
Auth on the Frontend (Part 2): Authorization — RBAC, Permissions, and Safe Patterns

Authorization answers: "Is this user allowed to do this?" On the frontend, you use it to show or hide UI, enable or disable actions, and route users. The server must always enforce the same rules—the client only improves UX. This post covers RBAC (role-based access control), permission checks, and patterns that stay type-safe and aligned with your API.
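As an added example (not code from the original post), the following TypeScript shows what a type-safe RBAC check for UI decisions can look like. The role names, permission names, sample users and the `can` / `canAll` / `deleteButtonVisible` helpers are all constructed for illustration and are not an API from any library. The checks decide only what to render or enable; every request still has to be authorized on the server.

```typescript
// Added example for a type-safe frontend RBAC helper. Role and permission
// names below are constructed for illustration, not taken from a real API.

// Permissions are string literals so a typo fails at compile time.
type Permission =
  | "post:read"
  | "post:create"
  | "post:delete"
  | "user:manage";

type Role = "viewer" | "editor" | "admin";

// Single role -> permissions mapping. In a real app this map (or the already
// resolved permission list) should come from the API so the client never
// drifts from what the server enforces.
const ROLE_PERMISSIONS: Readonly<Record<Role, readonly Permission[]>> = {
  viewer: ["post:read"],
  editor: ["post:read", "post:create"],
  admin: ["post:read", "post:create", "post:delete", "user:manage"],
};

const KNOWN_ROLES: readonly Role[] = ["viewer", "editor", "admin"];

// Narrow untyped role strings from an API response; unknown roles are
// dropped rather than granted anything (default deny).
function isRole(value: string): value is Role {
  return (KNOWN_ROLES as readonly string[]).includes(value);
}

interface User {
  id: string;
  roles: Role[];
}

// Build a User from a raw API payload, discarding roles the client does not know.
function userFromApi(raw: { id: string; roles: string[] }): User {
  return { id: raw.id, roles: raw.roles.filter(isRole) };
}

// Resolve a user's effective permission set from all of their roles.
function permissionsFor(user: User): Set<Permission> {
  const perms = new Set<Permission>();
  for (const role of user.roles) {
    for (const p of ROLE_PERMISSIONS[role]) perms.add(p);
  }
  return perms;
}

// The check components call to show/hide or enable/disable UI.
// A missing (anonymous) user always yields false.
function can(user: User | null, permission: Permission): boolean {
  if (!user) return false;
  return permissionsFor(user).has(permission);
}

// Require every listed permission (e.g. for a composite admin screen).
function canAll(user: User | null, permissions: readonly Permission[]): boolean {
  return permissions.every((p) => can(user, p));
}

// A UI decision derived from the check. This only controls rendering;
// the DELETE endpoint must enforce the same rule on the server.
function deleteButtonVisible(user: User | null): boolean {
  return can(user, "post:delete");
}

// Constructed sample users, as if parsed from an API response.
const editor: User = userFromApi({ id: "u1", roles: ["editor"] });
const admin: User = userFromApi({ id: "u2", roles: ["admin", "superuser"] });
```

The `isRole` guard is the part that keeps the client aligned with the API: a role the frontend does not recognise (like the constructed `"superuser"` above) is ignored instead of being mapped to something unexpected, and `can` returns false for anonymous users, so the UI degrades toward showing less rather than more.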
Frontend vs backend: who decides?

Rule: The backend is the source of truth. Every mutation or sensitive read must be authorized on the server. The frontend only uses roles and permissions to: