diff --git a/frontend/src/app/actor-builds-list.tsx b/frontend/src/app/actor-builds-list.tsx
index 88f32790c4..a97719f086 100644
--- a/frontend/src/app/actor-builds-list.tsx
+++ b/frontend/src/app/actor-builds-list.tsx
@@ -139,7 +139,7 @@ export function ActorBuildsList() {
 							onClick={() => {
 								// eslint-disable-next-line @typescript-eslint/no-explicit-any
 								return (navigate as any)({
-									to: features.multitenancy
+									to: features.platform
 										? "/orgs/$organization/projects/$project/ns/$namespace"
 										: "/ns/$namespace",
 									search: (old: Record<string, unknown>) => ({
diff --git a/frontend/src/app/context-switcher.tsx b/frontend/src/app/context-switcher.tsx
index 86182fddd7..289390cfa6 100644
--- a/frontend/src/app/context-switcher.tsx
+++ b/frontend/src/app/context-switcher.tsx
@@ -73,7 +73,7 @@ function ContextSwitcherInner({
 }) {
 	const [isOpen, setIsOpen] = useState(false);
 
-	if (features.multitenancy) {
+	if (features.platform) {
 		// biome-ignore lint/correctness/useHookAtTopLevel: guaranteed by build condition
 		usePrefetchInfiniteQuery({
 			// biome-ignore lint/correctness/useHookAtTopLevel: guaranteed by build condition
diff --git a/frontend/src/app/dialogs/create-namespace-frame.tsx b/frontend/src/app/dialogs/create-namespace-frame.tsx
index 15afaf18f0..82011c2c08 100644
--- a/frontend/src/app/dialogs/create-namespace-frame.tsx
+++ b/frontend/src/app/dialogs/create-namespace-frame.tsx
@@ -15,7 +15,7 @@ const useCreateNamespace = ({ project: projectProp }: { project?: string }) => {
 	const navigate = useNavigate();
 	const params = useParams({ strict: false });
 
-	if (features.multitenancy) {
+	if (features.platform) {
 		// biome-ignore lint/correctness/useHookAtTopLevel: guarded by build constant
 		const orgDataProvider = useCloudDataProvider();
 		const targetProject = projectProp ?? params.project!;
diff --git a/frontend/src/app/dialogs/create-project-frame.tsx b/frontend/src/app/dialogs/create-project-frame.tsx
index b333f14506..6e614d20de 100644
--- a/frontend/src/app/dialogs/create-project-frame.tsx
+++ b/frontend/src/app/dialogs/create-project-frame.tsx
@@ -8,7 +8,7 @@ import { authClient } from "@/lib/auth";
 import { features } from "@/lib/features";
 
 const useDefaultOrg = () => {
-	if (features.multitenancy) {
+	if (features.platform) {
 		// biome-ignore lint/correctness/useHookAtTopLevel: guarded by build constant
 		const org = authClient.useActiveOrganization();
 		return org.data?.id;
diff --git a/frontend/src/app/dialogs/provide-engine-credentials-frame.tsx b/frontend/src/app/dialogs/provide-engine-credentials-frame.tsx
index a6fd539cb6..f2155c8ca1 100644
--- a/frontend/src/app/dialogs/provide-engine-credentials-frame.tsx
+++ b/frontend/src/app/dialogs/provide-engine-credentials-frame.tsx
@@ -8,10 +8,13 @@ import {
 	ls,
 	toast,
 } from "@/components";
+import { features } from "@/lib/features";
 import { queryClient } from "@/queries/global";
 import { TEST_IDS } from "@/utils/test-ids";
 import { createClient } from "../data-providers/engine-data-provider";
 
+const isEnterprise = features.acl && !features.platform;
+
 interface ProvideEngineCredentialsDialogContentProps
 	extends DialogContentProps {}
 
@@ -64,11 +67,15 @@ export default function ProvideEngineCredentialsDialogContent({
 			}}
 		>
 			<Frame.Header>
-				<Frame.Title>Missing Rivet Engine credentials</Frame.Title>
+				<Frame.Title>
+					{isEnterprise
+						? "Sign in to Rivet Engine"
+						: "Missing Rivet Engine credentials"}
+				</Frame.Title>
 				<Frame.Description>
-					It looks like the instance of Rivet Engine that you're
-					connected to requires additional credentials, please provide
-					them below.
+					{isEnterprise
+						? "Paste the dashboard token issued to you by your Rivet administrator. See the Rivet Enterprise RBAC documentation for how dashboard tokens are minted."
+						: "It looks like the instance of Rivet Engine that you're connected to requires additional credentials, please provide them below."}
 				</Frame.Description>
 			</Frame.Header>
 			<Frame.Content>
diff --git a/frontend/src/app/dialogs/tokens-frame.tsx b/frontend/src/app/dialogs/tokens-frame.tsx
index ecd5ffdb75..7da70d97dc 100644
--- a/frontend/src/app/dialogs/tokens-frame.tsx
+++ b/frontend/src/app/dialogs/tokens-frame.tsx
@@ -77,7 +77,7 @@ function SecretToken() {
 
 	const namespace = dataProvider.engineNamespace;
 
