65267 0.2127 0.99 0.286 0.33733 0.0587 0.68933 0.088 1.056 0.088 0.88 0 1.7013-0.198 2.464-0.594 0.7773-0.4107 1.4007-0.9753 1.87-1.694l2.31 1.694c-0.7187 0.9827-1.65 1.782-2.794 2.398s-2.42 0.924-3.828 0.924c-0.484 0-0.95333-0.0367-1.408-0.11-0.45467-0.0587-0.89467-0.154-1.32-0.286-0.41067-0.132-0.80667-0.2933-1.188-0.484s-0.748-0.4033-1.1-0.638c-0.33733-0.2347-0.65267-0.4987-0.946-0.792-0.27867-0.2933-0.54267-0.6013-0.792-0.924-0.24933-0.3373-0.46933-0.6893-0.66-1.056-0.176-0.3667-0.33-0.748-0.462-1.144-0.132-0.4107-0.23467-0.8287-0.308-1.254-0.058667-0.4253-0.088-0.8653-0.088-1.32zm15.83 4.532c0-1.012 0.33-1.804 0.99-2.376 0.6746-0.5867 1.6133-0.924 2.816-1.012l3.344-0.242v-0.44c0-0.5573-0.1834-0.9973-0.55-1.32-0.352-0.3227-0.8654-0.484-1.54-0.484-0.5134 0-1.0194 0.088-1.518 0.264-0.4987 0.1613-0.9974 0.4107-1.496 0.748l-1.21-2.046c0.66-0.484 1.3713-0.85801 2.134-1.122 0.7626-0.264 1.5766-0.39599 2.442-0.39599 1.364 0 2.4566 0.3667 3.278 1.1 0.836 0.7333 1.254 1.7013 1.254 2.904v4.466c0 0.2053 0.0513 0.3667 0.154 0.484 0.1173 0.1173 0.2786 0.176 0.484 0.176h0.594v2.486h-1.342c-0.5427 0-1.0194-0.1173-1.43-0.352-0.4107-0.2493-0.7114-0.5793-0.902-0.99-0.396 0.4987-0.902 0.8947-1.518 1.188s-1.298 0.44-2.046 0.44c-1.1294 0-2.068-0.33-2.816-0.99s-1.122-1.4887-1.122-2.486zm2.75-0.022c0 0.396 0.1686 0.7113 0.506 0.946 0.3373 0.2347 0.7773 0.352 1.32 0.352 0.7186 0 1.3273-0.198 1.826-0.594 0.4986-0.4107 0.748-0.902 0.748-1.474v-0.726l-2.948 0.264c-0.484 0.044-0.8507 0.1687-1.1 0.374-0.2347 0.2053-0.352 0.4913-0.352 0.858zm21.739 3.212h-2.86v-1.056c-0.4987 0.4253-1.0633 0.7627-1.694 1.012-0.6307 0.2347-1.2907 0.352-1.98 0.352-0.3813 0-0.748-0.0367-1.1-0.11-0.352-0.0587-0.6967-0.1467-1.034-0.264s-0.6527-0.264-0.946-0.44-0.572-0.374-0.836-0.594-0.5133-0.462-0.748-0.726c-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3227-0.6013-0.44-0.924c-0.1173-0.3373-0.2127-0.6747-0.286-1.012-0.0587-0.352-0.088-0.7113-0.088-1.078s0.0293-0.726 0.088-1.078c0.0733-0.352 0.1687-0.6893 0.286-1.012s0.264-0.6307 0.44-0.924 0.374-0.572 0.594-0.836c0.2347-0.264 0.484-0.506 0.748-0.726s0.5427-0.418 0.836-0.594 0.6087-0.32271 0.946-0.44001 0.682-0.20529 1.034-0.26399c0.352-0.0733 0.7187-0.11 1.1-0.11 0.6893 0 1.342 0.12469 1.958 0.37399 0.6307 0.2347 1.1953 0.55731 1.694 0.96801v-5.082h2.882v15.4zm-2.838-5.676c0-0.968-0.3373-1.782-1.012-2.442-0.6747-0.6747-1.4887-1.012-2.442-1.012-0.9387 0-1.7527 0.3373-2.442 1.012-0.6747 0.66-1.012 1.474-1.012 2.442 0 0.9533 0.3373 1.7747 1.012 2.464 0.6893 0.6747 1.5033 1.012 2.442 1.012 0.9533 0 1.7673-0.3373 2.442-1.012 0.6747-0.6893 1.012-1.5107 1.012-2.464zm4.4117-0.022c0-0.352 0.0293-0.6967 0.088-1.034s0.1467-0.6673 0.264-0.99 0.2567-0.6307 0.418-0.924c0.176-0.2933 0.3667-0.572 0.572-0.836 0.22-0.264 0.4547-0.506 0.704-0.726 0.264-0.22 0.5353-0.418 0.814-0.594 0.2933-0.176 0.6013-0.3227 0.924-0.44 0.3373-0.132 0.682-0.2273 1.034-0.286 0.352-0.0733 0.7113-0.11 1.078-0.11 0.4253 0 0.836 0.0367 1.232 0.11s0.77 0.1833 1.122 0.33 0.682 0.33 0.99 0.55c0.308 0.2053 0.5867 0.4473 0.836 0.726 0.264 0.264 0.4987 0.5573 0.704 0.88s0.374 0.6673 0.506 1.034c0.1467 0.3667 0.2567 0.7553 0.33 1.166s0.11 0.836 0.11 1.276v0.836h-8.778c0.1907 0.7333 0.572 1.342 1.144 1.826s1.254 0.726 2.046 0.726c0.6013 0 1.144-0.11 1.628-0.33 0.4987-0.2347 0.9533-0.6233 1.364-1.166l2.002 1.496c-0.572 0.7773-1.2833 1.386-2.134 1.826-0.836 0.4253-1.782 0.638-2.838 0.638-0.3813 0-0.7553-0.0293-1.122-0.088s-0.7187-0.1467-1.056-0.264-0.66-0.2567-0.968-0.418c-0.308-0.176-0.594-0.3667-0.858-0.572-0.264-0.22-0.5133-0.4547-0.748-0.704-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3227-0.6013-0.44-0.924c-0.1173-0.3373-0.2127-0.6893-0.286-1.056-0.0587-0.3667-0.088-0.7407-0.088-1.122zm5.83-3.476c-0.6747 0-1.2687 0.2053-1.782 0.616-0.5133 0.396-0.8653 0.9387-1.056 1.628h5.83c-0.2053-0.704-0.5867-1.254-1.144-1.65-0.5427-0.396-1.1587-0.594-1.848-0.594zm17.994 1.936v7.238h-2.882v-6.666c0-0.7333-0.22-1.32-0.66-1.76-0.4254-0.4547-0.99-0.682-1.694-0.682-0.6894 0-1.2614 0.22-1.716 0.66-0.44 0.44-0.66 1.034-0.66 1.782v6.666h-2.882v-11.374h2.882v0.968c0.396-0.4107 0.858-0.72601 1.386-0.94601 0.5426-0.22 1.122-0.32999 1.738-0.32999 0.3373 0 0.6526 0.0293 0.946 0.088 0.308 0.0587 0.6013 0.1467 0.88 0.264 0.2786 0.1027 0.5353 0.2347 0.77 0.396 0.2346 0.1613 0.4473 0.3447 0.638 0.55 0.2053 0.1907 0.3813 0.4107 0.528 0.66 0.1613 0.2347 0.2933 0.484 0.396 0.748 0.1026 0.264 0.1833 0.5427 0.242 0.836 0.0586 0.2933 0.088 0.594 0.088 0.902zm4.4524 1.54c0 0.9533 0.33 1.7673 0.99 2.442 0.6747 0.6747 1.474 1.012 2.398 1.012 0.6013 0 1.144-0.132 1.628-0.396 0.4987-0.264 0.9093-0.6233 1.232-1.078l2.046 1.496c-0.572 0.748-1.2613 1.3567-2.068 1.826-0.792 0.4547-1.738 0.682-2.838 0.682-0.396 0-0.7773-0.0367-1.144-0.11-0.3667-0.0587-0.726-0.1467-1.078-0.264-0.3373-0.1173-0.66-0.264-0.968-0.44s-0.6013-0.374-0.88-0.594c-0.264-0.22-0.5133-0.462-0.748-0.726-0.22-0.264-0.418-0.5427-0.594-0.836s-0.33-0.6013-0.462-0.924c-0.1173-0.3227-0.2127-0.66-0.286-1.012-0.0587-0.352-0.088-0.7113-0.088-1.078s0.0293-0.726 0.088-1.078c0.0733-0.352 0.1687-0.6893 0.286-1.012 0.132-0.3227 0.286-0.6307 0.462-0.924s0.374-0.5647 0.594-0.814c0.2347-0.264 0.484-0.506 0.748-0.726 0.2787-0.22 0.572-0.418 0.88-0.594s0.6307-0.32271 0.968-0.44001c0.352-0.1173 0.7113-0.20529 1.078-0.26399 0.3667-0.0733 0.748-0.11 1.144-0.11 1.1 0 2.046 0.23469 2.838 0.70399 0.8067 0.4547 1.496 1.056 2.068 1.804l-2.046 1.496c-0.3227-0.4547-0.7333-0.814-1.232-1.078-0.484-0.264-1.0267-0.396-1.628-0.396-0.924 0-1.7233 0.3373-2.398 1.012-0.66 0.66-0.99 1.4667-0.99 2.42zm8.6556 0c0-0.352 0.0294-0.6967 0.088-1.034 0.0587-0.3373 0.1467-0.6673 0.264-0.99 0.1174-0.3227 0.2567-0.6307 0.418-0.924 0.176-0.2933 0.3667-0.572 0.572-0.836 0.22-0.264 0.4547-0.506 0.704-0.726 0.264-0.22 0.5354-0.418 0.814-0.594 0.2934-0.176 0.6014-0.3227 0.924-0.44 0.3374-0.132 0.682-0.2273 1.034-0.286 0.352-0.0733 0.7114-0.11 1.078-0.11 0.4254 0 0.836 0.0367 1.232 0.11s0.77 0.1833 1.122 0.33 0.682 0.33 0.99 0.55c0.308 0.2053 0.5867 0.4473 0.836 0.726 0.264 0.264 0.4987 0.5573 0.704 0.88 0.2054 0.3227 0.374 0.6673 0.506 1.034 0.1467 0.3667 0.2567 0.7553 0.33 1.166 0.0734 0.4107 0.11 0.836 0.11 1.276v0.836h-8.778c0.1907 0.7333 0.572 1.342 1.144 1.826s1.254 0.726 2.046 0.726c0.6014 0 1.144-0.11 1.628-0.33 0.4987-0.2347 0.9534-0.6233 1.364-1.166l2.002 1.496c-0.572 0.7773-1.2833 1.386-2.134 1.826-0.836 0.4253-1.782 0.638-2.838 0.638-0.3813 0-0.7553-0.0293-1.122-0.088-0.3666-0.0587-0.7186-0.1467-1.056-0.264-0.3373-0.1173-0.66-0.2567-0.968-0.418-0.308-0.176-0.594-0.3667-0.858-0.572-0.264-0.22-0.5133-0.4547-0.748-0.704-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3226-0.6013-0.44-0.924c-0.1173-0.3373-0.2126-0.6893-0.286-1.056-0.0586-0.3667-0.088-0.7407-0.088-1.122zm5.83-3.476c-0.6746 0-1.2686 0.2053-1.782 0.616-0.5133 0.396-0.8653 0.9387-1.056 1.628h5.83c-0.2053-0.704-0.5866-1.254-1.144-1.65-0.5426-0.396-1.1586-0.594-1.848-0.594z"
-              fill="#000"
-            />
-          </svg>
-        </NextLink>
-      }
-    />
+    <>
+      <BaseAppNavBar
+        title={
+          <NextLink href="/">
+            <svg
+              className={cls.titleIcon}
+              viewBox="0 0 92 24"
+              xmlns="http://www.w3.org/2000/svg"
+            >
+              <path
