diff --git a/README.md b/README.md
index 970716ff2..d97413b11 100644
--- a/README.md
+++ b/README.md
@@ -21,6 +21,7 @@ Set these environment variables if you need to change their defaults
 | CADENCE_WEB_PORT             | HTTP port to serve on                                                         | 8088             |
 | CADENCE_WEB_HOSTNAME         | Host name to serve on                                                         | 0.0.0.0          |
 | CADENCE_ADMIN_SECURITY_TOKEN | Admin token for accessing admin methods                                       | ''               |
+| CADENCE_WEB_RBAC_ENABLED     | Enables RBAC-aware UI (login/logout).                                         | false            |
 | CADENCE_GRPC_TLS_CA_FILE     | Path to root CA certificate file for enabling one-way TLS on gRPC connections | ''               |
 | CADENCE_WEB_SERVICE_NAME     | Name of the web service used as GRPC caller and OTEL resource name            | cadence-web      |
 
@@ -34,6 +35,20 @@ CADENCE_GRPC_SERVICES_NAMES=cadence-frontend-cluster0,cadence-frontend-cluster1
 CADENCE_CLUSTERS_NAMES=cluster0,cluster1
 ```
 
+#### RBAC Authentication (JWT cookie)
+
+When `CADENCE_WEB_RBAC_ENABLED=true`, cadence-web authenticates using a cookie:
+
+- Cookie name: `cadence-authorization`
+- Cookie value: raw JWT string
+
+To integrate an upstream proxy / IdP, set the cookie for the cadence-web origin:
+
+```
+Set-Cookie: cadence-authorization=<JWT>; Path=/; HttpOnly; SameSite=Lax; Secure
+```
+You can also set/clear the cookie via `POST /api/auth/token` and `DELETE /api/auth/token`; or use `Login with JWT` button in the UI.
+
 #### Feature flags
 
 Feature flags control various UI features and functionality in `cadence-web`. These can be configured using environment variables.
diff --git a/src/app/api/auth/me/route.ts b/src/app/api/auth/me/route.ts
new file mode 100644
index 000000000..168ed03b8
--- /dev/null
+++ b/src/app/api/auth/me/route.ts
@@ -0,0 +1,13 @@
+import { NextResponse, type NextRequest } from 'next/server';
+
+import {
+  getPublicAuthContext,
+  resolveAuthContext,
+} from '@/utils/auth/auth-context';
+
+export async function GET(request: NextRequest) {
+  const authContext = await resolveAuthContext(request.cookies);
+  return NextResponse.json(getPublicAuthContext(authContext), {
+    headers: { 'Cache-Control': 'no-store' },
+  });
+}
diff --git a/src/app/api/auth/token/route.ts b/src/app/api/auth/token/route.ts
new file mode 100644
index 000000000..dafc36b16
--- /dev/null
+++ b/src/app/api/auth/token/route.ts
@@ -0,0 +1,61 @@
+import { NextResponse, type NextRequest } from 'next/server';
+
+import { CADENCE_AUTH_COOKIE_NAME } from '@/utils/auth/auth-context';
+
+const COOKIE_OPTIONS = {
+  httpOnly: true,
+  sameSite: 'lax' as const,
+  path: '/',
+};
+
+function getCookieSecureAttribute(request: NextRequest) {
+  const xfProto = request.headers.get('x-forwarded-proto');
+  const proto = xfProto?.split(',')[0]?.trim().toLowerCase();
+  if (proto) return proto === 'https';
+  return request.nextUrl.protocol === 'https:';
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    const body = await request.json();
+    if (!body?.token || typeof body.token !== 'string') {
+      return NextResponse.json(
+        { message: 'A valid token is required' },
+        { status: 400, headers: { 'Cache-Control': 'no-store' } }
+      );
+    }
+
+    const normalizedToken = body.token.trim().replace(/^bearer\s+/i, '');
+    if (!normalizedToken) {
+      return NextResponse.json(
+        { message: 'A valid token is required' },
+        { status: 400, headers: { 'Cache-Control': 'no-store' } }
+      );
+    }
+
+    const response = NextResponse.json({ ok: true });
+    response.headers.set('Cache-Control', 'no-store');
+    response.cookies.set(CADENCE_AUTH_COOKIE_NAME, normalizedToken, {
+      ...COOKIE_OPTIONS,
+      secure: getCookieSecureAttribute(request),
+    });
+    return response;
+  } catch {
+    return NextResponse.json(
+      { message: 'Invalid request body' },
+      { status: 400, headers: { 'Cache-Control': 'no-store' } }
+    );
+  }
+}
+
+export async function DELETE(request: NextRequest) {
+  const response = NextResponse.json({ ok: true });
+  response.headers.set('Cache-Control', 'no-store');
+  response.cookies.set(CADENCE_AUTH_COOKIE_NAME, '', {
+    ...COOKIE_OPTIONS,
+    secure: getCookieSecureAttribute(request),
+    expires: new Date(0),
+    maxAge: 0,
+  });
+  return response;
+}
diff --git a/src/components/app-nav-bar/app-nav-bar.tsx b/src/components/app-nav-bar/app-nav-bar.tsx
index c30c221e3..db36bc344 100644
--- a/src/components/app-nav-bar/app-nav-bar.tsx
+++ b/src/components/app-nav-bar/app-nav-bar.tsx
@@ -1,29 +1,202 @@
 'use client';
+import React, {
+  useCallback,
+  useEffect,
+  useMemo,
+  useRef,
+  useState,
+} from 'react';
+
 import { AppNavBar as BaseAppNavBar } from 'baseui/app-nav-bar';
+import { useSnackbar } from 'baseui/snackbar';
 import NextLink from 'next/link';
+import { usePathname, useRouter } from 'next/navigation';
 
 import useStyletronClasses from '@/hooks/use-styletron-classes';
+import useUserInfo from '@/hooks/use-user-info/use-user-info';
+import request from '@/utils/request';
+
+import AuthTokenModal from '../auth-token-modal/auth-token-modal';
 
 import { cssStyles } from './app-nav-bar.styles';
 
+const LOGIN_ITEM = 'login';
+const LOGOUT_ITEM = 'logout';
+
 export default function AppNavBar() {
   const { cls } = useStyletronClasses(cssStyles);
-  return (
-    <BaseAppNavBar
-      title={
-        <NextLink href="/">
-          <svg
-            className={cls.titleIcon}
-            viewBox="0 0 92 24"
-            xmlns="http://www.w3.org/2000/svg"
-          >
-            <path
-              d="m0.66 12.278c0-0.44 0.029333-0.8653 0.088-1.276 0.073333-0.4253 0.176-0.836 0.308-1.232s0.29333-0.7773 0.484-1.144 0.40333-0.71133 0.638-1.034c0.24933-0.33733 0.51333-0.65267 0.792-0.946 0.29333-0.29333 0.60867-0.55733 0.946-0.792 0.33733-0.24933 0.69667-0.46934 1.078-0.66001 0.38133-0.19066 0.77733-0.35199 1.188-0.48399 0.42533-0.132 0.858-0.22733 1.298-0.286 0.45467-0.07333 0.91667-0.11 1.386-0.11 1.3787 0 2.64 0.308 3.784 0.924s2.09 1.4153 2.838 2.398l-2.31 1.694c-0.4987-0.704-1.1293-1.2613-1.892-1.672-0.7627-0.42533-1.5547-0.638-2.376-0.638-0.36667 0-0.726 0.03667-1.078 0.11-0.33733 0.05867-0.66733 0.154-0.99 0.286-0.308 0.11733-0.60133 0.264-0.88 0.44s-0.53533 0.3813-0.77 0.616-0.44733 0.49129-0.638 0.76999-0.352 0.57931-0.484 0.90201-0.23467 0.66-0.308 1.012c-0.05867 0.352-0.088 0.726-0.088 1.122s0.03667 0.7773 0.11 1.144c0.07333 0.352 0.176 0.6893 0.308 1.012s0.29333 0.6233 0.484 0.902 0.40333 0.5353 0.638 0.77 0.49133 0.44 0.77 0.616 0.572 0.33 0.88 0.462c0.32267 0.1173 0.65267 0.2127 0.99 0.286 0.33733 0.0587 0.68933 0.088 1.056 0.088 0.88 0 1.7013-0.198 2.464-0.594 0.7773-0.4107 1.4007-0.9753 1.87-1.694l2.31 1.694c-0.7187 0.9827-1.65 1.782-2.794 2.398s-2.42 0.924-3.828 0.924c-0.484 0-0.95333-0.0367-1.408-0.11-0.45467-0.0587-0.89467-0.154-1.32-0.286-0.41067-0.132-0.80667-0.2933-1.188-0.484s-0.748-0.4033-1.1-0.638c-0.33733-0.2347-0.65267-0.4987-0.946-0.792-0.27867-0.2933-0.54267-0.6013-0.792-0.924-0.24933-0.3373-0.46933-0.6893-0.66-1.056-0.176-0.3667-0.33-0.748-0.462-1.144-0.132-0.4107-0.23467-0.8287-0.308-1.254-0.058667-0.4253-0.088-0.8653-0.088-1.32zm15.83 4.532c0-1.012 0.33-1.804 0.99-2.376 0.6746-0.5867 1.6133-0.924 2.816-1.012l3.344-0.242v-0.44c0-0.5573-0.1834-0.9973-0.55-1.32-0.352-0.3227-0.8654-0.484-1.54-0.484-0.5134 0-1.0194 0.088-1.518 0.264-0.4987 0.1613-0.9974 0.4107-1.496 0.748l-1.21-2.046c0.66-0.484 1.3713-0.85801 2.134-1.122 0.7626-0.264 1.5766-0.39599 2.442-0.39599 1.364 0 2.4566 0.3667 3.278 1.1 0.836 0.7333 1.254 1.7013 1.254 2.904v4.466c0 0.2053 0.0513 0.3667 0.154 0.484 0.1173 0.1173 0.2786 0.176 0.484 0.176h0.594v2.486h-1.342c-0.5427 0-1.0194-0.1173-1.43-0.352-0.4107-0.2493-0.7114-0.5793-0.902-0.99-0.396 0.4987-0.902 0.8947-1.518 1.188s-1.298 0.44-2.046 0.44c-1.1294 0-2.068-0.33-2.816-0.99s-1.122-1.4887-1.122-2.486zm2.75-0.022c0 0.396 0.1686 0.7113 0.506 0.946 0.3373 0.2347 0.7773 0.352 1.32 0.352 0.7186 0 1.3273-0.198 1.826-0.594 0.4986-0.4107 0.748-0.902 0.748-1.474v-0.726l-2.948 0.264c-0.484 0.044-0.8507 0.1687-1.1 0.374-0.2347 0.2053-0.352 0.4913-0.352 0.858zm21.739 3.212h-2.86v-1.056c-0.4987 0.4253-1.0633 0.7627-1.694 1.012-0.6307 0.2347-1.2907 0.352-1.98 0.352-0.3813 0-0.748-0.0367-1.1-0.11-0.352-0.0587-0.6967-0.1467-1.034-0.264s-0.6527-0.264-0.946-0.44-0.572-0.374-0.836-0.594-0.5133-0.462-0.748-0.726c-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3227-0.6013-0.44-0.924c-0.1173-0.3373-0.2127-0.6747-0.286-1.012-0.0587-0.352-0.088-0.7113-0.088-1.078s0.0293-0.726 0.088-1.078c0.0733-0.352 0.1687-0.6893 0.286-1.012s0.264-0.6307 0.44-0.924 0.374-0.572 0.594-0.836c0.2347-0.264 0.484-0.506 0.748-0.726s0.5427-0.418 0.836-0.594 0.6087-0.32271 0.946-0.44001 0.682-0.20529 1.034-0.26399c0.352-0.0733 0.7187-0.11 1.1-0.11 0.6893 0 1.342 0.12469 1.958 0.37399 0.6307 0.2347 1.1953 0.55731 1.694 0.96801v-5.082h2.882v15.4zm-2.838-5.676c0-0.968-0.3373-1.782-1.012-2.442-0.6747-0.6747-1.4887-1.012-2.442-1.012-0.9387 0-1.7527 0.3373-2.442 1.012-0.6747 0.66-1.012 1.474-1.012 2.442 0 0.9533 0.3373 1.7747 1.012 2.464 0.6893 0.6747 1.5033 1.012 2.442 1.012 0.9533 0 1.7673-0.3373 2.442-1.012 0.6747-0.6893 1.012-1.5107 1.012-2.464zm4.4117-0.022c0-0.352 0.0293-0.6967 0.088-1.034s0.1467-0.6673 0.264-0.99 0.2567-0.6307 0.418-0.924c0.176-0.2933 0.3667-0.572 0.572-0.836 0.22-0.264 0.4547-0.506 0.704-0.726 0.264-0.22 0.5353-0.418 0.814-0.594 0.2933-0.176 0.6013-0.3227 0.924-0.44 0.3373-0.132 0.682-0.2273 1.034-0.286 0.352-0.0733 0.7113-0.11 1.078-0.11 0.4253 0 0.836 0.0367 1.232 0.11s0.77 0.1833 1.122 0.33 0.682 0.33 0.99 0.55c0.308 0.2053 0.5867 0.4473 0.836 0.726 0.264 0.264 0.4987 0.5573 0.704 0.88s0.374 0.6673 0.506 1.034c0.1467 0.3667 0.2567 0.7553 0.33 1.166s0.11 0.836 0.11 1.276v0.836h-8.778c0.1907 0.7333 0.572 1.342 