Do I need a paid OpenAI key?

No. The embeddings run locally through sentence-transformers and the chat model runs through OpenRouter. A single OpenRouter key covers the whole course, and free-tier models work for every lesson.

Is this production-ready?

It is closer to production than a notebook but not a drop-in enterprise system. The JSON-file user store, opaque session tokens, and in-memory rate limiter are pedagogical choices. Module 8 walks through the upgrades: Postgres, JWT, audit logs, and per-role limits.

Why Gradio and not FastAPI?

Gradio gives us a working three-tab UI in under 200 lines so you can focus on the RBAC and retrieval pieces, not on building login forms. One of the stretch challenges migrates the same backend modules to FastAPI if you prefer that shape.

Can I run this without Docker?

Yes. The course uses uv, a pyproject.toml, and a Makefile. `make dev` runs locally without Docker. The Docker setup is there for anyone who wants to demo the app to a teammate in one command.

47% OFFYearly Pro

$30/mo$16/mobilled yearlyGet Pro

47% OFFYearly Pro$30/mo$16/mobilled yearlyGet Pro

47% OFFYearly Pro

$30/mo$16/mobilled yearlyGet Pro

47% OFFYearly Pro$30/mo$16/mobilled yearlyGet Pro

Premium course

Ship an RBAC-gated RAG chatbot your team can actually trust

Name: Build an RBAC-gated RAG chatbot
Price: 49 USD
Availability: InStock

Stop hand-waving about access control. Build a chatbot where finance queries cannot retrieve engineering docs, where sessions expire, where rate limits hold under load, and where admins manage users and documents from the same UI.

Enroll Preview curriculum

Still deciding? Ask first.

Message a mentor about fit, prerequisites, or where to start. Replies come on WhatsApp, usually within a day.

Curriculum fit, prerequisites, or where to start
Honest answer, no pressure to enroll

Engineers are learning here from

NVIDIAMICROSOFTGRABWISEPIPEDRIVEBOLTGLIA

Ship a role-gated RAG chatbot where finance, engineering, and admin users see only their own documents. Session auth, sliding-window rate limits, ChromaDB retrieval per role, OpenRouter generation, and a Gradio admin panel.

Role-gated RAG chatbot: per-role document walls, session auth, rate limits, and an admin panel.

What you'll ship

Real projects, not toy demos.

A Gradio app with three tabs: login, role-gated chat, and admin panel
Per-role ChromaDB collections so retrieval itself enforces the access wall
PBKDF2-hashed auth with session tokens, account lockout, and per-user salts
A sliding-window rate limiter that applies per-username across the whole app
Role-aware system prompts that shape the model response to the caller's persona
An admin flow that adds users, assigns roles, and uploads new documents without dropping the session

What you'll learn

You finish able to:

Model role-based access control at the retrieval layer so the vector store is the enforcement boundary, not the UI
Hash passwords correctly with PBKDF2, per-user salts, and account lockout after repeated failures
Issue and validate session tokens with auto-renewing expiry and graceful logout
Run a per-collection ChromaDB setup with local sentence-transformers embeddings so onboarding needs one API key, not two
Shape a role-aware system prompt that gives the model the persona it is answering as
Wire a Gradio multi-tab UI that shares state across login, chat, and admin without custom routing
Apply a sliding-window rate limiter per username across the whole app lifecycle
Call OpenRouter through a small provider abstraction so swapping to OpenAI or Anthropic is a one-line change

Curriculum

What's inside.

01
Why RBAC + RAG
The leak problem, where the access boundary really lives, and the pipeline you will build
2 lessons
02
Project tour and setup
Clone the repo, tour the files, and take the first role-gated query end to end
2 lessons
03
Authentication foundations
PBKDF2, per-user salts, session tokens with auto-renewing expiry, and account lockout
2 lessons
04
Role-gated vectors
One ChromaDB collection per role and local sentence-transformers embeddings
2 lessons
05
RAG chain with role filter
The retrieval-to-response loop with a role-aware prompt and OpenRouter generation
2 lessons
06
Rate limiting
A sliding-window limiter per username that holds under concurrent load
1 lesson
07
The admin panel
Create users, assign roles, upload documents — without a redeploy
2 lessons
08
Ship it and extend
Capstone checkpoint, the four upgrades that take this to production, and where to go next
2 lessons

Who it's for

Is this for you?

Python engineers shipping an internal chatbot

who need per-team document walls before legal signs off on the rollout

AI bootcamp grads past "hello RAG"

looking for the first project that feels like enterprise software instead of a notebook

Backend engineers new to RAG

comfortable with auth and rate limits but unsure how retrieval itself enforces access

FAQ

Common questions.

Do I need a paid OpenAI key?
No. The embeddings run locally through sentence-transformers and the chat model runs through OpenRouter. A single OpenRouter key covers the whole course, and free-tier models work for every lesson.
Is this production-ready?
It is closer to production than a notebook but not a drop-in enterprise system. The JSON-file user store, opaque session tokens, and in-memory rate limiter are pedagogical choices. Module 8 walks through the upgrades: Postgres, JWT, audit logs, and per-role limits.
Why Gradio and not FastAPI?
Gradio gives us a working three-tab UI in under 200 lines so you can focus on the RBAC and retrieval pieces, not on building login forms. One of the stretch challenges migrates the same backend modules to FastAPI if you prefer that shape.
Can I run this without Docker?
Yes. The course uses uv, a pyproject.toml, and a Makefile. `make dev` runs locally without Docker. The Docker setup is there for anyone who wants to demo the app to a teammate in one command.