+                d="m0.66 12.278c0-0.44 0.029333-0.8653 0.088-1.276 0.073333-0.4253 0.176-0.836 0.308-1.232s0.29333-0.7773 0.484-1.144 0.40333-0.71133 0.638-1.034c0.24933-0.33733 0.51333-0.65267 0.792-0.946 0.29333-0.29333 0.60867-0.55733 0.946-0.792 0.33733-0.24933 0.69667-0.46934 1.078-0.66001 0.38133-0.19066 0.77733-0.35199 1.188-0.48399 0.42533-0.132 0.858-0.22733 1.298-0.286 0.45467-0.07333 0.91667-0.11 1.386-0.11 1.3787 0 2.64 0.308 3.784 0.924s2.09 1.4153 2.838 2.398l-2.31 1.694c-0.4987-0.704-1.1293-1.2613-1.892-1.672-0.7627-0.42533-1.5547-0.638-2.376-0.638-0.36667 0-0.726 0.03667-1.078 0.11-0.33733 0.05867-0.66733 0.154-0.99 0.286-0.308 0.11733-0.60133 0.264-0.88 0.44s-0.53533 0.3813-0.77 0.616-0.44733 0.49129-0.638 0.76999-0.352 0.57931-0.484 0.90201-0.23467 0.66-0.308 1.012c-0.05867 0.352-0.088 0.726-0.088 1.122s0.03667 0.7773 0.11 1.144c0.07333 0.352 0.176 0.6893 0.308 1.012s0.29333 0.6233 0.484 0.902 0.40333 0.5353 0.638 0.77 0.49133 0.44 0.77 0.616 0.572 0.33 0.88 0.462c0.32267 0.1173 0.65267 0.2127 0.99 0.286 0.33733 0.0587 0.68933 0.088 1.056 0.088 0.88 0 1.7013-0.198 2.464-0.594 0.7773-0.4107 1.4007-0.9753 1.87-1.694l2.31 1.694c-0.7187 0.9827-1.65 1.782-2.794 2.398s-2.42 0.924-3.828 0.924c-0.484 0-0.95333-0.0367-1.408-0.11-0.45467-0.0587-0.89467-0.154-1.32-0.286-0.41067-0.132-0.80667-0.2933-1.188-0.484s-0.748-0.4033-1.1-0.638c-0.33733-0.2347-0.65267-0.4987-0.946-0.792-0.27867-0.2933-0.54267-0.6013-0.792-0.924-0.24933-0.3373-0.46933-0.6893-0.66-1.056-0.176-0.3667-0.33-0.748-0.462-1.144-0.132-0.4107-0.23467-0.8287-0.308-1.254-0.058667-0.4253-0.088-0.8653-0.088-1.32zm15.83 4.532c0-1.012 0.33-1.804 0.99-2.376 0.6746-0.5867 1.6133-0.924 2.816-1.012l3.344-0.242v-0.44c0-0.5573-0.1834-0.9973-0.55-1.32-0.352-0.3227-0.8654-0.484-1.54-0.484-0.5134 0-1.0194 0.088-1.518 0.264-0.4987 0.1613-0.9974 0.4107-1.496 0.748l-1.21-2.046c0.66-0.484 1.3713-0.85801 2.134-1.122 0.7626-0.264 1.5766-0.39599 2.442-0.39599 1.364 0 2.4566 0.3667 3.278 1.1 0.836 0.7333 1.254 1.7013 1.254 2.904v4.466c0 0.2053 0.0513 0.3667 0.154 0.484 0.1173 0.1173 0.2786 0.176 0.484 0.176h0.594v2.486h-1.342c-0.5427 0-1.0194-0.1173-1.43-0.352-0.4107-0.2493-0.7114-0.5793-0.902-0.99-0.396 0.4987-0.902 0.8947-1.518 1.188s-1.298 0.44-2.046 0.44c-1.1294 0-2.068-0.33-2.816-0.99s-1.122-1.4887-1.122-2.486zm2.75-0.022c0 0.396 0.1686 0.7113 0.506 0.946 0.3373 0.2347 0.7773 0.352 1.32 0.352 0.7186 0 1.3273-0.198 1.826-0.594 0.4986-0.4107 0.748-0.902 0.748-1.474v-0.726l-2.948 0.264c-0.484 0.044-0.8507 0.1687-1.1 0.374-0.2347 0.2053-0.352 0.4913-0.352 0.858zm21.739 3.212h-2.86v-1.056c-0.4987 0.4253-1.0633 0.7627-1.694 1.012-0.6307 0.2347-1.2907 0.352-1.98 0.352-0.3813 0-0.748-0.0367-1.1-0.11-0.352-0.0587-0.6967-0.1467-1.034-0.264s-0.6527-0.264-0.946-0.44-0.572-0.374-0.836-0.594-0.5133-0.462-0.748-0.726c-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3227-0.6013-0.44-0.924c-0.1173-0.3373-0.2127-0.6747-0.286-1.012-0.0587-0.352-0.088-0.7113-0.088-1.078s0.0293-0.726 0.088-1.078c0.0733-0.352 0.1687-0.6893 0.286-1.012s0.264-0.6307 0.44-0.924 0.374-0.572 0.594-0.836c0.2347-0.264 0.484-0.506 0.748-0.726s0.5427-0.418 0.836-0.594 0.6087-0.32271 0.946-0.44001 0.682-0.20529 1.034-0.26399c0.352-0.0733 0.7187-0.11 1.1-0.11 0.6893 0 1.342 0.12469 1.958 0.37399 0.6307 0.2347 1.1953 0.55731 1.694 0.96801v-5.082h2.882v15.4zm-2.838-5.676c0-0.968-0.3373-1.782-1.012-2.442-0.6747-0.6747-1.4887-1.012-2.442-1.012-0.9387 0-1.7527 0.3373-2.442 1.012-0.6747 0.66-1.012 1.474-1.012 2.442 0 0.9533 0.3373 1.7747 1.012 2.464 0.6893 0.6747 1.5033 1.012 2.442 1.012 0.9533 0 1.7673-0.3373 2.442-1.012 0.6747-0.6893 1.012-1.5107 1.012-2.464zm4.4117-0.022c0-0.352 0.0293-0.6967 0.088-1.034s0.1467-0.6673 0.264-0.99 0.2567-0.6307 0.418-0.924c0.176-0.2933 0.3667-0.572 0.572-0.836 0.22-0.264 0.4547-0.506 0.704-0.726 0.264-0.22 0.5353-0.418 0.814-0.594 0.2933-0.176 0.6013-0.3227 0.924-0.44 0.3373-0.132 0.682-0.2273 1.034-0.286 0.352-0.0733 0.7113-0.11 1.078-0.11 0.4253 0 0.836 0.0367 1.232 0.11s0.77 0.1833 1.122 0.33 0.682 0.33 0.99 0.55c0.308 0.2053 0.5867 0.4473 0.836 0.726 0.264 0.264 0.4987 0.5573 0.704 0.88s0.374 0.6673 0.506 1.034c0.1467 0.3667 0.2567 0.7553 0.33 1.166s0.11 0.836 0.11 1.276v0.836h-8.778c0.1907 0.7333 0.572 1.342 1.144 1.826s1.254 0.726 2.046 0.726c0.6013 0 1.144-0.11 1.628-0.33 0.4987-0.2347 0.9533-0.6233 1.364-1.166l2.002 1.496c-0.572 0.7773-1.2833 1.386-2.134 1.826-0.836 0.4253-1.782 0.638-2.838 0.638-0.3813 0-0.7553-0.0293-1.122-0.088s-0.7187-0.1467-1.056-0.264-0.66-0.2567-0.968-0.418c-0.308-0.176-0.594-0.3667-0.858-0.572-0.264-0.22-0.5133-0.4547-0.748-0.704-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3227-0.6013-0.44-0.924c-0.1173-0.3373-0.2127-0.6893-0.286-1.056-0.0587-0.3667-0.088-0.7407-0.088-1.122zm5.83-3.476c-0.6747 0-1.2687 0.2053-1.782 0.616-0.5133 0.396-0.8653 0.9387-1.056 1.628h5.83c-0.2053-0.704-0.5867-1.254-1.144-1.65-0.5427-0.396-1.1587-0.594-1.848-0.594zm17.994 1.936v7.238h-2.882v-6.666c0-0.7333-0.22-1.32-0.66-1.76-0.4254-0.4547-0.99-0.682-1.694-0.682-0.6894 0-1.2614 0.22-1.716 0.66-0.44 0.44-0.66 1.034-0.66 1.782v6.666h-2.882v-11.374h2.882v0.968c0.396-0.4107 0.858-0.72601 1.386-0.94601 0.5426-0.22 1.122-0.32999 1.738-0.32999 0.3373 0 0.6526 0.0293 0.946 0.088 0.308 0.0587 0.6013 0.1467 0.88 0.264 0.2786 0.1027 0.5353 0.2347 0.77 0.396 0.2346 0.1613 0.4473 0.3447 0.638 0.55 0.2053 0.1907 0.3813 0.4107 0.528 0.66 0.1613 0.2347 0.2933 0.484 0.396 0.748 0.1026 0.264 0.1833 0.5427 0.242 0.836 0.0586 0.2933 0.088 0.594 0.088 0.902zm4.4524 1.54c0 0.9533 0.33 1.7673 0.99 2.442 0.6747 0.6747 1.474 1.012 2.398 1.012 0.6013 0 1.144-0.132 1.628-0.396 0.4987-0.264 0.9093-0.6233 1.232-1.078l2.046 1.496c-0.572 0.748-1.2613 1.3567-2.068 1.826-0.792 0.4547-1.738 0.682-2.838 0.682-0.396 0-0.7773-0.0367-1.144-0.11-0.3667-0.0587-0.726-0.1467-1.078-0.264-0.3373-0.1173-0.66-0.264-0.968-0.44s-0.6013-0.374-0.88-0.594c-0.264-0.22-0.5133-0.462-0.748-0.726-0.22-0.264-0.418-0.5427-0.594-0.836s-0.33-0.6013-0.462-0.924c-0.1173-0.3227-0.2127-0.66-0.286-1.012-0.0587-0.352-0.088-0.7113-0.088-1.078s0.0293-0.726 0.088-1.078c0.0733-0.352 0.1687-0.6893 0.286-1.012 0.132-0.3227 0.286-0.6307 0.462-0.924s0.374-0.5647 0.594-0.814c0.2347-0.264 0.484-0.506 0.748-0.726 0.2787-0.22 0.572-0.418 0.88-0.594s0.6307-0.32271 0.968-0.44001c0.352-0.1173 0.7113-0.20529 1.078-0.26399 0.3667-0.0733 0.748-0.11 1.144-0.11 1.1 0 2.046 0.23469 2.838 0.70399 0.8067 0.4547 1.496 1.056 2.068 1.804l-2.046 1.496c-0.3227-0.4547-0.7333-0.814-1.232-1.078-0.484-0.264-1.0267-0.396-1.628-0.396-0.924 0-1.7233 0.3373-2.398 1.012-0.66 0.66-0.99 1.4667-0.99 2.42zm8.6556 0c0-0.352 0.0294-0.6967 0.088-1.034 0.0587-0.3373 0.1467-0.6673 0.264-0.99 0.1174-0.3227 0.2567-0.6307 0.418-0.924 0.176-0.2933 0.3667-0.572 0.572-0.836 0.22-0.264 0.4547-0.506 0.704-0.726 0.264-0.22 0.5354-0.418 0.814-0.594 0.2934-0.176 0.6014-0.3227 0.924-0.44 0.3374-0.132 0.682-0.2273 1.034-0.286 0.352-0.0733 0.7114-0.11 1.078-0.11 0.4254 0 0.836 0.0367 1.232 0.11s0.77 0.1833 1.122 0.33 0.682 0.33 0.99 0.55c0.308 0.2053 0.5867 0.4473 0.836 0.726 0.264 0.264 0.4987 0.5573 0.704 0.88 0.2054 0.3227 0.374 0.6673 0.506 1.034 0.1467 0.3667 0.2567 0.7553 0.33 1.166 0.0734 0.4107 0.11 0.836 0.11 1.276v0.836h-8.778c0.1907 0.7333 0.572 1.342 1.144 1.826s1.254 0.726 2.046 0.726c0.6014 0 1.144-0.11 1.628-0.33 0.4987-0.2347 0.9534-0.6233 1.364-1.166l2.002 1.496c-0.572 0.7773-1.2833 1.386-2.134 1.826-0.836 0.4253-1.782 0.638-2.838 0.638-0.3813 0-0.7553-0.0293-1.122-0.088-0.3666-0.0587-0.7186-0.1467-1.056-0.264-0.3373-0.1173-0.66-0.2567-0.968-0.418-0.308-0.176-0.594-0.3667-0.858-0.572-0.264-0.22-0.5133-0.4547-0.748-0.704-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3226-0.6013-0.44-0.924c-0.1173-0.3373-0.2126-0.6893-0.286-1.056-0.0586-0.3667-0.088-0.7407-0.088-1.122zm5.83-3.476c-0.6746 0-1.2686 0.2053-1.782 0.616-0.5133 0.396-0.8653 0.9387-1.056 1.628h5.83c-0.2053-0.704-0.5866-1.254-1.144-1.65-0.5426-0.396-1.1586-0.594-1.848-0.594z"