1.144 1.826s1.254 0.726 2.046 0.726c0.6013 0 1.144-0.11 1.628-0.33 0.4987-0.2347 0.9533-0.6233 1.364-1.166l2.002 1.496c-0.572 0.7773-1.2833 1.386-2.134 1.826-0.836 0.4253-1.782 0.638-2.838 0.638-0.3813 0-0.7553-0.0293-1.122-0.088s-0.7187-0.1467-1.056-0.264-0.66-0.2567-0.968-0.418c-0.308-0.176-0.594-0.3667-0.858-0.572-0.264-0.22-0.5133-0.4547-0.748-0.704-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3227-0.6013-0.44-0.924c-0.1173-0.3373-0.2127-0.6893-0.286-1.056-0.0587-0.3667-0.088-0.7407-0.088-1.122zm5.83-3.476c-0.6747 0-1.2687 0.2053-1.782 0.616-0.5133 0.396-0.8653 0.9387-1.056 1.628h5.83c-0.2053-0.704-0.5867-1.254-1.144-1.65-0.5427-0.396-1.1587-0.594-1.848-0.594zm17.994 1.936v7.238h-2.882v-6.666c0-0.7333-0.22-1.32-0.66-1.76-0.4254-0.4547-0.99-0.682-1.694-0.682-0.6894 0-1.2614 0.22-1.716 0.66-0.44 0.44-0.66 1.034-0.66 1.782v6.666h-2.882v-11.374h2.882v0.968c0.396-0.4107 0.858-0.72601 1.386-0.94601 0.5426-0.22 1.122-0.32999 1.738-0.32999 0.3373 0 0.6526 0.0293 0.946 0.088 0.308 0.0587 0.6013 0.1467 0.88 0.264 0.2786 0.1027 0.5353 0.2347 0.77 0.396 0.2346 0.1613 0.4473 0.3447 0.638 0.55 0.2053 0.1907 0.3813 0.4107 0.528 0.66 0.1613 0.2347 0.2933 0.484 0.396 0.748 0.1026 0.264 0.1833 0.5427 0.242 0.836 0.0586 0.2933 0.088 0.594 0.088 0.902zm4.4524 1.54c0 0.9533 0.33 1.7673 0.99 2.442 0.6747 0.6747 1.474 1.012 2.398 1.012 0.6013 0 1.144-0.132 1.628-0.396 0.4987-0.264 0.9093-0.6233 1.232-1.078l2.046 1.496c-0.572 0.748-1.2613 1.3567-2.068 1.826-0.792 0.4547-1.738 0.682-2.838 0.682-0.396 0-0.7773-0.0367-1.144-0.11-0.3667-0.0587-0.726-0.1467-1.078-0.264-0.3373-0.1173-0.66-0.264-0.968-0.44s-0.6013-0.374-0.88-0.594c-0.264-0.22-0.5133-0.462-0.748-0.726-0.22-0.264-0.418-0.5427-0.594-0.836s-0.33-0.6013-0.462-0.924c-0.1173-0.3227-0.2127-0.66-0.286-1.012-0.0587-0.352-0.088-0.7113-0.088-1.078s0.0293-0.726 0.088-1.078c0.0733-0.352 0.1687-0.6893 0.286-1.012 0.132-0.3227 0.286-0.6307 0.462-0.924s0.374-0.5647 0.594-0.814c0.2347-0.264 0.484-0.506 0.748-0.726 0.2787-0.22 0.572-0.418 0.88-0.594s0.6307-0.32271 0.968-0.44001c0.352-0.1173 0.7113-0.20529 1.078-0.26399 0.3667-0.0733 0.748-0.11 1.144-0.11 1.1 0 2.046 0.23469 2.838 0.70399 0.8067 0.4547 1.496 1.056 2.068 1.804l-2.046 1.496c-0.3227-0.4547-0.7333-0.814-1.232-1.078-0.484-0.264-1.0267-0.396-1.628-0.396-0.924 0-1.7233 0.3373-2.398 1.012-0.66 0.66-0.99 1.4667-0.99 2.42zm8.6556 0c0-0.352 0.0294-0.6967 0.088-1.034 0.0587-0.3373 0.1467-0.6673 0.264-0.99 0.1174-0.3227 0.2567-0.6307 0.418-0.924 0.176-0.2933 0.3667-0.572 0.572-0.836 0.22-0.264 0.4547-0.506 0.704-0.726 0.264-0.22 0.5354-0.418 0.814-0.594 0.2934-0.176 0.6014-0.3227 0.924-0.44 0.3374-0.132 0.682-0.2273 1.034-0.286 0.352-0.0733 0.7114-0.11 1.078-0.11 0.4254 0 0.836 0.0367 1.232 0.11s0.77 0.1833 1.122 0.33 0.682 0.33 0.99 0.55c0.308 0.2053 0.5867 0.4473 0.836 0.726 0.264 0.264 0.4987 0.5573 0.704 0.88 0.2054 0.3227 0.374 0.6673 0.506 1.034 0.1467 0.3667 0.2567 0.7553 0.33 1.166 0.0734 0.4107 0.11 0.836 0.11 1.276v0.836h-8.778c0.1907 0.7333 0.572 1.342 1.144 1.826s1.254 0.726 2.046 0.726c0.6014 0 1.144-0.11 1.628-0.33 0.4987-0.2347 0.9534-0.6233 1.364-1.166l2.002 1.496c-0.572 0.7773-1.2833 1.386-2.134 1.826-0.836 0.4253-1.782 0.638-2.838 0.638-0.3813 0-0.7553-0.0293-1.122-0.088-0.3666-0.0587-0.7186-0.1467-1.056-0.264-0.3373-0.1173-0.66-0.2567-0.968-0.418-0.308-0.176-0.594-0.3667-0.858-0.572-0.264-0.22-0.5133-0.4547-0.748-0.704-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3226-0.6013-0.44-0.924c-0.1173-0.3373-0.2126-0.6893-0.286-1.056-0.0586-0.3667-0.088-0.7407-0.088-1.122zm5.83-3.476c-0.6746 0-1.2686 0.2053-1.782 0.616-0.5133 0.396-0.8653 0.9387-1.056 1.628h5.83c-0.2053-0.704-0.5866-1.254-1.144-1.65-0.5426-0.396-1.1586-0.594-1.848-0.594z"
-              fill="#000"
-            />
-          </svg>
-        </NextLink>
+  const router = useRouter();
+  const pathname = usePathname();
+  const { enqueue } = useSnackbar();
+  const [isModalOpen, setIsModalOpen] = useState(false);
+
+  const { data: authInfo, isLoading: isAuthLoading, refetch } = useUserInfo();
+  const isRbacEnabled = authInfo?.rbacEnabled === true;
+  const isAuthenticated = authInfo?.isAuthenticated === true;
+  const isAdmin = authInfo?.isAdmin === true;
+  const expiresAtMs =
+    typeof authInfo?.expiresAtMs === 'number'
+      ? authInfo.expiresAtMs
+      : undefined;
+  const logoutInFlightRef = useRef(false);
+  const prevIsAuthenticatedRef = useRef<boolean | null>(null);
+  const logoutReasonRef = useRef<'manual' | 'expired' | null>(null);
+
+  const userItems = useMemo(() => {
+    if (!isRbacEnabled) return undefined;
+    if (!isAuthenticated) {
+      return [{ label: 'Login with JWT', info: LOGIN_ITEM }];
+    }
+    return [
+      { label: 'Switch token', info: LOGIN_ITEM },
+      { label: 'Logout', info: LOGOUT_ITEM },
+    ];
+  }, [isAuthenticated, isRbacEnabled]);
+
+  const username = useMemo(() => {
+    if (!isRbacEnabled) {
+      return undefined;
+    }
+    if (isAuthLoading || !authInfo) {
+      return 'Checking access...';
+    }
+    return isAuthenticated
+      ? authInfo.userName || 'Authenticated user (unknown username)'
+      : 'Authenticate';
+  }, [authInfo, isAuthLoading, isAuthenticated, isRbacEnabled]);
+
+  const usernameSubtitle =
+    isRbacEnabled && isAuthenticated
+      ? isAdmin
+        ? 'Admin'
+        : undefined
+      : isRbacEnabled
+        ? 'Provide a Cadence JWT'
+        : undefined;
+
+  const saveToken = async (token: string) => {
+    try {
+      await request('/api/auth/token', {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ token }),
+      });
+      await refetch();
+      enqueue({ message: 'Token saved' });
+      setIsModalOpen(false);
+      router.refresh();
+    } catch (e) {
+      const message =
+        e instanceof Error ? e.message : 'Failed to save authentication token';
+      enqueue({ message });
+      throw e;
+    }
+  };
+
+  const logout = useCallback(
+    async (reason: 'manual' | 'expired') => {
+      if (logoutInFlightRef.current) return;
+      logoutInFlightRef.current = true;
+      logoutReasonRef.current = reason;
+      try {
+        await request('/api/auth/token', { method: 'DELETE' });
+      } catch (e) {
+        logoutReasonRef.current = null;
+        const message = e instanceof Error ? e.message : 'Failed to sign out';
+        enqueue({ message });
+      } finally {
+        setIsModalOpen(false);
+        await refetch();
+        router.refresh();
+        router.replace('/domains');
+        logoutInFlightRef.current = false;
       }
-    />
+    },
+    [enqueue, refetch, router]
+  );
+
+  useEffect(() => {
+    if (!isRbacEnabled || isAuthLoading || !authInfo) return;
+    const prevIsAuthenticated = prevIsAuthenticatedRef.current;
+    prevIsAuthenticatedRef.current = isAuthenticated;
+
+    if (prevIsAuthenticated === true && !isAuthenticated) {
+      const reason = logoutReasonRef.current;
+      logoutReasonRef.current = null;
+      enqueue({
+        message:
+          reason === 'manual'
+            ? 'Signed out'
+            : 'Session expired. Please sign in again.',
+      });
+      if (pathname === '/domains') {
+        router.refresh();
+      } else {
+        router.replace('/domains');
+      }
+    }
+  }, [
+    authInfo,
+    enqueue,
+    isAuthenticated,
+    isAuthLoading,
+    isRbacEnabled,
+    pathname,
+    router,
+  ]);
+
+  useEffect(() => {
+    if (!isRbacEnabled || !isAuthenticated || expiresAtMs === undefined) return;
+    const timeoutMs = expiresAtMs - Date.now();
+    if (timeoutMs <= 0) {
+      void logout('expired');
+      return;
+    }
+
+    const id = window.setTimeout(() => {
+      void logout('expired');
+    }, timeoutMs);
+
+    return () => {
+      window.clearTimeout(id);
+    };
+  }, [expiresAtMs, isAuthenticated, isRbacEnabled, logout]);
+
+  return (
+    <>
+      <BaseAppNavBar
+        title={
+          <NextLink href="/">
+            <svg
+              className={cls.titleIcon}
+              viewBox="0 0 92 24"
+              xmlns="http://www.w3.org/2000/svg"
+            >
+              <path
+                d="m0.66 12.278c0-0.44 0.029333-0.8653 0.088-1.276 0.073333-0.4253 0.176-0.836 0.308-1.232s0.29333-0.7773 0.484-1.144 0.40333-0.71133 0.638-1.034c0.24933-0.33733 0.51333-0.65267 0.792-0.946 0.29333-0.29333 0.60867-0.55733 0.946-0.792 0.33733-0.24933 0.69667-0.46934 1.078-0.66001 0.38133-0.19066 0.77733-0.35199 1.188-0.48399 0.42533-0.132 0.858-0.22733 1.298-0.286 0.45467-0.07333 0.91667-0.11 1.386-0.11 1.3787 0 2.64 0.308 3.784 0.924s2.09 1.4153 2.838 2.398l-2.31 1.694c-0.4987-0.704-1.1293-1.2613-1.892-1.672-0.7627-0.42533-1.5547-0.638-2.376-0.638-0.36667 0-0.726 0.03667-1.078 0.11-0.33733 0.05867-0.66733 0.154-0.99 0.286-0.308 0.11733-0.60133 0.264-0.88 0.44s-0.53533 0.3813-0.77 0.616-0.44733 0.49129-0.638 0.76999-0.352 0.57931-0.484 0.90201-0.23467 0.66-0.308 1.012c-0.05867 0.352-0.088 0.726-0.088 1.122s0.03667 0.7773 0.11 1.144c0.07333 0.352 0.176 0.6893 0.308 1.012s0.29333 0.6233 0.484 0.902 0.40333 0.5353 0.638 0.77 0.49133 0.44 0.77 0.616 0.572 0.33 0.88 0.462c0.32267 0.1173 0.65267 0.2127 0.99 0.286 0.33733 0.0587 0.68933 0.088 1.056 0.088 0.88 0 1.7013-0.198 2.464-0.594 0.7773-0.4107 1.4007-0.9753 1.87-1.694l2.31 1.694c-0.7187 0.9827-1.65 1.782-2.794 2.398s-2.42 0.924-3.828 0.924c-0.484 0-0.95333-0.0367-1.408-0.11-0.45467-0.0587-0.89467-0.154-1.32-0.286-0.41067-0.132-0.80667-0.2933-1.188-0.484s-0.748-0.4033-1.1-0.638c-0.33733-0.2347-0.65267-0.4987-0.946-0.792-0.27867-0.2933-0.54267-0.6013-0.792-0.924-0.24933-0.3373-0.46933-0.6893-0.66-1.056-0.176-0.3667-0.33-0.748-0.462-1.144-0.132-0.4107-0.23467-0.8287-0.308-1.254-0.058667-0.4253-0.088-0.8653-0.088-1.32zm15.83 4.532c0-1.012 0.33-1.804 0.99-2.376 0.6746-0.5867 1.6133-0.924 2.816-1.012l3.344-0.242v-0.44c0-0.5573-0.1834-0.9973-0.55-1.32-0.352-0.3227-0.8654-0.484-1.54-0.484-0.5134 0-1.0194 0.088-1.518 0.264-0.4987 0.1613-0.9974 0.4107-1.496 0.748l-1.21-2.046c0.66-0.484 1.3713-0.85801 