***

title: Role-based access control
subtitle: Control who can view your documentation
description: >-
Learn how to restrict access to your documentation using role-based access
control (RBAC)
--------------

<Warning title="Pro and Enterprise feature">
  This feature is available only for the [Pro and Enterprise plans](https://buildwithfern.com/pricing). To get started, reach out to [support@buildwithfern.com](mailto:support@buildwithfern.com).
</Warning>

RBAC is a feature of [JWT](/learn/docs/authentication/setup/jwt) and [OAuth](/learn/docs/authentication/setup/oauth) authentication. Once a user logs in through either method, Fern checks the [`fern_token`](/learn/docs/authentication/overview#how-authentication-works) cookie to determine their roles and controls access to pages, sections, and other navigation items accordingly.

RBAC is useful for partner docs, beta features, tiered access, and internal content. You can combine it with [API key injection](/learn/docs/authentication/features/api-key-injection) in a single token. When RBAC is configured, [Ask Fern](/learn/docs/ai-features/ask-fern/overview) automatically respects these permissions.

<Note>
  If you'd like restricted pages to be visible but locked to unauthenticated users (rather than completely hidden), let Fern know during setup.
</Note>

## Setup

To enable RBAC, follow the [JWT](/learn/docs/authentication/setup/jwt) or [OAuth](/learn/docs/authentication/setup/oauth) setup guide, then define your roles in `docs.yml`:

```yml docs.yml
roles:
 - everyone # every user is given this role
 - partners
 - beta-users
 - admins
```

Every user automatically has the `everyone` role, including unauthenticated visitors. If a user lacks the required role or isn't authenticated, Fern redirects them to your login page.

## Restricting content

Once RBAC is configured, use `viewers` in your navigation and the `<If />` component in your pages to control what each role can see.

### In navigation

You can assign `viewers` to the following navigation items: `products`, `versions`, `tabs`, `sections`, `pages`, `api references`, and `changelogs`.

If you don't specify viewers, the content will be visible to any *authenticated* user. To make content publicly accessible, explicitly set viewers to `everyone`.

```yml docs.yml {6-7, 13-15}
navigation:
  - tab: Home
    layout:
      - page: Welcome # this page is public
        path: pages/welcome.mdx
        viewers:
          - everyone
  - tab: Documentation
    layout:
      - page: Overview # this page is visible to all logged-in users
        path: pages/overview.mdx
      - section: Beta Release # this section is visible to beta-users and admins
        viewers:
          - beta-users
          - admins
        contents:
          ...
```

Viewership is inherited. For example, if a section can only be viewed by `admins`, then all its pages and nested sections can also only be viewed by admins.

### In MDX pages

Use the `<If />` component to conditionally render content based on user roles:

```mdx
<If roles={["beta-users"]}>
  <Callout>
    This callout is only visible to beta users.
  </Callout>
</If>
```

You can specify multiple roles. Content will be visible to users who have **any** of the specified roles:

```mdx
<If roles={["partners", "admins"]}>
  <Callout>
    This content is visible to both partners and admins.
  </Callout>
</If>
```

<Note>
  The `<If>` component respects the same role inheritance rules as navigation items. If a user has access to a page, they can see all content on that page that matches their roles.
</Note>