+                fill="#000"
+              />
+            </svg>
+          </NextLink>
+        }
+        username={userItems ? username : undefined}
+        usernameSubtitle={userItems ? usernameSubtitle : undefined}
+        userItems={userItems}
+        onUserItemSelect={(item) => {
+          if (item.info === LOGIN_ITEM) {
+            setIsModalOpen(true);
+          } else if (item.info === LOGOUT_ITEM) {
+            void logout();
+          }
+        }}
+      />
+      {authInfo?.rbacEnabled && (
+        <AuthTokenModal
+          isOpen={isModalOpen}
+          onClose={() => setIsModalOpen(false)}
+          onSubmit={saveToken}
+        />
+      )}
+    </>
   );
 }
diff --git a/src/components/auth-token-modal/auth-token-modal.tsx b/src/components/auth-token-modal/auth-token-modal.tsx
new file mode 100644
index 000000000..de3e65519
--- /dev/null
+++ b/src/components/auth-token-modal/auth-token-modal.tsx
@@ -0,0 +1,85 @@
+'use client';
+import React, { useState } from 'react';
+
+import { FormControl } from 'baseui/form-control';
+import {
+  Modal,
+  ModalBody,
+  ModalButton,
+  ModalFooter,
+  ModalHeader,
+} from 'baseui/modal';
+import { Textarea } from 'baseui/textarea';
+
+type Props = {
+  isOpen: boolean;
+  onClose: () => void;
+  onSubmit: (token: string) => Promise<void> | void;
+};
+
+export default function AuthTokenModal({ isOpen, onClose, onSubmit }: Props) {
+  const [token, setToken] = useState('');
+  const [isSubmitting, setIsSubmitting] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  const handleSubmit = async () => {
+    if (!token.trim()) {
+      setError('Please paste a JWT token first');
+      return;
+    }
+
+    setIsSubmitting(true);
+    setError(null);
+    try {
+      await onSubmit(token.trim());
+      setToken('');
+    } catch (e) {
+      setError(
+        e instanceof Error ? e.message : 'Failed to save authentication token'
+      );
+    } finally {
+      setIsSubmitting(false);
+    }
+  };
+
+  return (
+    <Modal
+      size="default"
+      onClose={onClose}
+      isOpen={isOpen}
+      closeable={!isSubmitting}
+      autoFocus
+    >
+      <ModalHeader>Authenticate with JWT</ModalHeader>
+      <ModalBody>
+        <FormControl
+          label="Cadence JWT"
+          caption="Paste a Cadence-compatible JWT issued by your identity provider."
+          error={error || null}
+        >
+          <Textarea
+            value={token}
+            onChange={(event) =>
+              setToken((event?.target as HTMLTextAreaElement)?.value || '')
+            }
+            clearOnEscape
+            disabled={isSubmitting}
+            rows={6}
+          />
+        </FormControl>
+      </ModalBody>
+      <ModalFooter>
+        <ModalButton kind="tertiary" onClick={onClose} disabled={isSubmitting}>
+          Cancel
+        </ModalButton>
+        <ModalButton
+          onClick={handleSubmit}
+          isLoading={isSubmitting}
+          data-testid="auth-token-submit"
+        >
+          Save token
+        </ModalButton>
+      </ModalFooter>
+    </Modal>
+  );
+}
diff --git a/src/config/dynamic/dynamic.config.ts b/src/config/dynamic/dynamic.config.ts
index 9c308be70..c795d7e59 100644
--- a/src/config/dynamic/dynamic.config.ts
+++ b/src/config/dynamic/dynamic.config.ts
@@ -26,6 +26,8 @@ import workflowDiagnosticsEnabled from './resolvers/workflow-diagnostics-enabled
 const dynamicConfigs: {
   CADENCE_WEB_PORT: ConfigEnvDefinition;
   ADMIN_SECURITY_TOKEN: ConfigEnvDefinition;
+  CADENCE_WEB_RBAC_ENABLED: ConfigEnvDefinition;
+  CADENCE_WEB_JWT_TOKEN: ConfigEnvDefinition;
   CLUSTERS: ConfigSyncResolverDefinition<
     undefined,
     ClustersConfigs,
@@ -89,6 +91,14 @@ const dynamicConfigs: {
     env: 'CADENCE_ADMIN_SECURITY_TOKEN',
     default: '',
   },
+  CADENCE_WEB_RBAC_ENABLED: {
+    env: 'CADENCE_WEB_RBAC_ENABLED',
+    default: 'false',
+  },
+  CADENCE_WEB_JWT_TOKEN: {
+    env: 'CADENCE_WEB_JWT_TOKEN',
+    default: process.env.CADENCE_WEB_RBAC_TOKEN || '',
+  },
   CLUSTERS: {
     resolver: clusters,
     evaluateOn: 'serverStart',
diff --git a/src/hooks/use-domain-access/use-domain-access.ts b/src/hooks/use-domain-access/use-domain-access.ts
new file mode 100644
index 000000000..9f48a829e
--- /dev/null
+++ b/src/hooks/use-domain-access/use-domain-access.ts
@@ -0,0 +1,55 @@
+'use client';
+import { useMemo } from 'react';
+
+import { useQuery } from '@tanstack/react-query';
+
+import { getDomainAccessForUser } from '@/utils/auth/auth-shared';
+import getDomainDescriptionQueryOptions from '@/views/shared/hooks/use-domain-description/get-domain-description-query-options';
+import { type UseDomainDescriptionParams } from '@/views/shared/hooks/use-domain-description/use-domain-description.types';
+
+import useUserInfo from '../use-user-info/use-user-info';
+
+export default function useDomainAccess(params: UseDomainDescriptionParams) {
+  const userInfoQuery = useUserInfo();
+  const shouldLoadDomain = Boolean(userInfoQuery.data);
+
+  const domainQuery = useQuery({
+    ...getDomainDescriptionQueryOptions(params),
+    enabled: shouldLoadDomain,
+  });
+
+  const access = useMemo(() => {
+    if (userInfoQuery.isError) {
+      return { canRead: false, canWrite: false };
+    }
+
+    if (!userInfoQuery.data) {
+      return undefined;
+    }
+
+    if (domainQuery.data) {
+      return getDomainAccessForUser(domainQuery.data, userInfoQuery.data);
+    }
+
+    if (domainQuery.isError) {
+      return { canRead: false, canWrite: false };
+    }
+
+    return undefined;
+  }, [
+    domainQuery.data,
+    domainQuery.isError,
+    userInfoQuery.data,
+    userInfoQuery.isError,
+  ]);
+
+  const isLoading =
+    userInfoQuery.isLoading || (shouldLoadDomain && domainQuery.isLoading);
+
+  return {
+    access,
+    isLoading,
+    isError: userInfoQuery.isError || domainQuery.isError,
+    userInfoQuery,
+  };
+}
diff --git a/src/hooks/use-user-info/use-user-info.ts b/src/hooks/use-user-info/use-user-info.ts
new file mode 100644
index 000000000..54d65e994
--- /dev/null
+++ b/src/hooks/use-user-info/use-user-info.ts
@@ -0,0 +1,17 @@
+'use client';
+import { useQuery } from '@tanstack/react-query';
+
+import { type PublicAuthContext } from '@/utils/auth/auth-shared';
+import request from '@/utils/request';
+import { type RequestError } from '@/utils/request/request-error';
+
+export default function useUserInfo() {
+  return useQuery<PublicAuthContext, RequestError>({
+    queryKey: ['auth', 'me'],
+    queryFn: async () => {
+      const res = await request('/api/auth/me', { method: 'GET' });
+      return res.json();
+    },
+    staleTime: 30_000,
+  });
+}
diff --git a/src/route-handlers/start-workflow/__tests__/start-workflow.node.ts b/src/route-handlers/start-workflow/__tests__/start-workflow.node.ts
index 3d7a6b306..50e40e234 100644
--- a/src/route-handlers/start-workflow/__tests__/start-workflow.node.ts
+++ b/src/route-handlers/start-workflow/__tests__/start-workflow.node.ts
@@ -308,6 +308,9 @@ async function setup({
     },
     userInfo: {
       id: 'test-user-id',
+      rbacEnabled: false,
+      isAdmin: true,
+      groups: [],
     },
   };
 
diff --git a/src/utils/auth/__tests__/auth-context.test.ts b/src/utils/auth/__tests__/auth-context.test.ts
new file mode 100644
index 000000000..dee64dbf4
--- /dev/null
+++ b/src/utils/auth/__tests__/auth-context.test.ts
@@ -0,0 +1,370 @@
+import { type Domain } from '@/__generated__/proto-ts/uber/cadence/api/v1/Domain';
+import {
+  CADENCE_AUTH_COOKIE_NAME,
+  decodeCadenceJwtClaims,
+  getDomainAccessForUser,
+  getPublicAuthContext,
+  getGrpcMetadataFromAuth,
+  resolveAuthContext,
+} from '@/utils/auth/auth-context';
+import getConfigValue from '@/utils/config/get-config-value';
+
+jest.mock('@/utils/config/get-config-value');
+
+const mockGetConfigValue = getConfigValue as jest.MockedFunction<
+  typeof getConfigValue
+>;
+
+const buildToken = (claims: Record<string, unknown>) => {
+  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
+  return ['header', payload, 'signature'].join('.');
+};
+
+describe('auth-context utilities', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe(resolveAuthContext.name, () => {
+    it('returns unauthenticated context when RBAC is disabled', async () => {
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'false';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext();
+
+      expect(authContext).toMatchObject({
+        rbacEnabled: false,
+        isAdmin: false,
+        token: undefined,
+        groups: [],
+      });
+    });
+
+    it('prefers cookie token when RBAC is enabled', async () => {
+      const token = buildToken({
+        name: 'cookie-user',
+        groups: ['worker'],
+        Admin: true,
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        if (key === 'CADENCE_WEB_JWT_TOKEN') return 'env-token';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext).toMatchObject({
+        rbacEnabled: true,
+        isAdmin: true,
+        token,
+        tokenSource: 'cookie',
+        groups: ['worker'],
+        userName: 'cookie-user',
+      });
+    });
+
+    it('falls back to env token when cookie is missing', async () => {
+      const envToken = buildToken({
+        sub: 'env-user',
+        groups: ['reader'],
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        if (key === 'CADENCE_WEB_JWT_TOKEN') return envToken;
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: () => undefined,
+      });
+
+      expect(authContext).toMatchObject({
+        rbacEnabled: true,
+        token: envToken,
+        tokenSource: 'env',
+        groups: ['reader'],
+        isAdmin: false,
+        userName: 'env-user',
+      });
+    });
+
+    it('handles capitalized Groups claim with comma-separated string', async () => {
+      const token = buildToken({
+        sub: 'reader',
+        Groups: 'readers, auditors',
+        Admin: false,
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        if (key === 'CADENCE_WEB_JWT_TOKEN') return token;
+        return '';
+      });
+
+      const authContext = await resolveAuthContext();
+
+      expect(authContext.groups).toEqual(['readers', 'auditors']);
+      expect(authContext.isAdmin).toBe(false);
+    });
+
+    it('still forwards env token when RBAC is disabled', async () => {
+      const token = buildToken({
+        sub: 'legacy-admin',
+        Admin: true,
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'false';
+        if (key === 'CADENCE_WEB_JWT_TOKEN') return token;
+        return '';
+      });
+
+      const authContext = await resolveAuthContext();
+
+      expect(authContext.token).toBe(token);
+      expect(authContext.isAdmin).toBe(true);
+    });
+  });
+
+  describe(decodeCadenceJwtClaims.name, () => {
+    it('returns undefined for invalid tokens', () => {
+      expect(decodeCadenceJwtClaims('invalid.token')).toBeUndefined();
+    });
+
+    it('decodes valid payloads', () => {
+      const claims = { name: 'ben', groups: ['payer'], Admin: true };
+      const token = buildToken(claims);
+
+      expect(decodeCadenceJwtClaims(token)).toMatchObject(claims);
+    });
+  });
+
+  describe(getDomainAccessForUser.name, () => {
+    const baseDomain: Domain = {
+      id: 'id',
+      name: 'test',
+      status: 'DOMAIN_STATUS_REGISTERED',
+      description: '',
+      ownerEmail: '',
+      data: {},
+      workflowExecutionRetentionPeriod: null,
+      badBinaries: null,
+      historyArchivalStatus: 'ARCHIVAL_STATUS_DISABLED',
+      historyArchivalUri: '',
+      visibilityArchivalStatus: 'ARCHIVAL_STATUS_DISABLED',
+      visibilityArchivalUri: '',
+      activeClusterName: '',
+      clusters: [],
+      failoverVersion: '0',
+      isGlobalDomain: false,
+      failoverInfo: null,
+      isolationGroups: null,
+      asyncWorkflowConfig: null,
+      activeClusters: null,
+    };
+
+    it('denies open domains when user is not admin', () => {
+      const access = getDomainAccessForUser(baseDomain, {
+        rbacEnabled: true,
+        isAdmin: false,
+        groups: [],
+        token: 'abc',
+      });
+
+      expect(access).toEqual({ canRead: false, canWrite: false });
+    });
+
+    it('allows admin users', () => {
+      const access = getDomainAccessForUser(
+        { ...baseDomain, data: { READ_GROUPS: '["worker"]' } },
+        {
+          rbacEnabled: true,
+          isAdmin: true,
+          groups: [],
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: true });
+    });
+
+    it('respects read/write groups', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            READ_GROUPS: '["reader"]',
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: ['reader'],
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: false });
+    });
+
+    it('requires group membership for restricted domains even when RBAC is disabled', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            READ_GROUPS: '["reader"]',
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: false,
+          isAdmin: false,
+          groups: [],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: false, canWrite: false });
+    });
+
+    it('grants write access when write group matches', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            READ_GROUPS: '["reader"]',
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: ['writer'],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: true });
+    });
+
+    it('requires write group when only WRITE_GROUPS are defined', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: [],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: false, canWrite: false });
+    });
+
+    it('allows write group to read/write when only WRITE_GROUPS are defined', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: ['writer'],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: true });
+    });
+
+    it('treats read-only groups as viewers when no write groups are set', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            READ_GROUPS: '["viewer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: ['viewer'],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: false });
+    });
+
+    it('denies unauthenticated users even for open domains', () => {
+      const access = getDomainAccessForUser(baseDomain, {
+        rbacEnabled: true,
+        isAdmin: false,
+        groups: [],
+        token: undefined,
+      });
+
+      expect(access).toEqual({ canRead: false, canWrite: false });
+    });
+  });
+
+  describe(getPublicAuthContext.name, () => {
+    it('omits the token but preserves flags', () => {
+      const authContext = {
+        rbacEnabled: true,
+        token: 'secret',
+        tokenSource: 'cookie' as const,
+        claims: { Admin: true },
+        groups: ['worker'],
+        isAdmin: true,
+        userName: 'worker',
+        id: 'worker',
+      };
+
+      expect(getPublicAuthContext(authContext)).toEqual({
+        rbacEnabled: true,
+        tokenSource: 'cookie',
+        claims: { Admin: true },
+        groups: ['worker'],
+        isAdmin: true,
+        userName: 'worker',
+        id: 'worker',
+        isAuthenticated: true,
+      });
+    });
+  });
+
+  describe(getGrpcMetadataFromAuth.name, () => {
+    it('returns metadata when token is present', () => {
+      expect(
+        getGrpcMetadataFromAuth({
+          token: 'abc',
+          groups: [],
+          isAdmin: false,
+          rbacEnabled: true,
+        })
+      ).toEqual({ 'cadence-authorization': 'abc' });
+    });
+
+    it('returns undefined when token is missing', () => {
+      expect(
+        getGrpcMetadataFromAuth({
+          rbacEnabled: true,
+          groups: [],
+          isAdmin: false,
+        })
+      ).toBeUndefined();
+    });
+  });
+});
diff --git a/src/utils/auth/auth-context.ts b/src/utils/auth/auth-context.ts
new file mode 100644
index 000000000..27102da49
--- /dev/null
+++ b/src/utils/auth/auth-context.ts
@@ -0,0 +1,134 @@
+import 'server-only';
+
+import { cookies as getRequestCookies } from 'next/headers';
+
+import { type GRPCMetadata } from '@/utils/grpc/grpc-service';
+
+import getConfigValue from '../config/get-config-value';
+
+import {
+  type AuthTokenSource,
+  type CadenceJwtClaims,
+  type PublicAuthContext,
+  type UserAuthContext,
+} from './auth-shared';
+
+export const CADENCE_AUTH_COOKIE_NAME = 'cadence-authorization';
+
+type CookieReader = {
+  get: (name: string) => { value: string } | undefined;
+};
+
+const parseBooleanFlag = (value: string) =>
+  value?.toLowerCase() === 'true' || value === '1';
+
+export function decodeCadenceJwtClaims(
+  token: string
+): CadenceJwtClaims | undefined {
+  const [, payload] = token.split('.');
+  if (!payload) {
+    return undefined;
+  }
+
+  try {
+    const normalizedPayload = payload.replace(/-/g, '+').replace(/_/g, '/');
+    const paddedPayload =
+      normalizedPayload + '='.repeat((4 - (normalizedPayload.length % 4)) % 4);
+    const decodedPayload = Buffer.from(paddedPayload, 'base64').toString(
+      'utf8'
+    );
+
+    return JSON.parse(decodedPayload) as CadenceJwtClaims;
+  } catch {
+    return undefined;
+  }
+}
+
+export async function resolveAuthContext(
+  cookieStore?: CookieReader
+): Promise<UserAuthContext> {
+  const rbacEnabled = parseBooleanFlag(
+    (await getConfigValue('CADENCE_WEB_RBAC_ENABLED')) ?? 'false'
+  );
+
+  const cookies = cookieStore ?? getRequestCookies();
+  const tokenFromCookie = cookies.get(CADENCE_AUTH_COOKIE_NAME)?.value?.trim();
+  const envToken = (await getConfigValue('CADENCE_WEB_JWT_TOKEN'))?.trim();
+
+  const token = tokenFromCookie || envToken || undefined;
+  const tokenSource: AuthTokenSource | undefined = tokenFromCookie
+    ? 'cookie'
+    : envToken
+      ? 'env'
+      : undefined;
+
+  const claims = token ? decodeCadenceJwtClaims(token) : undefined;
+  const normalizeGroups = (): string[] => {
+    const raw =
+      (claims as Record<string, unknown> | undefined)?.groups ??
+      (claims as Record<string, unknown> | undefined)?.Groups;
+    if (!raw) return [];
+    if (Array.isArray(raw)) {
+      return raw
+        .map((g) => (typeof g === 'string' ? g.trim() : `${g}`.trim()))
+        .filter(Boolean);
+    }
+    if (typeof raw === 'string') {
+      return raw
+        .split(',')
+        .map((g) => g.trim())
+        .filter(Boolean);
+    }
+    return [];
+  };
+  const groups = normalizeGroups();
+  const userName =
+    (claims?.name && typeof claims.name === 'string' && claims.name) ||
+    (claims?.sub && typeof claims.sub === 'string' && claims.sub) ||
+    undefined;
+  const isAdmin = claims?.Admin === true;
+
+  return {
+    rbacEnabled,
+    token,
+    tokenSource,
+    claims,
+    groups,
+    isAdmin,
+    userName,
+    id: userName,
+  };
+}
+
+export function getGrpcMetadataFromAuth(
+  authContext: UserAuthContext | null | undefined
+): GRPCMetadata | undefined {
+  if (!authContext?.token) {
+    return undefined;
+  }
+
+  return {
+    'cadence-authorization': authContext.token,
+  };
+}
+
+export const getPublicAuthContext = (
+  authContext: UserAuthContext
+): PublicAuthContext => ({
+  rbacEnabled: authContext.rbacEnabled,
+  tokenSource: authContext.tokenSource,
+  claims: authContext.claims,
+  groups: authContext.groups,
+  isAdmin: authContext.isAdmin,
+  userName: authContext.userName,
+  id: authContext.id,
+  isAuthenticated: Boolean(authContext.token),
+});
+
+export { getDomainAccessForUser } from './auth-shared';
+export type {
+  AuthTokenSource,
+  CadenceJwtClaims,
+  PublicAuthContext,
+  UserAuthContext,
+} from './auth-shared';
diff --git a/src/utils/auth/auth-shared.ts b/src/utils/auth/auth-shared.ts
new file mode 100644
index 000000000..703d796d2
--- /dev/null
+++ b/src/utils/auth/auth-shared.ts
@@ -0,0 +1,107 @@
+import { type Domain } from '@/__generated__/proto-ts/uber/cadence/api/v1/Domain';
+
+export type AuthTokenSource = 'cookie' | 'env';
+
+export type CadenceJwtClaims = {
+  Admin?: boolean;
+  groups?: unknown;
+  name?: string;
+  sub?: string;
+  [key: string]: unknown;
+};
+
+type BaseAuthContext = {
+  rbacEnabled: boolean;
+  tokenSource?: AuthTokenSource;
+  claims?: CadenceJwtClaims;
+  groups: string[];
+  isAdmin: boolean;
+  userName?: string;
+  id?: string;
+};
+
+export type PublicAuthContext = BaseAuthContext & {
+  isAuthenticated: boolean;
+};
+
+export type UserAuthContext = BaseAuthContext & {
+  token?: string;
+};
+
+const parseGroups = (rawValue?: string) => {
+  if (!rawValue) return [] as string[];
+  try {
+    const parsed = JSON.parse(rawValue);
+    if (Array.isArray(parsed)) {
+      return parsed
+        .map((item) => `${item}`.trim())
+        .filter((item) => item.length > 0);
+    }
+  } catch {
+    // fall through to comma split
+  }
+  return rawValue
+    .split(',')
+    .map((g) => g.trim())
+    .filter((g) => g.length > 0);
+};
+
+export const getDomainAccessForUser = (
+  domain: Domain,
+  authContext: UserAuthContext | PublicAuthContext | null | undefined
+) => {
+  const isAuthenticated = Boolean(
+    (authContext as UserAuthContext | undefined)?.token
+  );
+
+  if (authContext?.isAdmin) {
+    return {
+      canRead: true,
+      canWrite: true,
+    };
+  }
+
+  if (!isAuthenticated) {
+    return {
+      canRead: false,
+      canWrite: false,
+    };
+  }
+
+  const readGroups = parseGroups(
+    domain.data?.READ_GROUPS ||
+      (domain.data as any)?.read_groups ||
+      (domain.data as any)?.readGroups
+  );
+  const writeGroups = parseGroups(
+    domain.data?.WRITE_GROUPS ||
+      (domain.data as any)?.write_groups ||
+      (domain.data as any)?.writeGroups
+  );
+
+  const userGroups = authContext?.groups ?? [];
+  const effectiveReadGroups =
+    readGroups.length > 0
+      ? readGroups
+      : writeGroups.length > 0
+        ? writeGroups
+        : [];
+
+  const hasReadGroup = effectiveReadGroups.some((g) => userGroups.includes(g));
+  const hasWriteGroup = writeGroups.some((g) => userGroups.includes(g));
+
+  const readRestricted = effectiveReadGroups.length > 0;
+  const writeRestricted = writeGroups.length > 0;
+
+  const canRead = readRestricted ? hasReadGroup || hasWriteGroup : false;
+  const canWrite = writeRestricted
+    ? hasWriteGroup
+    : readRestricted
+      ? false
+      : false;
+
+  return {
+    canRead,
+    canWrite,
+  };
+};
diff --git a/src/utils/config/__fixtures__/resolved-config-values.ts b/src/utils/config/__fixtures__/resolved-config-values.ts
index f002ad4b0..24c357ab3 100644
--- a/src/utils/config/__fixtures__/resolved-config-values.ts
+++ b/src/utils/config/__fixtures__/resolved-config-values.ts
@@ -3,6 +3,8 @@ import { type LoadedConfigResolvedValues } from '../config.types';
 const mockResolvedConfigValues: LoadedConfigResolvedValues = {
   ADMIN_SECURITY_TOKEN: 'mock-secret',
   CADENCE_WEB_PORT: '3000',
+  CADENCE_WEB_RBAC_ENABLED: 'false',
+  CADENCE_WEB_JWT_TOKEN: 'mock-rbac-token',
   CLUSTERS: [
     {
       clusterName: 'mock-cluster1',
diff --git a/src/utils/route-handlers-middleware/config/route-handlers-default-middlewares.config.ts b/src/utils/route-handlers-middleware/config/route-handlers-default-middlewares.config.ts
index d022b55a6..1ca530ddc 100644
--- a/src/utils/route-handlers-middleware/config/route-handlers-default-middlewares.config.ts
+++ b/src/utils/route-handlers-middleware/config/route-handlers-default-middlewares.config.ts
@@ -6,8 +6,8 @@ import { type UserInfoMiddlewareContext } from '../middlewares/user-info.types';
 import { type MiddlewareFunction } from '../route-handlers-middleware.types';
 