2.134-1.122 0.7626-0.264 1.5766-0.39599 2.442-0.39599 1.364 0 2.4566 0.3667 3.278 1.1 0.836 0.7333 1.254 1.7013 1.254 2.904v4.466c0 0.2053 0.0513 0.3667 0.154 0.484 0.1173 0.1173 0.2786 0.176 0.484 0.176h0.594v2.486h-1.342c-0.5427 0-1.0194-0.1173-1.43-0.352-0.4107-0.2493-0.7114-0.5793-0.902-0.99-0.396 0.4987-0.902 0.8947-1.518 1.188s-1.298 0.44-2.046 0.44c-1.1294 0-2.068-0.33-2.816-0.99s-1.122-1.4887-1.122-2.486zm2.75-0.022c0 0.396 0.1686 0.7113 0.506 0.946 0.3373 0.2347 0.7773 0.352 1.32 0.352 0.7186 0 1.3273-0.198 1.826-0.594 0.4986-0.4107 0.748-0.902 0.748-1.474v-0.726l-2.948 0.264c-0.484 0.044-0.8507 0.1687-1.1 0.374-0.2347 0.2053-0.352 0.4913-0.352 0.858zm21.739 3.212h-2.86v-1.056c-0.4987 0.4253-1.0633 0.7627-1.694 1.012-0.6307 0.2347-1.2907 0.352-1.98 0.352-0.3813 0-0.748-0.0367-1.1-0.11-0.352-0.0587-0.6967-0.1467-1.034-0.264s-0.6527-0.264-0.946-0.44-0.572-0.374-0.836-0.594-0.5133-0.462-0.748-0.726c-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3227-0.6013-0.44-0.924c-0.1173-0.3373-0.2127-0.6747-0.286-1.012-0.0587-0.352-0.088-0.7113-0.088-1.078s0.0293-0.726 0.088-1.078c0.0733-0.352 0.1687-0.6893 0.286-1.012s0.264-0.6307 0.44-0.924 0.374-0.572 0.594-0.836c0.2347-0.264 0.484-0.506 0.748-0.726s0.5427-0.418 0.836-0.594 0.6087-0.32271 0.946-0.44001 0.682-0.20529 1.034-0.26399c0.352-0.0733 0.7187-0.11 1.1-0.11 0.6893 0 1.342 0.12469 1.958 0.37399 0.6307 0.2347 1.1953 0.55731 1.694 0.96801v-5.082h2.882v15.4zm-2.838-5.676c0-0.968-0.3373-1.782-1.012-2.442-0.6747-0.6747-1.4887-1.012-2.442-1.012-0.9387 0-1.7527 0.3373-2.442 1.012-0.6747 0.66-1.012 1.474-1.012 2.442 0 0.9533 0.3373 1.7747 1.012 2.464 0.6893 0.6747 1.5033 1.012 2.442 1.012 0.9533 0 1.7673-0.3373 2.442-1.012 0.6747-0.6893 1.012-1.5107 1.012-2.464zm4.4117-0.022c0-0.352 0.0293-0.6967 0.088-1.034s0.1467-0.6673 0.264-0.99 0.2567-0.6307 0.418-0.924c0.176-0.2933 0.3667-0.572 0.572-0.836 0.22-0.264 0.4547-0.506 0.704-0.726 0.264-0.22 0.5353-0.418 0.814-0.594 0.2933-0.176 0.6013-0.3227 0.924-0.44 0.3373-0.132 0.682-0.2273 1.034-0.286 0.352-0.0733 0.7113-0.11 1.078-0.11 0.4253 0 0.836 0.0367 1.232 0.11s0.77 0.1833 1.122 0.33 0.682 0.33 0.99 0.55c0.308 0.2053 0.5867 0.4473 0.836 0.726 0.264 0.264 0.4987 0.5573 0.704 0.88s0.374 0.6673 0.506 1.034c0.1467 0.3667 0.2567 0.7553 0.33 1.166s0.11 0.836 0.11 1.276v0.836h-8.778c0.1907 0.7333 0.572 1.342 1.144 1.826s1.254 0.726 2.046 0.726c0.6013 0 1.144-0.11 1.628-0.33 0.4987-0.2347 0.9533-0.6233 1.364-1.166l2.002 1.496c-0.572 0.7773-1.2833 1.386-2.134 1.826-0.836 0.4253-1.782 0.638-2.838 0.638-0.3813 0-0.7553-0.0293-1.122-0.088s-0.7187-0.1467-1.056-0.264-0.66-0.2567-0.968-0.418c-0.308-0.176-0.594-0.3667-0.858-0.572-0.264-0.22-0.5133-0.4547-0.748-0.704-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3227-0.6013-0.44-0.924c-0.1173-0.3373-0.2127-0.6893-0.286-1.056-0.0587-0.3667-0.088-0.7407-0.088-1.122zm5.83-3.476c-0.6747 0-1.2687 0.2053-1.782 0.616-0.5133 0.396-0.8653 0.9387-1.056 1.628h5.83c-0.2053-0.704-0.5867-1.254-1.144-1.65-0.5427-0.396-1.1587-0.594-1.848-0.594zm17.994 1.936v7.238h-2.882v-6.666c0-0.7333-0.22-1.32-0.66-1.76-0.4254-0.4547-0.99-0.682-1.694-0.682-0.6894 0-1.2614 0.22-1.716 0.66-0.44 0.44-0.66 1.034-0.66 1.782v6.666h-2.882v-11.374h2.882v0.968c0.396-0.4107 0.858-0.72601 1.386-0.94601 0.5426-0.22 1.122-0.32999 1.738-0.32999 0.3373 0 0.6526 0.0293 0.946 0.088 0.308 0.0587 0.6013 0.1467 0.88 0.264 0.2786 0.1027 0.5353 0.2347 0.77 0.396 0.2346 0.1613 0.4473 0.3447 0.638 0.55 0.2053 0.1907 0.3813 0.4107 0.528 0.66 0.1613 0.2347 0.2933 0.484 0.396 0.748 0.1026 0.264 0.1833 0.5427 0.242 0.836 0.0586 0.2933 0.088 0.594 0.088 0.902zm4.4524 1.54c0 0.9533 0.33 1.7673 0.99 2.442 0.6747 0.6747 1.474 1.012 2.398 1.012 0.6013 0 1.144-0.132 1.628-0.396 0.4987-0.264 0.9093-0.6233 1.232-1.078l2.046 1.496c-0.572 0.748-1.2613 1.3567-2.068 1.826-0.792 0.4547-1.738 0.682-2.838 0.682-0.396 0-0.7773-0.0367-1.144-0.11-0.3667-0.0587-0.726-0.1467-1.078-0.264-0.3373-0.1173-0.66-0.264-0.968-0.44s-0.6013-0.374-0.88-0.594c-0.264-0.22-0.5133-0.462-0.748-0.726-0.22-0.264-0.418-0.5427-0.594-0.836s-0.33-0.6013-0.462-0.924c-0.1173-0.3227-0.2127-0.66-0.286-1.012-0.0587-0.352-0.088-0.7113-0.088-1.078s0.0293-0.726 0.088-1.078c0.0733-0.352 0.1687-0.6893 0.286-1.012 0.132-0.3227 0.286-0.6307 0.462-0.924s0.374-0.5647 0.594-0.814c0.2347-0.264 0.484-0.506 0.748-0.726 0.2787-0.22 0.572-0.418 0.88-0.594s0.6307-0.32271 0.968-0.44001c0.352-0.1173 0.7113-0.20529 1.078-0.26399 0.3667-0.0733 0.748-0.11 1.144-0.11 1.1 0 2.046 0.23469 2.838 0.70399 0.8067 0.4547 1.496 1.056 2.068 1.804l-2.046 1.496c-0.3227-0.4547-0.7333-0.814-1.232-1.078-0.484-0.264-1.0267-0.396-1.628-0.396-0.924 0-1.7233 0.3373-2.398 1.012-0.66 0.66-0.99 1.4667-0.99 2.42zm8.6556 0c0-0.352 0.0294-0.6967 0.088-1.034 0.0587-0.3373 0.1467-0.6673 0.264-0.99 0.1174-0.3227 0.2567-0.6307 0.418-0.924 0.176-0.2933 0.3667-0.572 0.572-0.836 0.22-0.264 0.4547-0.506 0.704-0.726 0.264-0.22 0.5354-0.418 0.814-0.594 0.2934-0.176 0.6014-0.3227 0.924-0.44 0.3374-0.132 0.682-0.2273 1.034-0.286 0.352-0.0733 0.7114-0.11 1.078-0.11 0.4254 0 0.836 0.0367 1.232 0.11s0.77 0.1833 1.122 0.33 0.682 0.33 0.99 0.55c0.308 0.2053 0.5867 0.4473 0.836 0.726 0.264 0.264 0.4987 0.5573 0.704 0.88 0.2054 0.3227 0.374 0.6673 0.506 1.034 0.1467 0.3667 0.2567 0.7553 0.33 1.166 0.0734 0.4107 0.11 0.836 0.11 1.276v0.836h-8.778c0.1907 0.7333 0.572 1.342 1.144 1.826s1.254 0.726 2.046 0.726c0.6014 0 1.144-0.11 1.628-0.33 0.4987-0.2347 0.9534-0.6233 1.364-1.166l2.002 1.496c-0.572 0.7773-1.2833 1.386-2.134 1.826-0.836 0.4253-1.782 0.638-2.838 0.638-0.3813 0-0.7553-0.0293-1.122-0.088-0.3666-0.0587-0.7186-0.1467-1.056-0.264-0.3373-0.1173-0.66-0.2567-0.968-0.418-0.308-0.176-0.594-0.3667-0.858-0.572-0.264-0.22-0.5133-0.4547-0.748-0.704-0.22-0.264-0.418-0.5427-0.594-0.836s-0.3226-0.6013-0.44-0.924c-0.1173-0.3373-0.2126-0.6893-0.286-1.056-0.0586-0.3667-0.088-0.7407-0.088-1.122zm5.83-3.476c-0.6746 0-1.2686 0.2053-1.782 0.616-0.5133 0.396-0.8653 0.9387-1.056 1.628h5.83c-0.2053-0.704-0.5866-1.254-1.144-1.65-0.5426-0.396-1.1586-0.594-1.848-0.594z"
+                fill="#000"
+              />
+            </svg>
+          </NextLink>
+        }
+        username={userItems ? username : undefined}
+        usernameSubtitle={userItems ? usernameSubtitle : undefined}
+        userItems={userItems}
+        onUserItemSelect={(item) => {
+          if (item.info === LOGIN_ITEM) {
+            setIsModalOpen(true);
+          } else if (item.info === LOGOUT_ITEM) {
+            void logout('manual');
+          }
+        }}
+      />
+      {isRbacEnabled && (
+        <AuthTokenModal
+          isOpen={isModalOpen}
+          onClose={() => setIsModalOpen(false)}
+          onSubmit={saveToken}
+        />
+      )}
+    </>
   );
 }
diff --git a/src/components/auth-token-modal/auth-token-modal.tsx b/src/components/auth-token-modal/auth-token-modal.tsx
new file mode 100644
index 000000000..de3e65519
--- /dev/null
+++ b/src/components/auth-token-modal/auth-token-modal.tsx
@@ -0,0 +1,85 @@
+'use client';
+import React, { useState } from 'react';
+
+import { FormControl } from 'baseui/form-control';
+import {
+  Modal,
+  ModalBody,
+  ModalButton,
+  ModalFooter,
+  ModalHeader,
+} from 'baseui/modal';
+import { Textarea } from 'baseui/textarea';
+
+type Props = {
+  isOpen: boolean;
+  onClose: () => void;
+  onSubmit: (token: string) => Promise<void> | void;
+};
+
+export default function AuthTokenModal({ isOpen, onClose, onSubmit }: Props) {
+  const [token, setToken] = useState('');
+  const [isSubmitting, setIsSubmitting] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  const handleSubmit = async () => {
+    if (!token.trim()) {
+      setError('Please paste a JWT token first');
+      return;
+    }
+
+    setIsSubmitting(true);
+    setError(null);
+    try {
+      await onSubmit(token.trim());
+      setToken('');
+    } catch (e) {
+      setError(
+        e instanceof Error ? e.message : 'Failed to save authentication token'
+      );
+    } finally {
+      setIsSubmitting(false);
+    }
+  };
+
+  return (
+    <Modal
+      size="default"
+      onClose={onClose}
+      isOpen={isOpen}
+      closeable={!isSubmitting}
+      autoFocus
+    >
+      <ModalHeader>Authenticate with JWT</ModalHeader>
+      <ModalBody>
+        <FormControl
+          label="Cadence JWT"
+          caption="Paste a Cadence-compatible JWT issued by your identity provider."
+          error={error || null}
+        >
+          <Textarea
+            value={token}
+            onChange={(event) =>
+              setToken((event?.target as HTMLTextAreaElement)?.value || '')
+            }
+            clearOnEscape
+            disabled={isSubmitting}
+            rows={6}
+          />
+        </FormControl>
+      </ModalBody>
+      <ModalFooter>
+        <ModalButton kind="tertiary" onClick={onClose} disabled={isSubmitting}>
+          Cancel
+        </ModalButton>
+        <ModalButton
+          onClick={handleSubmit}
+          isLoading={isSubmitting}
+          data-testid="auth-token-submit"
+        >
+          Save token
+        </ModalButton>
+      </ModalFooter>
+    </Modal>
+  );
+}
diff --git a/src/components/snackbar-provider/snackbar-provider.tsx b/src/components/snackbar-provider/snackbar-provider.tsx
index 7119a11d5..80ca8a578 100644
--- a/src/components/snackbar-provider/snackbar-provider.tsx
+++ b/src/components/snackbar-provider/snackbar-provider.tsx
@@ -13,7 +13,7 @@ export default function SnackbarProvider({ children }: Props) {
     <BaseSnackbarProvider
       placement={PLACEMENT.bottom}
       overrides={overrides.snackbar}
-      defaultDuration={DURATION.infinite}
+      defaultDuration={DURATION.medium}
     >
       {children}
     </BaseSnackbarProvider>
diff --git a/src/config/dynamic/dynamic.config.ts b/src/config/dynamic/dynamic.config.ts
index 1c1134cdf..05dff2584 100644
--- a/src/config/dynamic/dynamic.config.ts
+++ b/src/config/dynamic/dynamic.config.ts
