Enterprise Features

Relevant source files

• apps/docs/content/docs/en/enterprise/index.mdx
• apps/sim/app/api/billing/route.ts
• apps/sim/app/api/billing/switch-plan/route.ts
• apps/sim/app/api/folders/[id]/duplicate/route.ts
• apps/sim/app/api/folders/route.test.ts
• apps/sim/app/api/folders/route.ts
• apps/sim/app/api/organizations/[id]/route.ts
• apps/sim/app/api/organizations/[id]/seats/route.ts
• apps/sim/app/api/tools/supabase/storage-upload/route.ts
• apps/sim/app/api/v1/admin/credits/route.ts
• apps/sim/app/api/workflows/route.test.ts
• apps/sim/app/api/workspaces/[id]/byok-keys/route.ts
• apps/sim/hooks/queries/byok-keys.ts
• apps/sim/hooks/queries/folders.test.ts
• apps/sim/hooks/queries/utils/top-insertion-sort-order.ts
• apps/sim/lib/api-key/byok.ts
• apps/sim/lib/billing/webhooks/invoices.ts
• apps/sim/lib/workflows/persistence/duplicate.test.ts
• apps/sim/tools/supabase/storage_upload.ts

The Enterprise tier of Sim Studio is designed for organizations requiring advanced security, fine-grained access control, and scalable subscription management. These features are typically gated by environment variables or specific plan identifiers within the database.

High-Level Capabilities

The enterprise suite focuses on four primary pillars:

1. Identity & Access: Support for Single Sign-On (SSO) and Role-Based Access Control (RBAC).
2. Resource Governance: Fine-grained permission groups and audit logging for folders and workflows.
3. Scalable Billing: Seat-based management, overage threshold billing, and Stripe-integrated organization plans.
4. Compliance & Customization: Whitelabeling, BYOK (Bring Your Own Key) for AI providers, and audit trails.

Enterprise Logic Flow

The following diagram illustrates how enterprise features are gated and resolved within the system, bridging high-level concepts to specific code entities like isEnterprise and isBillingEnabled.

Enterprise Feature Resolution

Sources: apps/sim/lib/billing/plan-helpers.ts18 apps/sim/app/api/organizations/[id]/seats/route.ts:7-16, apps/sim/app/api/workspaces/[id]/byok-keys/route.ts:1-12, apps/sim/app/api/billing/switch-plan/route.ts73-78

---

Single Sign-On (SSO) {#15.1}

Sim Studio supports enterprise identity providers via OIDC and SAML. This allows organizations to manage user lifecycle through external directories like Okta or Microsoft Azure AD.

• Provider Management: Scripts and UI components exist for registering and deregistering SSO providers.
• Authentication Flow: Enterprise users are redirected to their organization-specific login portal based on domain or slug.
• Feature Gating: SSO capabilities are checked via isSsoEnabled within the subscription core.

For implementation details, see Single Sign-On (SSO).

---

Access Control & Permission Groups {#15.2}

Beyond basic roles (Owner, Admin, Member), enterprise users can utilize Permission Groups to manage access at a granular level.

• Gating: This feature is enabled via the NEXT_PUBLIC_ACCESS_CONTROL_ENABLED flag and verified via getUserEntityPermissions apps/sim/app/api/folders/route.ts38-46
• Entities: The system uses member, organization, and workspace tables to map users to specific capabilities.
• Audit Logging: Critical actions like folder duplication or organization updates are recorded via recordAudit for compliance tracking apps/sim/app/api/folders/[id]/duplicate/route.ts:148-163, apps/sim/app/api/organizations/[id]/route.ts:196-208.

For details on the RBAC implementation, see Access Control & Permission Groups.

---

Billing & Subscription Management {#15.3}

Enterprise billing is managed through a combination of Stripe integration and internal organization management.

Organization & Seat Management

Organizations support complex seat-based structures for teams.

• Seat-Based Billing: Admins can update seat counts via PUT /api/organizations/[id]/seats, which triggers a stripe.subscriptions.update call with proration_behavior: 'always_invoice' apps/sim/app/api/organizations/[id]/seats/route.ts:169-180.
• Seat Validation: The system prevents reducing seats below the current member count apps/sim/app/api/organizations/[id]/seats/route.ts:113-121.
• Usage Limits: Organizations have an orgUsageLimit that is updated when seat counts change apps/sim/app/api/organizations/[id]/seats/route.ts:191-213.

Webhook & Credit Pipeline

The StripeInvoiceWebhooks handler manages the lifecycle of enterprise accounts:

• Invoicing: Processes overage_billing and overage_threshold_billing for large-scale users apps/sim/lib/billing/webhooks/invoices.ts27-31
• Admin Credits: Admins can manually issue credits to organizations via addCredits, which updates the creditBalance in the organization table apps/sim/app/api/v1/admin/credits/route.ts157-166
• Failure Handling: Automatically notifies organization owners and admins if a subscription payment fails apps/sim/lib/billing/webhooks/invoices.ts159-181

Billing Entity Relationship This diagram maps the logical billing flow to the underlying database schema and Stripe integration points.

Sources: apps/sim/lib/billing/webhooks/invoices.ts2-9 apps/sim/app/api/organizations/[id]/seats/route.ts:184-190, apps/sim/app/api/v1/admin/credits/route.ts26-38

For technical integration details, see Billing & Subscription Management.

---

Bring Your Own Key (BYOK)

Enterprise workspaces can provide their own API keys for AI providers (OpenAI, Anthropic, Google, etc.) to bypass platform-level billing and usage limits.

• Storage: Keys are encrypted via encryptSecret and stored in the workspaceBYOKKeys table apps/sim/app/api/workspaces/[id]/byok-keys/route.ts:149-160.
• Resolution: The getApiKeyWithBYOK utility checks if a workspace has a valid key before falling back to system keys apps/sim/lib/api-key/byok.ts57-105
• Management: Admins can manage these keys through the workspace settings UI, which uses the useUpsertBYOKKey and useDeleteBYOKKey hooks apps/sim/hooks/queries/byok-keys.ts53-110

Sources: apps/sim/app/api/workspaces/[id]/byok-keys/route.ts:1-12, apps/sim/lib/api-key/byok.ts20-55 apps/sim/hooks/queries/byok-keys.ts21-45