 const routeHandlersDefaultMiddlewares: [
-  MiddlewareFunction<['grpcClusterMethods', GRPCClusterMethods]>,
   MiddlewareFunction<['userInfo', UserInfoMiddlewareContext]>,
-] = [grpcClusterMethodsMiddleware, userInfoMiddleware];
+  MiddlewareFunction<['grpcClusterMethods', GRPCClusterMethods]>,
+] = [userInfoMiddleware, grpcClusterMethodsMiddleware];
 
 export default routeHandlersDefaultMiddlewares;
diff --git a/src/utils/route-handlers-middleware/middlewares/__tests__/user-info.test.ts b/src/utils/route-handlers-middleware/middlewares/__tests__/user-info.test.ts
new file mode 100644
index 000000000..c16624b44
--- /dev/null
+++ b/src/utils/route-handlers-middleware/middlewares/__tests__/user-info.test.ts
@@ -0,0 +1,94 @@
+import {
+  getGrpcMetadataFromAuth,
+  resolveAuthContext,
+} from '@/utils/auth/auth-context';
+
+import userInfoMiddleware from '../user-info';
+
+jest.mock('@/utils/auth/auth-context', () => ({
+  resolveAuthContext: jest.fn(),
+  getGrpcMetadataFromAuth: jest.fn(),
+}));
+
+const mockRequest = {
+  cookies: {
+    get: jest.fn(),
+  },
+} as any;
+
+describe('user-info middleware', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('returns auth context and sets grpc metadata when available', async () => {
+    const mockAuthContext = {
+      rbacEnabled: true,
+      token: 'abc',
+      isAdmin: false,
+      groups: [],
+    };
+    (resolveAuthContext as jest.Mock).mockResolvedValue(mockAuthContext);
+    (getGrpcMetadataFromAuth as jest.Mock).mockReturnValue({
+      'cadence-authorization': 'abc',
+    });
+
+    const ctx: Record<string, unknown> = {};
+    const result = await userInfoMiddleware(
+      mockRequest,
+      { params: {} } as any,
+      ctx
+    );
+
+    expect(result).toEqual(['userInfo', mockAuthContext]);
+    expect(ctx.grpcMetadata).toEqual({
+      'cadence-authorization': 'abc',
+    });
+  });
+
+  it('merges existing grpc metadata', async () => {
+    (resolveAuthContext as jest.Mock).mockResolvedValue({
+      rbacEnabled: true,
+      token: 'xyz',
+      isAdmin: false,
+      groups: [],
+    });
+    (getGrpcMetadataFromAuth as jest.Mock).mockReturnValue({
+      'cadence-authorization': 'xyz',
+    });
+
+    const ctx: Record<string, unknown> = { grpcMetadata: { existing: 'true' } };
+    await userInfoMiddleware(mockRequest, { params: {} } as any, ctx);
+
+    expect(ctx.grpcMetadata).toEqual({
+      existing: 'true',
+      'cadence-authorization': 'xyz',
+    });
+  });
+
+  it('skips grpc metadata when not provided', async () => {
+    (resolveAuthContext as jest.Mock).mockResolvedValue({
+      rbacEnabled: false,
+      isAdmin: false,
+      groups: [],
+    });
+    (getGrpcMetadataFromAuth as jest.Mock).mockReturnValue(undefined);
+
+    const ctx: Record<string, unknown> = {};
+    const result = await userInfoMiddleware(
+      mockRequest,
+      { params: {} } as any,
+      ctx
+    );
+
+    expect(result).toEqual([
+      'userInfo',
+      {
+        rbacEnabled: false,
+        isAdmin: false,
+        groups: [],
+      },
+    ]);
+    expect(ctx.grpcMetadata).toBeUndefined();
+  });
+});
diff --git a/src/utils/route-handlers-middleware/middlewares/user-info.ts b/src/utils/route-handlers-middleware/middlewares/user-info.ts
index 2fb3fe2b4..574582ae9 100644
--- a/src/utils/route-handlers-middleware/middlewares/user-info.ts
+++ b/src/utils/route-handlers-middleware/middlewares/user-info.ts
@@ -1,12 +1,30 @@
+import {
+  getGrpcMetadataFromAuth,
+  resolveAuthContext,
+} from '@/utils/auth/auth-context';
+
+import isObjectOfStringKeyValue from '../helpers/is-object-of-string-key-value';
 import { type MiddlewareFunction } from '../route-handlers-middleware.types';
 