@@ -27,6 +27,7 @@ import workflowDiagnosticsEnabled from './resolvers/workflow-diagnostics-enabled
 const dynamicConfigs: {
   CADENCE_WEB_PORT: ConfigEnvDefinition;
   ADMIN_SECURITY_TOKEN: ConfigEnvDefinition;
+  CADENCE_WEB_RBAC_ENABLED: ConfigEnvDefinition;
   CLUSTERS: ConfigSyncResolverDefinition<
     undefined,
     ClustersConfigs,
@@ -90,6 +91,10 @@ const dynamicConfigs: {
     env: 'CADENCE_ADMIN_SECURITY_TOKEN',
     default: '',
   },
+  CADENCE_WEB_RBAC_ENABLED: {
+    env: 'CADENCE_WEB_RBAC_ENABLED',
+    default: 'false',
+  },
   CLUSTERS: {
     resolver: clusters,
     evaluateOn: 'serverStart',
diff --git a/src/hooks/use-domain-access/use-domain-access.ts b/src/hooks/use-domain-access/use-domain-access.ts
new file mode 100644
index 000000000..7c3b649b4
--- /dev/null
+++ b/src/hooks/use-domain-access/use-domain-access.ts
@@ -0,0 +1,59 @@
+'use client';
+import { useMemo } from 'react';
+
+import { useQuery } from '@tanstack/react-query';
+
+import { getDomainAccessForUser } from '@/utils/auth/auth-shared';
+import getDomainDescriptionQueryOptions from '@/views/shared/hooks/use-domain-description/get-domain-description-query-options';
+import { type UseDomainDescriptionParams } from '@/views/shared/hooks/use-domain-description/use-domain-description.types';
+
+import useUserInfo from '../use-user-info/use-user-info';
+
+export default function useDomainAccess(params: UseDomainDescriptionParams) {
+  const userInfoQuery = useUserInfo();
+  const isRbacEnabled = userInfoQuery.data?.rbacEnabled === true;
+
+  const domainQuery = useQuery({
+    ...getDomainDescriptionQueryOptions(params),
+    enabled: isRbacEnabled,
+  });
+
+  const access = useMemo(() => {
+    if (userInfoQuery.isError) {
+      return { canRead: false, canWrite: false };
+    }
+
+    if (!userInfoQuery.data) {
+      return undefined;
+    }
+
+    if (!userInfoQuery.data.rbacEnabled) {
+      return { canRead: true, canWrite: true };
+    }
+
+    if (domainQuery.data) {
+      return getDomainAccessForUser(domainQuery.data, userInfoQuery.data);
+    }
+
+    if (domainQuery.isError) {
+      return { canRead: false, canWrite: false };
+    }
+
+    return undefined;
+  }, [
+    domainQuery.data,
+    domainQuery.isError,
+    userInfoQuery.data,
+    userInfoQuery.isError,
+  ]);
+
+  const isLoading =
+    userInfoQuery.isLoading || (isRbacEnabled && domainQuery.isLoading);
+
+  return {
+    access,
+    isLoading,
+    isError: userInfoQuery.isError || domainQuery.isError,
+    userInfoQuery,
+  };
+}
diff --git a/src/hooks/use-user-info/use-user-info.ts b/src/hooks/use-user-info/use-user-info.ts
new file mode 100644
index 000000000..54d65e994
--- /dev/null
+++ b/src/hooks/use-user-info/use-user-info.ts
@@ -0,0 +1,17 @@
+'use client';
+import { useQuery } from '@tanstack/react-query';
+
+import { type PublicAuthContext } from '@/utils/auth/auth-shared';
+import request from '@/utils/request';
+import { type RequestError } from '@/utils/request/request-error';
+
+export default function useUserInfo() {
+  return useQuery<PublicAuthContext, RequestError>({
+    queryKey: ['auth', 'me'],
+    queryFn: async () => {
+      const res = await request('/api/auth/me', { method: 'GET' });
+      return res.json();
+    },
+    staleTime: 30_000,
+  });
+}
diff --git a/src/route-handlers/start-workflow/__tests__/start-workflow.node.ts b/src/route-handlers/start-workflow/__tests__/start-workflow.node.ts
index 3d7a6b306..50e40e234 100644
--- a/src/route-handlers/start-workflow/__tests__/start-workflow.node.ts
+++ b/src/route-handlers/start-workflow/__tests__/start-workflow.node.ts
@@ -308,6 +308,9 @@ async function setup({
     },
     userInfo: {
       id: 'test-user-id',
+      rbacEnabled: false,
+      isAdmin: true,
+      groups: [],
     },
   };
 
diff --git a/src/utils/auth/__tests__/auth-context.test.ts b/src/utils/auth/__tests__/auth-context.test.ts
new file mode 100644
index 000000000..ad49dd5eb
--- /dev/null
+++ b/src/utils/auth/__tests__/auth-context.test.ts
@@ -0,0 +1,515 @@
+import { type Domain } from '@/__generated__/proto-ts/uber/cadence/api/v1/Domain';
+import {
+  CADENCE_AUTH_COOKIE_NAME,
+  decodeCadenceJwtClaims,
+  getDomainAccessForUser,
+  getPublicAuthContext,
+  getGrpcMetadataFromAuth,
+  resolveAuthContext,
+} from '@/utils/auth/auth-context';
+import getConfigValue from '@/utils/config/get-config-value';
+
+jest.mock('@/utils/config/get-config-value');
+
+const mockGetConfigValue = getConfigValue as jest.MockedFunction<
+  typeof getConfigValue
+>;
+
+const buildToken = (claims: Record<string, unknown>) => {
+  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
+  return ['header', payload, 'signature'].join('.');
+};
+
+const buildTokenWithNonJsonPayload = (payloadText: string) => {
+  const payload = Buffer.from(payloadText).toString('base64url');
+  return ['header', payload, 'signature'].join('.');
+};
+
+describe('auth-context utilities', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  describe(resolveAuthContext.name, () => {
+    it('returns unauthenticated context when RBAC is disabled', async () => {
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'false';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: () => undefined,
+      });
+
+      expect(authContext).toMatchObject({
+        rbacEnabled: false,
+        isAdmin: false,
+        token: undefined,
+        groups: [],
+      });
+    });
+
+    it('prefers cookie token when RBAC is enabled', async () => {
+      const token = buildToken({
+        name: 'cookie-user',
+        groups: ['worker'],
+        Admin: true,
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext).toMatchObject({
+        rbacEnabled: true,
+        isAdmin: true,
+        token,
+        groups: ['worker'],
+        userName: 'cookie-user',
+      });
+    });
+
+    it('returns unauthenticated context when cookie is missing', async () => {
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: () => undefined,
+      });
+
+      expect(authContext).toMatchObject({
+        rbacEnabled: true,
+        token: undefined,
+      });
+    });
+
+    it('treats undecodable tokens as unauthenticated', async () => {
+      const token = buildTokenWithNonJsonPayload('not-json');
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext).toMatchObject({
+        rbacEnabled: true,
+        token: undefined,
+        groups: [],
+        isAdmin: false,
+        userName: undefined,
+      });
+    });
+
+    it('treats expired tokens as unauthenticated', async () => {
+      const nowMs = 1_700_000_000_000;
+      const dateNowSpy = jest.spyOn(Date, 'now').mockReturnValue(nowMs);
+
+      const token = buildToken({
+        sub: 'expired-user',
+        groups: ['worker'],
+        Admin: true,
+        exp: Math.floor(nowMs / 1000) - 10,
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext).toMatchObject({
+        rbacEnabled: true,
+        token: undefined,
+        isAdmin: false,
+        groups: [],
+        userName: undefined,
+        expiresAtMs: undefined,
+      });
+
+      dateNowSpy.mockRestore();
+    });
+
+    it('exposes expiresAtMs for valid tokens', async () => {
+      const nowMs = 1_700_000_000_000;
+      const dateNowSpy = jest.spyOn(Date, 'now').mockReturnValue(nowMs);
+      const expSeconds = Math.floor(nowMs / 1000) + 60;
+
+      const token = buildToken({
+        sub: 'exp-user',
+        exp: expSeconds,
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext.expiresAtMs).toBe(expSeconds * 1000);
+
+      dateNowSpy.mockRestore();
+    });
+
+    it('handles capitalized Groups claim with comma-separated string', async () => {
+      const token = buildToken({
+        sub: 'reader',
+        Groups: 'readers, auditors',
+        Admin: false,
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext.groups).toEqual(['readers', 'auditors']);
+      expect(authContext.isAdmin).toBe(false);
+    });
+
+    it('handles capitalized Groups claim with space-separated string', async () => {
+      const token = buildToken({
+        sub: 'reader',
+        Groups: 'readers auditors',
+        Admin: false,
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'true';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext.groups).toEqual(['readers', 'auditors']);
+      expect(authContext.isAdmin).toBe(false);
+    });
+
+    it('still forwards cookie token when RBAC is disabled', async () => {
+      const token = buildToken({
+        sub: 'legacy-admin',
+        Admin: true,
+      });
+      mockGetConfigValue.mockImplementation(async (key: string) => {
+        if (key === 'CADENCE_WEB_RBAC_ENABLED') return 'false';
+        return '';
+      });
+
+      const authContext = await resolveAuthContext({
+        get: (name: string) =>
+          name === CADENCE_AUTH_COOKIE_NAME ? { value: token } : undefined,
+      });
+
+      expect(authContext.token).toBe(token);
+      expect(authContext.isAdmin).toBe(true);
+    });
+  });
+
+  describe(decodeCadenceJwtClaims.name, () => {
+    it('returns undefined for invalid tokens', () => {
+      expect(decodeCadenceJwtClaims('invalid.token')).toBeUndefined();
+    });
+
+    it('decodes valid payloads', () => {
+      const claims = { name: 'ben', groups: ['payer'], Admin: true };
+      const token = buildToken(claims);
+
+      expect(decodeCadenceJwtClaims(token)).toMatchObject(claims);
+    });
+  });
+
+  describe(getDomainAccessForUser.name, () => {
+    const baseDomain: Domain = {
+      id: 'id',
+      name: 'test',
+      status: 'DOMAIN_STATUS_REGISTERED',
+      description: '',
+      ownerEmail: '',
+      data: {},
+      workflowExecutionRetentionPeriod: null,
+      badBinaries: null,
+      historyArchivalStatus: 'ARCHIVAL_STATUS_DISABLED',
+      historyArchivalUri: '',
+      visibilityArchivalStatus: 'ARCHIVAL_STATUS_DISABLED',
+      visibilityArchivalUri: '',
+      activeClusterName: '',
+      clusters: [],
+      failoverVersion: '0',
+      isGlobalDomain: false,
+      failoverInfo: null,
+      isolationGroups: null,
+      asyncWorkflowConfig: null,
+      activeClusters: null,
+    };
+
+    it('allows open domains when RBAC is disabled', () => {
+      const access = getDomainAccessForUser(baseDomain, {
+        rbacEnabled: false,
+        isAdmin: false,
+        groups: [],
+        token: 'abc',
+      });
+
+      expect(access).toEqual({ canRead: true, canWrite: true });
+    });
+
+    it('allows admin users', () => {
+      const access = getDomainAccessForUser(
+        { ...baseDomain, data: { READ_GROUPS: '["worker"]' } },
+        {
+          rbacEnabled: true,
+          isAdmin: true,
+          groups: [],
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: true });
+    });
+
+    it('respects read/write groups', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            READ_GROUPS: '["reader"]',
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: ['reader'],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: false });
+    });
+
+    it('requires group membership for restricted domains even when RBAC is disabled', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            READ_GROUPS: '["reader"]',
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: false,
+          isAdmin: false,
+          groups: [],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: true });
+    });
+
+    it('grants write access when write group matches', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            READ_GROUPS: '["reader"]',
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: ['writer'],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: true });
+    });
+
+    it('requires write group when only WRITE_GROUPS are defined', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: [],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: false, canWrite: false });
+    });
+
+    it('allows write group to read/write when only WRITE_GROUPS are defined', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: ['writer'],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: true });
+    });
+
+    it('treats read-only groups as viewers when no write groups are set', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            READ_GROUPS: '["viewer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: ['viewer'],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: false });
+    });
+
+    it('supports PublicAuthContext for authenticated users', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            READ_GROUPS: '["reader"]',
+            WRITE_GROUPS: '["writer"]',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: ['writer'],
+          isAuthenticated: true,
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: true });
+    });
+
+    it('parses space-separated groups in domain metadata', () => {
+      const access = getDomainAccessForUser(
+        {
+          ...baseDomain,
+          data: {
+            READ_GROUPS: 'reader viewer',
+            WRITE_GROUPS: 'writer',
+          },
+        },
+        {
+          rbacEnabled: true,
+          isAdmin: false,
+          groups: ['writer'],
+          token: 'abc',
+        }
+      );
+
+      expect(access).toEqual({ canRead: true, canWrite: true });
+    });
+
+    it('denies unauthenticated users even for open domains', () => {
+      const access = getDomainAccessForUser(baseDomain, {
+        rbacEnabled: true,
+        isAdmin: false,
+        groups: [],
+        token: undefined,
+      });
+
+      expect(access).toEqual({ canRead: false, canWrite: false });
+    });
+
+    it('denies open domains when RBAC is enabled and not authenticated', () => {
+      const access = getDomainAccessForUser(baseDomain, {
+        rbacEnabled: true,
+        isAdmin: false,
+        groups: [],
+        token: undefined,
+      });
+
+      expect(access).toEqual({ canRead: false, canWrite: false });
+    });
+  });
+
+  describe(getPublicAuthContext.name, () => {
+    it('omits private fields but preserves flags', () => {
+      const authContext = {
+        rbacEnabled: true,
+        token: 'secret',
+        groups: ['worker'],
+        isAdmin: true,
+        userName: 'worker',
+        id: 'worker',
+      };
+
+      expect(getPublicAuthContext(authContext)).toEqual({
+        rbacEnabled: true,
+        groups: ['worker'],
+        isAdmin: true,
+        userName: 'worker',
+        id: 'worker',
+        isAuthenticated: true,
+      });
+    });
+  });
+
+  describe(getGrpcMetadataFromAuth.name, () => {
+    it('returns metadata when token is present', () => {
+      expect(
+        getGrpcMetadataFromAuth({
+          token: 'abc',
+          groups: [],
+          isAdmin: false,
+          rbacEnabled: true,
+        })
+      ).toEqual({ 'cadence-authorization': 'abc' });
+    });
+
+    it('returns undefined when token is missing', () => {
+      expect(
+        getGrpcMetadataFromAuth({
+          rbacEnabled: true,
+          groups: [],
+          isAdmin: false,
+        })
+      ).toBeUndefined();
+    });
+  });
+});
diff --git a/src/utils/auth/auth-context.ts b/src/utils/auth/auth-context.ts
new file mode 100644
index 000000000..59f89d653
--- /dev/null
+++ b/src/utils/auth/auth-context.ts
@@ -0,0 +1,131 @@
+import 'server-only';
+
+import { cookies as getRequestCookies } from 'next/headers';
+
+import { type GRPCMetadata } from '@/utils/grpc/grpc-service';
+
+import getConfigValue from '../config/get-config-value';
+
+import {
+  splitGroupList,
+  type CadenceJwtClaims,
+  type PublicAuthContext,
+  type UserAuthContext,
+} from './auth-shared';
+
+export const CADENCE_AUTH_COOKIE_NAME = 'cadence-authorization';
+
+type CookieReader = {
+  get: (name: string) => { value: string } | undefined;
+};
+
+const parseBooleanFlag = (value: string) =>
+  value?.toLowerCase() === 'true' || value === '1';
+
+export function decodeCadenceJwtClaims(
+  token: string
+): CadenceJwtClaims | undefined {
+  const [, payload] = token.split('.');
+  if (!payload) {
+    return undefined;
+  }
+
+  try {
+    const normalizedPayload = payload.replace(/-/g, '+').replace(/_/g, '/');
+    const paddedPayload =
+      normalizedPayload + '='.repeat((4 - (normalizedPayload.length % 4)) % 4);
+    const decodedPayload = Buffer.from(paddedPayload, 'base64').toString(
+      'utf8'
+    );
+
+    return JSON.parse(decodedPayload) as CadenceJwtClaims;
+  } catch {
+    return undefined;
+  }
+}
+
+export async function resolveAuthContext(
+  cookieStore?: CookieReader
+): Promise<UserAuthContext> {
+  const rbacEnabled = parseBooleanFlag(
+    (await getConfigValue('CADENCE_WEB_RBAC_ENABLED')) ?? 'false'
+  );
+
+  const cookies = cookieStore ?? getRequestCookies();
+  const tokenFromCookie = cookies.get(CADENCE_AUTH_COOKIE_NAME)?.value?.trim();
+  const token = tokenFromCookie || undefined;
+
+  const claims = token ? decodeCadenceJwtClaims(token) : undefined;
+  const isInvalidToken = token !== undefined && claims === undefined;
+  const expiresAtMsRaw =
+    typeof claims?.exp === 'number' ? claims.exp * 1000 : undefined;
+  const isExpired =
+    expiresAtMsRaw !== undefined && Date.now() >= expiresAtMsRaw;
+  const shouldDropToken = isInvalidToken || isExpired;
+  const effectiveClaims = shouldDropToken ? undefined : claims;
+  const expiresAtMs = shouldDropToken ? undefined : expiresAtMsRaw;
+  const effectiveToken = shouldDropToken ? undefined : token;
+
+  const normalizeGroups = (): string[] => {
+    const raw = effectiveClaims?.groups ?? effectiveClaims?.Groups;
+    if (!raw) return [];
+    if (Array.isArray(raw)) {
+      return raw
+        .flatMap((g) => splitGroupList(typeof g === 'string' ? g : `${g}`))
+        .filter(Boolean);
+    }
+    if (typeof raw === 'string') {
+      return splitGroupList(raw);
+    }
+    return [];
+  };
+  const groups = normalizeGroups();
+  const userName =
+    (typeof effectiveClaims?.name === 'string' && effectiveClaims.name) ||
+    (typeof effectiveClaims?.sub === 'string' && effectiveClaims.sub) ||
+    undefined;
+  const isAdmin = effectiveClaims?.Admin === true;
+
+  return {
+    rbacEnabled,
+    token: effectiveToken,
+    groups,
+    isAdmin,
+    userName,
+    id: userName,
+    expiresAtMs,
+  };
+}
+
+export function getGrpcMetadataFromAuth(
+  authContext: UserAuthContext | null | undefined
+): GRPCMetadata | undefined {
+  if (!authContext?.token) {
+    return undefined;
+  }
+
+  return {
+    'cadence-authorization': authContext.token,
+  };
+}
+
+export const getPublicAuthContext = (
+  authContext: UserAuthContext
+): PublicAuthContext => ({
+  rbacEnabled: authContext.rbacEnabled,
+  groups: authContext.groups,
+  isAdmin: authContext.isAdmin,
+  userName: authContext.userName,
+  id: authContext.id,
+  ...(typeof authContext.expiresAtMs === 'number'
+    ? { expiresAtMs: authContext.expiresAtMs }
+    : {}),
+  isAuthenticated: Boolean(authContext.token),
+});
+
+export { getDomainAccessForUser } from './auth-shared';
+export type {
+  CadenceJwtClaims,
+  PublicAuthContext,
+  UserAuthContext,
+} from './auth-shared';
diff --git a/src/utils/auth/auth-shared.ts b/src/utils/auth/auth-shared.ts
new file mode 100644
index 000000000..114425fcf
--- /dev/null
+++ b/src/utils/auth/auth-shared.ts
@@ -0,0 +1,117 @@
+import { type Domain } from '@/__generated__/proto-ts/uber/cadence/api/v1/Domain';
+
+export type CadenceJwtClaims = {
+  Admin?: boolean;
+  exp?: number;
+  groups?: unknown;
+  name?: string;
+  sub?: string;
+  [key: string]: unknown;
+};
+
+type BaseAuthContext = {
+  rbacEnabled: boolean;
+  groups: string[];
+  isAdmin: boolean;
+  userName?: string;
+  id?: string;
+  expiresAtMs?: number;
+};
+
+export type PublicAuthContext = BaseAuthContext & {
+  isAuthenticated: boolean;
+};
+
+export type UserAuthContext = BaseAuthContext & {
+  token?: string;
+};
+
+export const splitGroupList = (raw: string) =>
+  raw
+    .split(/[,\s]+/g)
+    .map((g) => g.trim())
+    .filter((g) => g.length > 0);