Pricing

Unlock this course with Pro.

One subscription unlocks every paid course and workshop replay. Pick yearly or monthly.

Unlock with Pro

$30$16/mo

You save 47% with regional pricing

Billed annually. Cancel anytime.

This course plus every paid course
Workshop replays in your library
New releases the day they ship

Still deciding? Ask Param a question

The chatbot your team actually asks for is not another RAG demo.

Role-gated RAG chatbot: per-role document walls, session auth, rate limits, and an admin panel.

Enroll

Build an RBAC-gated RAG chatbot

From $16/mo with Pro

47% OFFYearly Pro

$30/mo$16/mobilled yearlyGet Pro

47% OFFYearly Pro$30/mo$16/mobilled yearlyGet Pro

47% OFFYearly Pro

$30/mo$16/mobilled yearlyGet Pro

47% OFFYearly Pro$30/mo$16/mobilled yearlyGet Pro

Premium course

Ship an RBAC-gated RAG chatbot your team can actually trust

Enroll Preview curriculum

Still deciding? Ask first.

Message a mentor about fit, prerequisites, or where to start. Replies come on WhatsApp, usually within a day.

Curriculum fit, prerequisites, or where to start
Honest answer, no pressure to enroll

Engineers are learning here from

NVIDIAMICROSOFTGRABWISEPIPEDRIVEBOLTGLIA

Role-gated RAG chatbot: per-role document walls, session auth, rate limits, and an admin panel.

What you'll ship

Real projects, not toy demos.

A Gradio app with three tabs: login, role-gated chat, and admin panel
Per-role ChromaDB collections so retrieval itself enforces the access wall
PBKDF2-hashed auth with session tokens, account lockout, and per-user salts
A sliding-window rate limiter that applies per-username across the whole app
Role-aware system prompts that shape the model response to the caller's persona
An admin flow that adds users, assigns roles, and uploads new documents without dropping the session

What you'll learn

You finish able to:

Model role-based access control at the retrieval layer so the vector store is the enforcement boundary, not the UI
Hash passwords correctly with PBKDF2, per-user salts, and account lockout after repeated failures
Issue and validate session tokens with auto-renewing expiry and graceful logout
Run a per-collection ChromaDB setup with local sentence-transformers embeddings so onboarding needs one API key, not two
Shape a role-aware system prompt that gives the model the persona it is answering as
Wire a Gradio multi-tab UI that shares state across login, chat, and admin without custom routing
Apply a sliding-window rate limiter per username across the whole app lifecycle
Call OpenRouter through a small provider abstraction so swapping to OpenAI or Anthropic is a one-line change

Curriculum

What's inside.

01
Why RBAC + RAG
The leak problem, where the access boundary really lives, and the pipeline you will build
2 lessons
02
Project tour and setup
Clone the repo, tour the files, and take the first role-gated query end to end
2 lessons
03
Authentication foundations
PBKDF2, per-user salts, session tokens with auto-renewing expiry, and account lockout
2 lessons
04
Role-gated vectors
One ChromaDB collection per role and local sentence-transformers embeddings
2 lessons
05
RAG chain with role filter
The retrieval-to-response loop with a role-aware prompt and OpenRouter generation
2 lessons
06
Rate limiting
A sliding-window limiter per username that holds under concurrent load
1 lesson
07
The admin panel
Create users, assign roles, upload documents — without a redeploy
2 lessons
08
Ship it and extend
Capstone checkpoint, the four upgrades that take this to production, and where to go next
2 lessons

Who it's for

Is this for you?

Python engineers shipping an internal chatbot

who need per-team document walls before legal signs off on the rollout

AI bootcamp grads past "hello RAG"

looking for the first project that feels like enterprise software instead of a notebook

Backend engineers new to RAG

comfortable with auth and rate limits but unsure how retrieval itself enforces access

FAQ

Common questions.

Do I need a paid OpenAI key?
No. The embeddings run locally through sentence-transformers and the chat model runs through OpenRouter. A single OpenRouter key covers the whole course, and free-tier models work for every lesson.
Is this production-ready?
It is closer to production than a notebook but not a drop-in enterprise system. The JSON-file user store, opaque session tokens, and in-memory rate limiter are pedagogical choices. Module 8 walks through the upgrades: Postgres, JWT, audit logs, and per-role limits.
Why Gradio and not FastAPI?
Gradio gives us a working three-tab UI in under 200 lines so you can focus on the RBAC and retrieval pieces, not on building login forms. One of the stretch challenges migrates the same backend modules to FastAPI if you prefer that shape.
Can I run this without Docker?
Yes. The course uses uv, a pyproject.toml, and a Makefile. `make dev` runs locally without Docker. The Docker setup is there for anyone who wants to demo the app to a teammate in one command.

Pricing

Unlock this course with Pro.

One subscription unlocks every paid course and workshop replay. Pick yearly or monthly.

Unlock with Pro

$30$16/mo

You save 47% with regional pricing

Billed annually. Cancel anytime.

This course plus every paid course
Workshop replays in your library
New releases the day they ship

Still deciding? Ask Param a question

The chatbot your team actually asks for is not another RAG demo.

Role-gated RAG chatbot: per-role document walls, session auth, rate limits, and an admin panel.

Enroll

Build an RBAC-gated RAG chatbot

From $16/mo with Pro