 import { type UserInfoMiddlewareContext } from './user-info.types';
 
 const userInfo: MiddlewareFunction<
   ['userInfo', UserInfoMiddlewareContext]
-> = async () => {
-  // Placeholder for user info middleware, to be implemented after integrating auth
-  return ['userInfo', null];
+> = async (request, _options, ctx) => {
+  const authContext = await resolveAuthContext(request.cookies);
+
+  const authMetadata = getGrpcMetadataFromAuth(authContext);
+  if (authMetadata) {
+    const existingMetadata = isObjectOfStringKeyValue(ctx.grpcMetadata)
+      ? ctx.grpcMetadata
+      : {};
+    ctx.grpcMetadata = {
+      ...existingMetadata,
+      ...authMetadata,
+    };
+  }
+
+  return ['userInfo', authContext];
 };
 
 export default userInfo;
diff --git a/src/utils/route-handlers-middleware/middlewares/user-info.types.ts b/src/utils/route-handlers-middleware/middlewares/user-info.types.ts
index 97d2eac05..b698c31e0 100644
--- a/src/utils/route-handlers-middleware/middlewares/user-info.types.ts
+++ b/src/utils/route-handlers-middleware/middlewares/user-info.types.ts
@@ -1,3 +1,3 @@
-export type UserInfoMiddlewareContext = {
-  id: string;
-} | null;
+import { type UserAuthContext } from '@/utils/auth/auth-context';
+
+export type UserInfoMiddlewareContext = UserAuthContext;
diff --git a/src/views/domain-page/domain-page-start-workflow-button/__tests__/domain-page-start-workflow-button.test.tsx b/src/views/domain-page/domain-page-start-workflow-button/__tests__/domain-page-start-workflow-button.test.tsx
index 4228f9741..3f77b2eb2 100644
--- a/src/views/domain-page/domain-page-start-workflow-button/__tests__/domain-page-start-workflow-button.test.tsx
+++ b/src/views/domain-page/domain-page-start-workflow-button/__tests__/domain-page-start-workflow-button.test.tsx
@@ -200,6 +200,20 @@ function setup(
 
   const renderResult = render(<DomainPageStartWorkflowButton {...props} />, {
     endpointsMocks: [
+      {
+        path: '/api/auth/me',
+        httpMethod: 'GET',
+        httpResolver: async () =>
+          HttpResponse.json(
+            {
+              rbacEnabled: false,
+              isAuthenticated: false,
+              isAdmin: false,
+              groups: [],
+            },
+            { status: 200 }
+          ),
+      },
       {
         path: '/api/config',
         httpMethod: 'GET',
diff --git a/src/views/domain-page/domain-page-start-workflow-button/domain-page-start-workflow-button.tsx b/src/views/domain-page/domain-page-start-workflow-button/domain-page-start-workflow-button.tsx
index 0680dcae1..9673496ee 100644
--- a/src/views/domain-page/domain-page-start-workflow-button/domain-page-start-workflow-button.tsx
+++ b/src/views/domain-page/domain-page-start-workflow-button/domain-page-start-workflow-button.tsx
@@ -5,6 +5,7 @@ import { StatefulTooltip } from 'baseui/tooltip';
 
 import Button from '@/components/button/button';
 import useConfigValue from '@/hooks/use-config-value/use-config-value';
+import useDomainAccess from '@/hooks/use-domain-access/use-domain-access';
 import { startWorkflowActionConfig } from '@/views/workflow-actions/config/workflow-actions.config';
 import getActionDisabledReason from '@/views/workflow-actions/workflow-actions-menu/helpers/get-action-disabled-reason';
 import WorkflowActionsModal from '@/views/workflow-actions/workflow-actions-modal/workflow-actions-modal';
@@ -26,9 +27,16 @@ export default function DomainPageStartWorkflowButton({
     domain,
     cluster,
   });
+  const { access, isLoading: isAccessLoading } = useDomainAccess({
+    domain,
+    cluster,
+  });
 
   const disabledReason = getActionDisabledReason({
-    actionEnabledConfig: actionsEnabledConfig?.start,
+    actionEnabledConfig:
+      access?.canWrite === false
+        ? 'DISABLED_UNAUTHORIZED'
+        : actionsEnabledConfig?.start,
     actionRunnableStatus: 'RUNNABLE',
   });
 