+
+const parseGroups = (rawValue?: string) => {
+  if (!rawValue) return [] as string[];
+  try {
+    const parsed = JSON.parse(rawValue);
+    if (Array.isArray(parsed)) {
+      return parsed
+        .flatMap((item) => splitGroupList(`${item}`.trim()))
+        .filter((item) => item.length > 0);
+    }
+  } catch {
+    // fall through to comma split
+  }
+  return splitGroupList(rawValue);
+};
+
+const getDomainDataValue = (domain: Domain, keys: string[]) => {
+  for (const key of keys) {
+    const value = domain.data?.[key];
+    if (typeof value === 'string' && value.trim().length > 0) {
+      return value;
+    }
+  }
+  return undefined;
+};
+
+export const getDomainAccessForUser = (
+  domain: Domain,
+  authContext: UserAuthContext | PublicAuthContext | null | undefined
+) => {
+  if (!authContext?.rbacEnabled) {
+    return {
+      canRead: true,
+      canWrite: true,
+    };
+  }
+
+  const isAuthenticated =
+    typeof (authContext as PublicAuthContext | undefined)?.isAuthenticated ===
+    'boolean'
+      ? (authContext as PublicAuthContext).isAuthenticated
+      : Boolean((authContext as UserAuthContext | undefined)?.token);
+
+  if (authContext?.isAdmin) {
+    return {
+      canRead: true,
+      canWrite: true,
+    };
+  }
+
+  if (!isAuthenticated) {
+    return {
+      canRead: false,
+      canWrite: false,
+    };
+  }
+
+  const readGroups = parseGroups(
+    getDomainDataValue(domain, ['READ_GROUPS', 'read_groups', 'readGroups'])
+  );
+  const writeGroups = parseGroups(
+    getDomainDataValue(domain, ['WRITE_GROUPS', 'write_groups', 'writeGroups'])
+  );
+
+  const userGroups = authContext?.groups ?? [];
+  if (readGroups.length === 0 && writeGroups.length === 0) {
+    return {
+      canRead: false,
+      canWrite: false,
+    };
+  }
+
+  const effectiveReadGroups = readGroups.length > 0 ? readGroups : writeGroups;
+  const hasWriteGroup = writeGroups.some((g) => userGroups.includes(g));
+  const hasReadGroup = effectiveReadGroups.some((g) => userGroups.includes(g));
+
+  const canRead = hasReadGroup || hasWriteGroup;
+  const canWrite = writeGroups.length > 0 ? hasWriteGroup : false;
+
+  return {
+    canRead,
+    canWrite,
+  };
+};
diff --git a/src/utils/config/__fixtures__/resolved-config-values.ts b/src/utils/config/__fixtures__/resolved-config-values.ts
index f002ad4b0..c19c2d920 100644
--- a/src/utils/config/__fixtures__/resolved-config-values.ts
+++ b/src/utils/config/__fixtures__/resolved-config-values.ts
@@ -3,6 +3,7 @@ import { type LoadedConfigResolvedValues } from '../config.types';
 const mockResolvedConfigValues: LoadedConfigResolvedValues = {
   ADMIN_SECURITY_TOKEN: 'mock-secret',
   CADENCE_WEB_PORT: '3000',
+  CADENCE_WEB_RBAC_ENABLED: 'false',
   CLUSTERS: [
     {
       clusterName: 'mock-cluster1',
diff --git a/src/utils/route-handlers-middleware/config/route-handlers-default-middlewares.config.ts b/src/utils/route-handlers-middleware/config/route-handlers-default-middlewares.config.ts
index d022b55a6..1ca530ddc 100644
--- a/src/utils/route-handlers-middleware/config/route-handlers-default-middlewares.config.ts
+++ b/src/utils/route-handlers-middleware/config/route-handlers-default-middlewares.config.ts
@@ -6,8 +6,8 @@ import { type UserInfoMiddlewareContext } from '../middlewares/user-info.types';
 import { type MiddlewareFunction } from '../route-handlers-middleware.types';
 
 const routeHandlersDefaultMiddlewares: [
-  MiddlewareFunction<['grpcClusterMethods', GRPCClusterMethods]>,
   MiddlewareFunction<['userInfo', UserInfoMiddlewareContext]>,
-] = [grpcClusterMethodsMiddleware, userInfoMiddleware];
+  MiddlewareFunction<['grpcClusterMethods', GRPCClusterMethods]>,
+] = [userInfoMiddleware, grpcClusterMethodsMiddleware];
 
 export default routeHandlersDefaultMiddlewares;
diff --git a/src/utils/route-handlers-middleware/middlewares/__tests__/user-info.test.ts b/src/utils/route-handlers-middleware/middlewares/__tests__/user-info.test.ts
new file mode 100644
index 000000000..c16624b44
--- /dev/null
+++ b/src/utils/route-handlers-middleware/middlewares/__tests__/user-info.test.ts
@@ -0,0 +1,94 @@
+import {
+  getGrpcMetadataFromAuth,
+  resolveAuthContext,
+} from '@/utils/auth/auth-context';
+
+import userInfoMiddleware from '../user-info';
+
+jest.mock('@/utils/auth/auth-context', () => ({
+  resolveAuthContext: jest.fn(),
+  getGrpcMetadataFromAuth: jest.fn(),
+}));
+
+const mockRequest = {
+  cookies: {
+    get: jest.fn(),
+  },
+} as any;
+
+describe('user-info middleware', () => {
+  beforeEach(() => {
+    jest.clearAllMocks();
+  });
+
+  it('returns auth context and sets grpc metadata when available', async () => {
+    const mockAuthContext = {
+      rbacEnabled: true,
+      token: 'abc',
+      isAdmin: false,
+      groups: [],
+    };
+    (resolveAuthContext as jest.Mock).mockResolvedValue(mockAuthContext);
+    (getGrpcMetadataFromAuth as jest.Mock).mockReturnValue({
+      'cadence-authorization': 'abc',
+    });
+
+    const ctx: Record<string, unknown> = {};
+    const result = await userInfoMiddleware(
+      mockRequest,
+      { params: {} } as any,
+      ctx
+    );
+
+    expect(result).toEqual(['userInfo', mockAuthContext]);
+    expect(ctx.grpcMetadata).toEqual({
+      'cadence-authorization': 'abc',
+    });
+  });
+
+  it('merges existing grpc metadata', async () => {
+    (resolveAuthContext as jest.Mock).mockResolvedValue({
+      rbacEnabled: true,
+      token: 'xyz',
+      isAdmin: false,
+      groups: [],
+    });
+    (getGrpcMetadataFromAuth as jest.Mock).mockReturnValue({
+      'cadence-authorization': 'xyz',
+    });
+
+    const ctx: Record<string, unknown> = { grpcMetadata: { existing: 'true' } };
+    await userInfoMiddleware(mockRequest, { params: {} } as any, ctx);
+
+    expect(ctx.grpcMetadata).toEqual({
+      existing: 'true',
+      'cadence-authorization': 'xyz',
+    });
+  });
+
+  it('skips grpc metadata when not provided', async () => {
+    (resolveAuthContext as jest.Mock).mockResolvedValue({
+      rbacEnabled: false,
+      isAdmin: false,
+      groups: [],
+    });
+    (getGrpcMetadataFromAuth as jest.Mock).mockReturnValue(undefined);
+
+    const ctx: Record<string, unknown> = {};
+    const result = await userInfoMiddleware(
+      mockRequest,
+      { params: {} } as any,
+      ctx
+    );
+
+    expect(result).toEqual([
+      'userInfo',
+      {
+        rbacEnabled: false,
+        isAdmin: false,
+        groups: [],
+      },
+    ]);
+    expect(ctx.grpcMetadata).toBeUndefined();
+  });
+});
diff --git a/src/utils/route-handlers-middleware/middlewares/user-info.ts b/src/utils/route-handlers-middleware/middlewares/user-info.ts
index 2fb3fe2b4..574582ae9 100644
--- a/src/utils/route-handlers-middleware/middlewares/user-info.ts
+++ b/src/utils/route-handlers-middleware/middlewares/user-info.ts
@@ -1,12 +1,30 @@
+import {
+  getGrpcMetadataFromAuth,
+  resolveAuthContext,
+} from '@/utils/auth/auth-context';
+
+import isObjectOfStringKeyValue from '../helpers/is-object-of-string-key-value';
 import { type MiddlewareFunction } from '../route-handlers-middleware.types';
 
 import { type UserInfoMiddlewareContext } from './user-info.types';
 
 const userInfo: MiddlewareFunction<
   ['userInfo', UserInfoMiddlewareContext]
-> = async () => {
-  // Placeholder for user info middleware, to be implemented after integrating auth
-  return ['userInfo', null];
+> = async (request, _options, ctx) => {
+  const authContext = await resolveAuthContext(request.cookies);
+
+  const authMetadata = getGrpcMetadataFromAuth(authContext);
+  if (authMetadata) {
+    const existingMetadata = isObjectOfStringKeyValue(ctx.grpcMetadata)
+      ? ctx.grpcMetadata
+      : {};
+    ctx.grpcMetadata = {
+      ...existingMetadata,
+      ...authMetadata,
+    };
+  }
+
+  return ['userInfo', authContext];
 };
 
 export default userInfo;
diff --git a/src/utils/route-handlers-middleware/middlewares/user-info.types.ts b/src/utils/route-handlers-middleware/middlewares/user-info.types.ts
index 97d2eac05..b698c31e0 100644
--- a/src/utils/route-handlers-middleware/middlewares/user-info.types.ts
+++ b/src/utils/route-handlers-middleware/middlewares/user-info.types.ts
@@ -1,3 +1,3 @@
-export type UserInfoMiddlewareContext = {
-  id: string;
-} | null;
+import { type UserAuthContext } from '@/utils/auth/auth-context';
+
+export type UserInfoMiddlewareContext = UserAuthContext;
diff --git a/src/views/domain-page/domain-page-start-workflow-button/__tests__/domain-page-start-workflow-button.test.tsx b/src/views/domain-page/domain-page-start-workflow-button/__tests__/domain-page-start-workflow-button.test.tsx
index 4228f9741..3f77b2eb2 100644
--- a/src/views/domain-page/domain-page-start-workflow-button/__tests__/domain-page-start-workflow-button.test.tsx
+++ b/src/views/domain-page/domain-page-start-workflow-button/__tests__/domain-page-start-workflow-button.test.tsx
@@ -200,6 +200,20 @@ function setup(
 
   const renderResult = render(<DomainPageStartWorkflowButton {...props} />, {
     endpointsMocks: [
+      {
+        path: '/api/auth/me',
+        httpMethod: 'GET',
+        httpResolver: async () =>
+          HttpResponse.json(
+            {
+              rbacEnabled: false,
+              isAuthenticated: false,
+              isAdmin: false,
+              groups: [],
+            },
+            { status: 200 }
+          ),
+      },
       {
         path: '/api/config',
         httpMethod: 'GET',
diff --git a/src/views/domain-page/domain-page-start-workflow-button/domain-page-start-workflow-button.tsx b/src/views/domain-page/domain-page-start-workflow-button/domain-page-start-workflow-button.tsx
index 0680dcae1..9673496ee 100644
--- a/src/views/domain-page/domain-page-start-workflow-button/domain-page-start-workflow-button.tsx
+++ b/src/views/domain-page/domain-page-start-workflow-button/domain-page-start-workflow-button.tsx
@@ -5,6 +5,7 @@ import { StatefulTooltip } from 'baseui/tooltip';
 