@@ -48,7 +56,11 @@ export default function DomainPageStartWorkflowButton({
             size="compact"
             kind="secondary"
             loadingIndicatorType="skeleton"
-            isLoading={isActionsEnabledLoading || isActionsEnabledError}
+            isLoading={
+              isActionsEnabledLoading ||
+              isActionsEnabledError ||
+              isAccessLoading
+            }
             disabled={Boolean(disabledReason)}
             startEnhancer={<startWorkflowActionConfig.icon size={16} />}
             aria-label={disabledReason ?? undefined}
diff --git a/src/views/domain-workflows/__tests__/domain-workflows.test.tsx b/src/views/domain-workflows/__tests__/domain-workflows.test.tsx
index 55b21476a..fb826a439 100644
--- a/src/views/domain-workflows/__tests__/domain-workflows.test.tsx
+++ b/src/views/domain-workflows/__tests__/domain-workflows.test.tsx
@@ -30,28 +30,42 @@ describe('DomainWorkflows', () => {
     expect(await screen.findByText('Advanced Workflows')).toBeInTheDocument();
   });
 
-  it('should throw on error', async () => {
-    let renderErrorMessage;
-    try {
-      await act(async () => {
-        await setup({ error: true });
+  it('should fall back to basic workflows when cluster info fails', async () => {
+    await act(async () => {
+      await setup({ error: true });
+    });
+
+    expect(await screen.findByText('Basic Workflows')).toBeInTheDocument();
+  });
+
+  it('skips cluster fetch for non-admin token when RBAC is disabled', async () => {
+    await act(async () => {
+      await setup({
+        rbacEnabled: false,
+        isAuthenticated: true,
+        claims: { Admin: false },
+        skipClusterRequest: true,
       });
-    } catch (error) {
-      if (error instanceof Error) {
-        renderErrorMessage = error.message;
-      }
-    }
+    });
 
-    expect(renderErrorMessage).toEqual('Failed to fetch cluster info');
+    expect(await screen.findByText('Basic Workflows')).toBeInTheDocument();
   });
 });
 
 async function setup({
   isAdvancedVisibility = false,
   error,
+  rbacEnabled = false,
+  isAuthenticated = false,
+  claims,
+  skipClusterRequest = false,
 }: {
   error?: boolean;
   isAdvancedVisibility?: boolean;
+  rbacEnabled?: boolean;
+  isAuthenticated?: boolean;
+  claims?: Record<string, unknown>;
+  skipClusterRequest?: boolean;
 }) {
   const props: DomainPageTabContentProps = {
     domain: 'test-domain',
@@ -65,6 +79,18 @@ async function setup({
     {
       endpointsMocks: [
         {
+          path: '/api/auth/me',
+          httpMethod: 'GET',
+          mockOnce: false,
+          jsonResponse: {
+            rbacEnabled,
+            isAuthenticated,
+            isAdmin: Boolean(claims?.Admin),
+            claims,
+            groups: [],
+          },
+        },
+        !skipClusterRequest && {
           path: '/api/clusters/test-cluster',
           httpMethod: 'GET',
           mockOnce: false,
@@ -95,7 +121,7 @@ async function setup({
                 } satisfies DescribeClusterResponse,
               }),
         },
-      ],
+      ].filter(Boolean) as any,
     }
   );
 }
diff --git a/src/views/domain-workflows/domain-workflows.tsx b/src/views/domain-workflows/domain-workflows.tsx
index 06b4ee95d..7966f6060 100644
--- a/src/views/domain-workflows/domain-workflows.tsx
+++ b/src/views/domain-workflows/domain-workflows.tsx
@@ -1,8 +1,10 @@
+'use client';
 import React, { useMemo } from 'react';
 
-import { useSuspenseQuery } from '@tanstack/react-query';
+import { useQuery } from '@tanstack/react-query';
 import dynamic from 'next/dynamic';
 
+import useUserInfo from '@/hooks/use-user-info/use-user-info';
 import { type DescribeClusterResponse } from '@/route-handlers/describe-cluster/describe-cluster.types';
 import request from '@/utils/request';
 import { type DomainPageTabContentProps } from '@/views/domain-page/domain-page-content/domain-page-content.types';
@@ -18,15 +20,25 @@ const DomainWorkflowsAdvanced = dynamic(
 );
 
 export default function DomainWorkflows(props: DomainPageTabContentProps) {
-  const { data } = useSuspenseQuery<DescribeClusterResponse>({
+  const { data: authInfo } = useUserInfo();
+
+  const shouldFetchClusterInfo =
+    Boolean(authInfo) &&
+    (authInfo?.isAdmin ||
+      (!authInfo?.rbacEnabled && authInfo?.isAuthenticated !== true));
+
+  const { data: clusterInfo } = useQuery<DescribeClusterResponse>({
     queryKey: ['describeCluster', props],
     queryFn: () =>
       request(`/api/clusters/${props.cluster}`).then((res) => res.json()),
+    enabled: shouldFetchClusterInfo,
+    retry: false,
   });
 
   const isAdvancedVisibilityEnabled = useMemo(() => {
-    return isClusterAdvancedVisibilityEnabled(data);
-  }, [data]);
+    if (!clusterInfo) return false;
+    return isClusterAdvancedVisibilityEnabled(clusterInfo);
+  }, [clusterInfo]);
 
   const DomainWorkflowsComponent = isAdvancedVisibilityEnabled
     ? DomainWorkflowsAdvanced
diff --git a/src/views/domain-workflows/helpers/is-cluster-advanced-visibility-enabled.ts b/src/views/domain-workflows/helpers/is-cluster-advanced-visibility-enabled.ts
index 6f6b0d588..1e04ffaf4 100644
--- a/src/views/domain-workflows/helpers/is-cluster-advanced-visibility-enabled.ts
+++ b/src/views/domain-workflows/helpers/is-cluster-advanced-visibility-enabled.ts
@@ -1,8 +1,9 @@
 import type { DescribeClusterResponse } from '@/route-handlers/describe-cluster/describe-cluster.types';
 
 export default function isClusterAdvancedVisibilityEnabled(
-  cluster: DescribeClusterResponse
+  cluster?: DescribeClusterResponse
 ) {
+  if (!cluster) return false;
   const clusterVisibilityFeatures =
     cluster.persistenceInfo?.visibilityStore?.features || [];
 
diff --git a/src/views/domains-page/domains-page.tsx b/src/views/domains-page/domains-page.tsx
index 17f596624..73e8c4969 100644
--- a/src/views/domains-page/domains-page.tsx
+++ b/src/views/domains-page/domains-page.tsx
@@ -2,6 +2,7 @@ import React, { Suspense } from 'react';
 
 import AsyncPropsLoader from '@/components/async-props-loader/async-props-loader';
 import SectionLoadingIndicator from '@/components/section-loading-indicator/section-loading-indicator';
+import { resolveAuthContext } from '@/utils/auth/auth-context';
 
 import DomainsPageContextProvider from './domains-page-context-provider/domains-page-context-provider';
 import DomainsPageErrorBanner from './domains-page-error-banner/domains-page-error-banner';
@@ -12,6 +13,9 @@ import DomainsTable from './domains-table/domains-table';
 import { getCachedAllDomains } from './helpers/get-all-domains';
 
 export default async function DomainsPage() {
+  const authContext = await resolveAuthContext();
+  const loadDomains = () => getCachedAllDomains(authContext);
+
   return (
     <DomainsPageContextProvider>
       <DomainsPageTitle
@@ -20,7 +24,7 @@ export default async function DomainsPage() {
             <AsyncPropsLoader
               component={DomainsPageTitleBadge}
               getAsyncProps={async () => {
-                const res = await getCachedAllDomains();
+                const res = await loadDomains();
                 return { content: res.domains.length };
               }}
             />
@@ -32,7 +36,7 @@ export default async function DomainsPage() {
         <AsyncPropsLoader
           component={DomainsPageErrorBanner}
           getAsyncProps={async () => {
-            const res = await getCachedAllDomains();
+            const res = await loadDomains();
             return { failedClusters: res.failedClusters };
           }}
         />
@@ -41,7 +45,7 @@ export default async function DomainsPage() {
         <AsyncPropsLoader
           component={DomainsTable}
           getAsyncProps={async () => {
-            const res = await getCachedAllDomains();
+            const res = await loadDomains();
             return { domains: res.domains };
           }}
         />
diff --git a/src/views/domains-page/helpers/get-all-domains.ts b/src/views/domains-page/helpers/get-all-domains.ts
index ac8fd5a95..9f1c17812 100644
--- a/src/views/domains-page/helpers/get-all-domains.ts
+++ b/src/views/domains-page/helpers/get-all-domains.ts
@@ -4,6 +4,11 @@ import 'server-only';
 // eslint-disable-next-line import/named
 import { cache } from 'react';
 
+import {
+  getDomainAccessForUser,
+  getGrpcMetadataFromAuth,
+  type UserAuthContext,
+} from '@/utils/auth/auth-context';
 import getConfigValue from '@/utils/config/get-config-value';
 import * as grpcClient from '@/utils/grpc/grpc-client';
 import { GRPCError } from '@/utils/grpc/grpc-error';
@@ -14,11 +19,14 @@ import getUniqueDomains from './get-unique-domains';
 
 const MAX_DOMAINS_TO_FETCH = 2000;
 
-export const getAllDomains = async () => {
+export const getAllDomains = async (authContext: UserAuthContext) => {
   const CLUSTERS_CONFIGS = await getConfigValue('CLUSTERS');
   const results = await Promise.allSettled(
     CLUSTERS_CONFIGS.map(async ({ clusterName }) => {
-      const clusterMethods = await grpcClient.getClusterMethods(clusterName);
+      const clusterMethods = await grpcClient.getClusterMethods(
+        clusterName,
+        getGrpcMetadataFromAuth(authContext)
+      );
 
       return clusterMethods
         .listDomains({ pageSize: MAX_DOMAINS_TO_FETCH })
@@ -46,9 +54,14 @@ export const getAllDomains = async () => {
         );
     })
   );
+
+  const uniqueDomains = getUniqueDomains(
+    results.flatMap((res) => (res.status === 'fulfilled' ? res.value : []))
+  );
+
   return {
-    domains: getUniqueDomains(
-      results.flatMap((res) => (res.status === 'fulfilled' ? res.value : []))
+    domains: uniqueDomains.filter(
+      (domain) => getDomainAccessForUser(domain, authContext).canRead
     ),
     failedClusters: CLUSTERS_CONFIGS.map((config) => ({
       clusterName: config.clusterName,
diff --git a/src/views/redirect-domain/__tests__/redirect-domain.node.ts b/src/views/redirect-domain/__tests__/redirect-domain.node.ts
index 71768edb1..dd4a92c16 100644
--- a/src/views/redirect-domain/__tests__/redirect-domain.node.ts
+++ b/src/views/redirect-domain/__tests__/redirect-domain.node.ts
@@ -50,15 +50,20 @@ jest.mock('next/navigation', () => ({
   },
 }));
 