 import Button from '@/components/button/button';
 import useConfigValue from '@/hooks/use-config-value/use-config-value';
+import useDomainAccess from '@/hooks/use-domain-access/use-domain-access';
 import { startWorkflowActionConfig } from '@/views/workflow-actions/config/workflow-actions.config';
 import getActionDisabledReason from '@/views/workflow-actions/workflow-actions-menu/helpers/get-action-disabled-reason';
 import WorkflowActionsModal from '@/views/workflow-actions/workflow-actions-modal/workflow-actions-modal';
@@ -26,9 +27,16 @@ export default function DomainPageStartWorkflowButton({
     domain,
     cluster,
   });
+  const { access, isLoading: isAccessLoading } = useDomainAccess({
+    domain,
+    cluster,
+  });
 
   const disabledReason = getActionDisabledReason({
-    actionEnabledConfig: actionsEnabledConfig?.start,
+    actionEnabledConfig:
+      access?.canWrite === false
+        ? 'DISABLED_UNAUTHORIZED'
+        : actionsEnabledConfig?.start,
     actionRunnableStatus: 'RUNNABLE',
   });
 
@@ -48,7 +56,11 @@ export default function DomainPageStartWorkflowButton({
             size="compact"
             kind="secondary"
             loadingIndicatorType="skeleton"
-            isLoading={isActionsEnabledLoading || isActionsEnabledError}
+            isLoading={
+              isActionsEnabledLoading ||
+              isActionsEnabledError ||
+              isAccessLoading
+            }
             disabled={Boolean(disabledReason)}
             startEnhancer={<startWorkflowActionConfig.icon size={16} />}
             aria-label={disabledReason ?? undefined}
diff --git a/src/views/domain-workflows/__tests__/domain-workflows.test.tsx b/src/views/domain-workflows/__tests__/domain-workflows.test.tsx
index 55b21476a..e41eede09 100644
--- a/src/views/domain-workflows/__tests__/domain-workflows.test.tsx
+++ b/src/views/domain-workflows/__tests__/domain-workflows.test.tsx
@@ -30,28 +30,42 @@ describe('DomainWorkflows', () => {
     expect(await screen.findByText('Advanced Workflows')).toBeInTheDocument();
   });
 
-  it('should throw on error', async () => {
-    let renderErrorMessage;
-    try {
-      await act(async () => {
-        await setup({ error: true });
+  it('should fall back to basic workflows when cluster info fails', async () => {
+    await act(async () => {
+      await setup({ error: true });
+    });
+
+    expect(await screen.findByText('Basic Workflows')).toBeInTheDocument();
+  });
+
+  it('skips cluster fetch for non-admin token when RBAC is disabled', async () => {
+    await act(async () => {
+      await setup({
+        rbacEnabled: false,
+        isAuthenticated: true,
+        isAdmin: false,
+        skipClusterRequest: true,
       });
-    } catch (error) {
-      if (error instanceof Error) {
-        renderErrorMessage = error.message;
-      }
-    }
+    });
 
-    expect(renderErrorMessage).toEqual('Failed to fetch cluster info');
+    expect(await screen.findByText('Basic Workflows')).toBeInTheDocument();
   });
 });
 
 async function setup({
   isAdvancedVisibility = false,
   error,
+  rbacEnabled = false,
+  isAuthenticated = false,
+  isAdmin = false,
+  skipClusterRequest = false,
 }: {
   error?: boolean;
   isAdvancedVisibility?: boolean;
+  rbacEnabled?: boolean;
+  isAuthenticated?: boolean;
+  isAdmin?: boolean;
+  skipClusterRequest?: boolean;
 }) {
   const props: DomainPageTabContentProps = {
     domain: 'test-domain',
@@ -65,6 +79,17 @@ async function setup({
     {
       endpointsMocks: [
         {
+          path: '/api/auth/me',
+          httpMethod: 'GET',
+          mockOnce: false,
+          jsonResponse: {
+            rbacEnabled,
+            isAuthenticated,
+            isAdmin,
+            groups: [],
+          },
+        },
+        !skipClusterRequest && {
           path: '/api/clusters/test-cluster',
           httpMethod: 'GET',
           mockOnce: false,
@@ -95,7 +120,7 @@ async function setup({
                 } satisfies DescribeClusterResponse,
               }),
         },
-      ],
+      ].filter(Boolean) as any,
     }
   );
 }
diff --git a/src/views/domain-workflows/domain-workflows.tsx b/src/views/domain-workflows/domain-workflows.tsx
index 06b4ee95d..5e972e47b 100644
--- a/src/views/domain-workflows/domain-workflows.tsx
+++ b/src/views/domain-workflows/domain-workflows.tsx
@@ -1,8 +1,10 @@
+'use client';
 import React, { useMemo } from 'react';
 
-import { useSuspenseQuery } from '@tanstack/react-query';
+import { useQuery } from '@tanstack/react-query';
 import dynamic from 'next/dynamic';
 
+import useUserInfo from '@/hooks/use-user-info/use-user-info';
 import { type DescribeClusterResponse } from '@/route-handlers/describe-cluster/describe-cluster.types';
 import request from '@/utils/request';
 import { type DomainPageTabContentProps } from '@/views/domain-page/domain-page-content/domain-page-content.types';
@@ -18,15 +20,27 @@ const DomainWorkflowsAdvanced = dynamic(
 );
 
 export default function DomainWorkflows(props: DomainPageTabContentProps) {
-  const { data } = useSuspenseQuery<DescribeClusterResponse>({
+  const { data: authInfo } = useUserInfo();
+
+  const isAdmin = authInfo?.isAdmin === true;
+  const isRbacEnabled = authInfo?.rbacEnabled === true;
+  const isAuthenticated = authInfo?.isAuthenticated === true;
+
+  const shouldFetchClusterInfo =
+    Boolean(authInfo) && (isAdmin || (!isRbacEnabled && !isAuthenticated));
+
+  const { data: clusterInfo } = useQuery<DescribeClusterResponse>({
     queryKey: ['describeCluster', props],
     queryFn: () =>
       request(`/api/clusters/${props.cluster}`).then((res) => res.json()),
+    enabled: shouldFetchClusterInfo,
+    retry: false,
   });
 
   const isAdvancedVisibilityEnabled = useMemo(() => {
-    return isClusterAdvancedVisibilityEnabled(data);
-  }, [data]);
+    if (!clusterInfo) return false;
+    return isClusterAdvancedVisibilityEnabled(clusterInfo);
+  }, [clusterInfo]);
 
   const DomainWorkflowsComponent = isAdvancedVisibilityEnabled
     ? DomainWorkflowsAdvanced
diff --git a/src/views/domain-workflows/helpers/is-cluster-advanced-visibility-enabled.ts b/src/views/domain-workflows/helpers/is-cluster-advanced-visibility-enabled.ts
index 6f6b0d588..1e04ffaf4 100644
--- a/src/views/domain-workflows/helpers/is-cluster-advanced-visibility-enabled.ts
+++ b/src/views/domain-workflows/helpers/is-cluster-advanced-visibility-enabled.ts
@@ -1,8 +1,9 @@
 import type { DescribeClusterResponse } from '@/route-handlers/describe-cluster/describe-cluster.types';
 
 export default function isClusterAdvancedVisibilityEnabled(
-  cluster: DescribeClusterResponse
+  cluster?: DescribeClusterResponse
 ) {
+  if (!cluster) return false;
   const clusterVisibilityFeatures =
     cluster.persistenceInfo?.visibilityStore?.features || [];
 
diff --git a/src/views/domains-page/domains-page.tsx b/src/views/domains-page/domains-page.tsx
index 17f596624..73e8c4969 100644
--- a/src/views/domains-page/domains-page.tsx
+++ b/src/views/domains-page/domains-page.tsx
@@ -2,6 +2,7 @@ import React, { Suspense } from 'react';
 
 import AsyncPropsLoader from '@/components/async-props-loader/async-props-loader';
 import SectionLoadingIndicator from '@/components/section-loading-indicator/section-loading-indicator';
+import { resolveAuthContext } from '@/utils/auth/auth-context';
 
 import DomainsPageContextProvider from './domains-page-context-provider/domains-page-context-provider';
 import DomainsPageErrorBanner from './domains-page-error-banner/domains-page-error-banner';
@@ -12,6 +13,9 @@ import DomainsTable from './domains-table/domains-table';
 import { getCachedAllDomains } from './helpers/get-all-domains';
 
 export default async function DomainsPage() {
+  const authContext = await resolveAuthContext();
+  const loadDomains = () => getCachedAllDomains(authContext);
+
   return (
     <DomainsPageContextProvider>
       <DomainsPageTitle
@@ -20,7 +24,7 @@ export default async function DomainsPage() {
             <AsyncPropsLoader
               component={DomainsPageTitleBadge}
               getAsyncProps={async () => {
-                const res = await getCachedAllDomains();
+                const res = await loadDomains();
                 return { content: res.domains.length };
               }}
             />
@@ -32,7 +36,7 @@ export default async function DomainsPage() {
         <AsyncPropsLoader
           component={DomainsPageErrorBanner}
           getAsyncProps={async () => {
-            const res = await getCachedAllDomains();
+            const res = await loadDomains();
             return { failedClusters: res.failedClusters };
           }}
         />
@@ -41,7 +45,7 @@ export default async function DomainsPage() {
         <AsyncPropsLoader
           component={DomainsTable}
           getAsyncProps={async () => {
-            const res = await getCachedAllDomains();
+            const res = await loadDomains();
             return { domains: res.domains };
           }}
         />
diff --git a/src/views/domains-page/helpers/get-all-domains.ts b/src/views/domains-page/helpers/get-all-domains.ts
index ac8fd5a95..9f1c17812 100644
--- a/src/views/domains-page/helpers/get-all-domains.ts
+++ b/src/views/domains-page/helpers/get-all-domains.ts
@@ -4,6 +4,11 @@ import 'server-only';
 // eslint-disable-next-line import/named
 import { cache } from 'react';
 
+import {
+  getDomainAccessForUser,
+  getGrpcMetadataFromAuth,
+  type UserAuthContext,
+} from '@/utils/auth/auth-context';
 import getConfigValue from '@/utils/config/get-config-value';
 import * as grpcClient from '@/utils/grpc/grpc-client';
 import { GRPCError } from '@/utils/grpc/grpc-error';
@@ -14,11 +19,14 @@ import getUniqueDomains from './get-unique-domains';
 
 const MAX_DOMAINS_TO_FETCH = 2000;
 
-export const getAllDomains = async () => {
+export const getAllDomains = async (authContext: UserAuthContext) => {
   const CLUSTERS_CONFIGS = await getConfigValue('CLUSTERS');
   const results = await Promise.allSettled(
     CLUSTERS_CONFIGS.map(async ({ clusterName }) => {
-      const clusterMethods = await grpcClient.getClusterMethods(clusterName);
+      const clusterMethods = await grpcClient.getClusterMethods(
+        clusterName,
+        getGrpcMetadataFromAuth(authContext)
+      );
 
       return clusterMethods
         .listDomains({ pageSize: MAX_DOMAINS_TO_FETCH })
@@ -46,9 +54,14 @@ export const getAllDomains = async () => {
         );
     })
   );
+
+  const uniqueDomains = getUniqueDomains(
+    results.flatMap((res) => (res.status === 'fulfilled' ? res.value : []))
+  );
+
   return {
-    domains: getUniqueDomains(
-      results.flatMap((res) => (res.status === 'fulfilled' ? res.value : []))
+    domains: uniqueDomains.filter(
+      (domain) => getDomainAccessForUser(domain, authContext).canRead
     ),
     failedClusters: CLUSTERS_CONFIGS.map((config) => ({
       clusterName: config.clusterName,
diff --git a/src/views/redirect-domain/__tests__/redirect-domain.node.ts b/src/views/redirect-domain/__tests__/redirect-domain.node.ts
index 71768edb1..dd4a92c16 100644
--- a/src/views/redirect-domain/__tests__/redirect-domain.node.ts
+++ b/src/views/redirect-domain/__tests__/redirect-domain.node.ts
@@ -50,15 +50,20 @@ jest.mock('next/navigation', () => ({
   },
 }));
 
-jest.mock(
-  '@/views/domains-page/helpers/get-all-domains',
-  jest.fn(() => ({
-    getCachedAllDomains: jest.fn(() => ({
-      domains: MOCK_ALL_DOMAINS,
-      failedClusters: [],
-    })),
-  }))
-);
+jest.mock('@/utils/auth/auth-context', () => ({
+  resolveAuthContext: jest.fn(async () => ({
+    rbacEnabled: false,
+    isAdmin: false,
+    groups: [],
+  })),
+}));
+
+jest.mock('@/views/domains-page/helpers/get-all-domains', () => ({
+  getCachedAllDomains: jest.fn(async () => ({
+    domains: MOCK_ALL_DOMAINS,
+    failedClusters: [],
+  })),
+}));
 
 describe(RedirectDomain.name, () => {
   const tests: Array<{
diff --git a/src/views/redirect-domain/redirect-domain.tsx b/src/views/redirect-domain/redirect-domain.tsx
index 90601572b..c4d5344f1 100644
--- a/src/views/redirect-domain/redirect-domain.tsx
+++ b/src/views/redirect-domain/redirect-domain.tsx
@@ -1,6 +1,8 @@
 import { notFound, redirect } from 'next/navigation';
 import queryString from 'query-string';
 
+import { resolveAuthContext } from '@/utils/auth/auth-context';
+
 import { getCachedAllDomains } from '../domains-page/helpers/get-all-domains';
 
 import { type Props } from './redirect-domain.types';
@@ -13,7 +15,8 @@ export default async function RedirectDomain(props: Props) {
 
   const domain = decodeURIComponent(encodedDomain);
 
-  const { domains } = await getCachedAllDomains();
+  const authContext = await resolveAuthContext();
+  const { domains } = await getCachedAllDomains(authContext);
 
   const [domainDetails, ...restDomains] = domains.filter(
     (d) => d.name === domain
diff --git a/src/views/shared/hooks/use-domain-description/use-domain-description.ts b/src/views/shared/hooks/use-domain-description/use-domain-description.ts
new file mode 100644
index 000000000..3fca33c74
--- /dev/null
+++ b/src/views/shared/hooks/use-domain-description/use-domain-description.ts
@@ -0,0 +1,11 @@
+'use client';
+import { useQuery } from '@tanstack/react-query';
+
+import getDomainDescriptionQueryOptions from './get-domain-description-query-options';
+import { type UseDomainDescriptionParams } from './use-domain-description.types';
+
+export default function useDomainDescription(
+  params: UseDomainDescriptionParams
+) {
+  return useQuery(getDomainDescriptionQueryOptions(params));
+}
diff --git a/src/views/workflow-actions/__tests__/workflow-actions.test.tsx b/src/views/workflow-actions/__tests__/workflow-actions.test.tsx
index 165dbfc58..6788fa2e0 100644
--- a/src/views/workflow-actions/__tests__/workflow-actions.test.tsx
+++ b/src/views/workflow-actions/__tests__/workflow-actions.test.tsx
@@ -4,6 +4,7 @@ import { HttpResponse } from 'msw';
 
 import { render, screen, userEvent, waitFor } from '@/test-utils/rtl';
 
+import { mockDomainDescription } from '@/views/domain-page/__fixtures__/domain-description';
 import { mockDescribeWorkflowResponse } from '@/views/workflow-page/__fixtures__/describe-workflow-response';
 
 import { mockWorkflowDetailsParams } from '../../workflow-page/__fixtures__/workflow-details-params';
@@ -132,6 +133,26 @@ function setup({
           }
         },
       },
+      {
+        path: '/api/domains/:domain/:cluster',
+        httpMethod: 'GET',
+        httpResolver: () =>
+          HttpResponse.json(mockDomainDescription, { status: 200 }),
+      },
+      {
+        path: '/api/auth/me',
+        httpMethod: 'GET',
+        httpResolver: () =>
+          HttpResponse.json(
+            {
+              rbacEnabled: false,
+              isAuthenticated: false,
+              isAdmin: false,
+              groups: [],
+            },
+            { status: 200 }
+          ),
+      },
       {
         path: '/api/config',
         httpMethod: 'GET',
diff --git a/src/views/workflow-actions/workflow-actions-menu/__tests__/workflow-actions-menu.test.tsx b/src/views/workflow-actions/workflow-actions-menu/__tests__/workflow-actions-menu.test.tsx
index e9b6f52cb..f61335da0 100644
--- a/src/views/workflow-actions/workflow-actions-menu/__tests__/workflow-actions-menu.test.tsx
+++ b/src/views/workflow-actions/workflow-actions-menu/__tests__/workflow-actions-menu.test.tsx
@@ -129,12 +129,25 @@ describe(WorkflowActionsMenu.name, () => {
       expect.objectContaining({ id: 'cancel' })
     );
   });
+
+  it('disables actions when write access is blocked', () => {
+    setup({
+      actionsEnabledConfig: mockResolvedConfigValues.WORKFLOW_ACTIONS_ENABLED,
+      isWriteAuthorized: false,
+    });
+
+    const menuButtons = screen.getAllByRole('button');
+    expect(menuButtons[0]).toBeDisabled();
+    expect(menuButtons[1]).toBeDisabled();
+  });
 });
 
 function setup({
   actionsEnabledConfig,
+  isWriteAuthorized = true,
 }: {
   actionsEnabledConfig?: WorkflowActionsEnabledConfig;
+  isWriteAuthorized?: boolean;
 }) {
   const user = userEvent.setup();
   const mockOnActionSelect = jest.fn();
@@ -143,6 +156,7 @@ function setup({
     <WorkflowActionsMenu
       workflow={mockDescribeWorkflowResponse}
       {...(actionsEnabledConfig && { actionsEnabledConfig })}
+      isWriteAuthorized={isWriteAuthorized}
       onActionSelect={mockOnActionSelect}
     />
   );
diff --git a/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.tsx b/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.tsx
index 1d964e845..15850cf74 100644
--- a/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.tsx
+++ b/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.tsx
@@ -10,13 +10,16 @@ import { type Props } from './workflow-actions-menu.types';
 export default function WorkflowActionsMenu({
   workflow,
   actionsEnabledConfig,
+  isWriteAuthorized = true,
   onActionSelect,
 }: Props) {
   return (
     <styled.MenuItemsContainer>
       {workflowActionsConfig.map((action) => {
         const actionDisabledReason = getActionDisabledReason({
-          actionEnabledConfig: actionsEnabledConfig?.[action.id],
+          actionEnabledConfig: isWriteAuthorized
+            ? actionsEnabledConfig?.[action.id]
+            : 'DISABLED_UNAUTHORIZED',
           actionRunnableStatus: workflow
             ? action.getRunnableStatus(workflow)
             : undefined,
diff --git a/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.types.ts b/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.types.ts
index bebdaa33b..4dc8f41c7 100644
--- a/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.types.ts
+++ b/src/views/workflow-actions/workflow-actions-menu/workflow-actions-menu.types.ts
@@ -6,5 +6,6 @@ import { type WorkflowAction } from '../workflow-actions.types';
 export type Props = {
   workflow?: DescribeWorkflowResponse;
   actionsEnabledConfig?: WorkflowActionsEnabledConfig;
+  isWriteAuthorized?: boolean;
   onActionSelect: (action: WorkflowAction<any, any, any>) => void;
 };
diff --git a/src/views/workflow-actions/workflow-actions.tsx b/src/views/workflow-actions/workflow-actions.tsx
index c1b596075..774e31a52 100644
--- a/src/views/workflow-actions/workflow-actions.tsx
+++ b/src/views/workflow-actions/workflow-actions.tsx
@@ -11,6 +11,7 @@ import { MdArrowDropDown } from 'react-icons/md';
 
 import Button from '@/components/button/button';
 import useConfigValue from '@/hooks/use-config-value/use-config-value';
+import useDomainAccess from '@/hooks/use-domain-access/use-domain-access';
 import { useDescribeWorkflow } from '@/views/workflow-page/hooks/use-describe-workflow';
 import { type WorkflowPageParams } from '@/views/workflow-page/workflow-page.types';
 
@@ -42,6 +43,10 @@ export default function WorkflowActions() {
       domain: params.domain,
       cluster: params.cluster,
     });
+  const { access, isLoading: isAccessLoading } = useDomainAccess({
+    domain: params.domain,
+    cluster: params.cluster,
+  });
 
   const [selectedAction, setSelectedAction] = useState<
     WorkflowAction<any, any, any> | undefined
@@ -60,6 +65,7 @@ export default function WorkflowActions() {
           <WorkflowActionsMenu
             workflow={workflow}
             actionsEnabledConfig={actionsEnabledConfig}
+            isWriteAuthorized={access?.canWrite !== false}
             onActionSelect={(action) => {
               setSelectedAction(action);
               close();
@@ -74,7 +80,9 @@ export default function WorkflowActions() {
           kind="secondary"
           endEnhancer={<MdArrowDropDown size={20} />}
           loadingIndicatorType="skeleton"
-          isLoading={isWorkflowLoading || isActionsEnabledLoading}
+          isLoading={
+            isWorkflowLoading || isActionsEnabledLoading || isAccessLoading
+          }
         >
           Workflow Actions
         </Button>