-jest.mock(
-  '@/views/domains-page/helpers/get-all-domains',
-  jest.fn(() => ({
-    getCachedAllDomains: jest.fn(() => ({
-      domains: MOCK_ALL_DOMAINS,
-      failedClusters: [],
-    })),
-  }))
-);
+jest.mock('@/utils/auth/auth-context', () => ({
+  resolveAuthContext: jest.fn(async () => ({
+    rbacEnabled: false,
+    isAdmin: false,
+    groups: [],
+  })),
+}));
+
+jest.mock('@/views/domains-page/helpers/get-all-domains', () => ({
+  getCachedAllDomains: jest.fn(async () => ({
+    domains: MOCK_ALL_DOMAINS,
+    failedClusters: [],
+  })),
+}));
 
 describe(RedirectDomain.name, () => {
   const tests: Array<{
diff --git a/src/views/redirect-domain/redirect-domain.tsx b/src/views/redirect-domain/redirect-domain.tsx
index 90601572b..c4d5344f1 100644
--- a/src/views/redirect-domain/redirect-domain.tsx
+++ b/src/views/redirect-domain/redirect-domain.tsx
@@ -1,6 +1,8 @@
 import { notFound, redirect } from 'next/navigation';
 import queryString from 'query-string';
 
+import { resolveAuthContext } from '@/utils/auth/auth-context';
+
 import { getCachedAllDomains } from '../domains-page/helpers/get-all-domains';
 
 import { type Props } from './redirect-domain.types';
@@ -13,7 +15,8 @@ export default async function RedirectDomain(props: Props) {
 
   const domain = decodeURIComponent(encodedDomain);
 
-  const { domains } = await getCachedAllDomains();
+  const authContext = await resolveAuthContext();
+  const { domains } = await getCachedAllDomains(authContext);
 
   const [domainDetails, ...restDomains] = domains.filter(
     (d) => d.name === domain
diff --git a/src/views/shared/hooks/use-domain-description/use-domain-description.ts b/src/views/shared/hooks/use-domain-description/use-domain-description.ts
new file mode 100644
index 000000000..3fca33c74
--- /dev/null
+++ b/src/views/shared/hooks/use-domain-description/use-domain-description.ts
@@ -0,0 +1,11 @@
+'use client';
+import { useQuery } from '@tanstack/react-query';
+
+import getDomainDescriptionQueryOptions from './get-domain-description-query-options';
+import { type UseDomainDescriptionParams } from './use-domain-description.types';
+
+export default function useDomainDescription(
+  params: UseDomainDescriptionParams
+) {
+  return useQuery(getDomainDescriptionQueryOptions(params));
+}
diff --git a/src/views/workflow-actions/__tests__/workflow-actions.test.tsx b/src/views/workflow-actions/__tests__/workflow-actions.test.tsx
index 165dbfc58..6788fa2e0 100644
--- a/src/views/workflow-actions/__tests__/workflow-actions.test.tsx
+++ b/src/views/workflow-actions/__tests__/workflow-actions.test.tsx
@@ -4,6 +4,7 @@ import { HttpResponse } from 'msw';
 
 import { render, screen, userEvent, waitFor } from '@/test-utils/rtl';
 
+import { mockDomainDescription } from '@/views/domain-page/__fixtures__/domain-description';
 import { mockDescribeWorkflowResponse } from '@/views/workflow-page/__fixtures__/describe-workflow-response';
 
 import { mockWorkflowDetailsParams } from '../../workflow-page/__fixtures__/workflow-details-params';
@@ -132,6 +133,26 @@ function setup({
           }
         },
       },
+      {
+        path: '/api/domains/:domain/:cluster',
+        httpMethod: 'GET',
+        httpResolver: () =>
+          HttpResponse.json(mockDomainDescription, { status: 200 }),
+      },
+      {
+        path: '/api/auth/me',
+        httpMethod: 'GET',
+        httpResolver: () =>
+          HttpResponse.json(
+            {
+              rbacEnabled: false,
+              isAuthenticated: false,
+              isAdmin: false,
+              groups: [],
+            },
+            { status: 200 }
+          ),
+      },
       {
         path: '/api/config',
         httpMethod: 'GET',
diff --git a/src/views/workflow-actions/workflow-actions-menu/__tests__/workflow-actions-menu.test.tsx b/src/views/workflow-actions/workflow-actions-menu/__tests__/workflow-actions-menu.test.tsx
index e9b6f52cb..f61335da0 100644
--- a/src/views/workflow-actions/workflow-actions-menu/__tests__/workflow-actions-menu.test.tsx
+++ b/src/views/workflow-actions/workflow-actions-menu/__tests__/workflow-actions-menu.test.tsx
@@ -129,12 +129,25 @@ describe(WorkflowActionsMenu.name, () => {
       expect.objectContaining({ id: 'cancel' })
     );
   });
+
+  it('disables actions when write access is blocked', () => {
+    setup({
+      actionsEnabledConfig: mockResolvedConfigValues.WORKFLOW_ACTIONS_ENABLED,
+      isWriteAuthorized: false,
+    });
+
+    const menuButtons = screen.getAllByRole('button');
+    expect(menuButtons[0]).toBeDisabled();
+    expect(menuButtons[1]).toBeDisabled();
+  });
 });
 
 function setup({
   actionsEnabledConfig,
+  isWriteAuthorized = true,
 }: {
   actionsEnabledConfig?: WorkflowActionsEnabledConfig;
+  isWriteAuthorized?: boolean;
 }) {
   const user = userEvent.setup();
   const mockOnActionSelect = jest.fn();
@@ -143,6 +156,7 @@ function setup({
     <WorkflowActionsMenu
       workflow={mockDescribeWorkflowResponse}
       {...(actionsEnabledConfig && { actionsEnabledConfig })}
+      isWriteAuthorized={isWriteAuthorized}
       onActionSelect={mockOnActionSelect}
     />
   );
diff --git a/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.tsx b/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.tsx
index 1d964e845..15850cf74 100644
--- a/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.tsx
+++ b/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.tsx
@@ -10,13 +10,16 @@ import { type Props } from './workflow-actions-menu.types';
 export default function WorkflowActionsMenu({
   workflow,
   actionsEnabledConfig,
+  isWriteAuthorized = true,
   onActionSelect,
 }: Props) {
   return (
     <styled.MenuItemsContainer>
       {workflowActionsConfig.map((action) => {
         const actionDisabledReason = getActionDisabledReason({
-          actionEnabledConfig: actionsEnabledConfig?.[action.id],
+          actionEnabledConfig: isWriteAuthorized
+            ? actionsEnabledConfig?.[action.id]
+            : 'DISABLED_UNAUTHORIZED',
           actionRunnableStatus: workflow
             ? action.getRunnableStatus(workflow)
             : undefined,
diff --git a/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.types.ts b/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.types.ts
index bebdaa33b..4dc8f41c7 100644
--- a/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.types.ts
+++ b/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.types.ts
@@ -6,5 +6,6 @@ import { type WorkflowAction } from '../workflow-actions.types';
 export type Props = {
   workflow?: DescribeWorkflowResponse;
   actionsEnabledConfig?: WorkflowActionsEnabledConfig;
+  isWriteAuthorized?: boolean;
   onActionSelect: (action: WorkflowAction<any, any, any>) => void;
 };
diff --git a/src/views/workflow-actions/workflow-actions.tsx b/src/views/workflow-actions/workflow-actions.tsx
index c1b596075..774e31a52 100644
--- a/src/views/workflow-actions/workflow-actions.tsx
+++ b/src/views/workflow-actions/workflow-actions.tsx
@@ -11,6 +11,7 @@ import { MdArrowDropDown } from 'react-icons/md';
 
 import Button from '@/components/button/button';
 import useConfigValue from '@/hooks/use-config-value/use-config-value';
+import useDomainAccess from '@/hooks/use-domain-access/use-domain-access';
 import { useDescribeWorkflow } from '@/views/workflow-page/hooks/use-describe-workflow';
 import { type WorkflowPageParams } from '@/views/workflow-page/workflow-page.types';
 
@@ -42,6 +43,10 @@ export default function WorkflowActions() {
       domain: params.domain,
       cluster: params.cluster,
     });
+  const { access, isLoading: isAccessLoading } = useDomainAccess({
+    domain: params.domain,
+    cluster: params.cluster,
+  });
 
   const [selectedAction, setSelectedAction] = useState<
     WorkflowAction<any, any, any> | undefined
@@ -60,6 +65,7 @@ export default function WorkflowActions() {
           <WorkflowActionsMenu
             workflow={workflow}
             actionsEnabledConfig={actionsEnabledConfig}
+            isWriteAuthorized={access?.canWrite !== false}
             onActionSelect={(action) => {
               setSelectedAction(action);
               close();
@@ -74,7 +80,9 @@ export default function WorkflowActions() {
           kind="secondary"
           endEnhancer={<MdArrowDropDown size={20} />}
           loadingIndicatorType="skeleton"
-          isLoading={isWorkflowLoading || isActionsEnabledLoading}
+          isLoading={
+            isWorkflowLoading || isActionsEnabledLoading || isAccessLoading
+          }
         >
           Workflow Actions
         </Button>