-	const endpoint = features.multitenancy
+	const endpoint = features.platform
 		? regions.find((r) => r.name === selectedDatacenter)?.url || cloudEnv().VITE_APP_API_URL
 		: getConfig().apiUrl;
 
@@ -134,7 +134,7 @@ function PublishableToken() {
 
 	const namespace = dataProvider.engineNamespace;
 
-	const endpoint = features.multitenancy
+	const endpoint = features.platform
 		? cloudEnv().VITE_APP_API_URL
 		: getConfig().apiUrl;
 
diff --git a/frontend/src/app/env-variables.stories.tsx b/frontend/src/app/env-variables.stories.tsx
new file mode 100644
index 0000000000..f0fb1e0601
--- /dev/null
+++ b/frontend/src/app/env-variables.stories.tsx
@@ -0,0 +1,144 @@
+import type { Story } from "@ladle/react";
+import "../../.ladle/ladle.css";
+import { DiscreteInput, TooltipProvider } from "@/components";
+import { Label } from "@/components/ui/label";
+import { PublishableTokenNotice } from "./env-variables";
+
+function Frame({ children }: { children: React.ReactNode }) {
+	return (
+		<TooltipProvider>
+			<div className="bg-background min-h-screen p-12">
+				<div className="max-w-3xl space-y-10">{children}</div>
+			</div>
+		</TooltipProvider>
+	);
+}
+
+function Section({
+	title,
+	children,
+}: {
+	title: string;
+	children: React.ReactNode;
+}) {
+	return (
+		<div className="space-y-2">
+			<h3 className="text-sm font-medium text-muted-foreground">
+				{title}
+			</h3>
+			<div className="rounded-md border bg-card p-4">{children}</div>
+		</div>
+	);
+}
+
+const NS = "localhost-ftji-production-ualj";
+const ADMIN_TOKEN = "sk_Km9XaQpL2tRZ3nVxYbCdEfGhJkMnPqRsTuVwXyZaBcDe";
+const PUBLISHABLE_TOKEN = "pk_ivU6QmAj3sKwLp1XnVxYbCdEfGhJkMnPqRsTuVwXyZ";
+const HOST = "engine.example.com";
+
+function MockEnvBlock({ publicDsn, secretDsn }: { publicDsn: string; secretDsn: string }) {
+	return (
+		<div className="gap-1 items-center grid grid-cols-2">
+			<Label asChild className="text-muted-foreground text-xs mb-1">
+				<p>Key</p>
+			</Label>
+			<Label asChild className="text-muted-foreground text-xs mb-1">
+				<p>Value</p>
+			</Label>
+			<DiscreteInput
+				aria-label="environment variable key"
+				value="RIVET_PUBLIC_ENDPOINT"
+				show
+			/>
+			<DiscreteInput
+				aria-label="environment variable value"
+				value={publicDsn}
+				show
+			/>
+			<DiscreteInput
+				aria-label="environment variable key"
+				value="RIVET_ENDPOINT"
+				show
+			/>
+			<DiscreteInput
+				aria-label="environment variable value"
+				value={secretDsn}
+				show
+			/>
+		</div>
+	);
+}
+
+export const PlainOss: Story = () => (
+	<Frame>
+		<Section title="Plain OSS — no auth, namespace-only public DSN">
+			<div className="space-y-3">
+				<MockEnvBlock
+					publicDsn={`https://${NS}@${HOST}`}
+					secretDsn={`https://${NS}:${ADMIN_TOKEN}@${HOST}`}
+				/>
+			</div>
+		</Section>
+	</Frame>
+);
+
+export const Cloud: Story = () => (
+	<Frame>
+		<Section title="Cloud — fetched publishable token">
+			<div className="space-y-3">
+				<MockEnvBlock
+					publicDsn={`https://${NS}:${PUBLISHABLE_TOKEN}@${HOST}`}
+					secretDsn={`https://${NS}:${ADMIN_TOKEN}@${HOST}`}
+				/>
+			</div>
+		</Section>
+	</Frame>
+);
+
+export const EnterpriseAcl: Story = () => (
+	<Frame>
+		<Section title="Enterprise (ACL, no platform API) — placeholder + RBAC notice">
+			<div className="space-y-3">
+				<PublishableTokenNotice />
+				<MockEnvBlock
+					publicDsn={`https://${NS}:<PUBLISHABLE_TOKEN>@${HOST}`}
+					secretDsn={`https://${NS}:${ADMIN_TOKEN}@${HOST}`}
+				/>
+			</div>
+		</Section>
+	</Frame>
+);
+
+export const NoticeOnly: Story = () => (
+	<Frame>
+		<Section title="Publishable token notice in isolation">
+			<PublishableTokenNotice />
+		</Section>
+	</Frame>
+);
+
+export const Gallery: Story = () => (
+	<Frame>
+		<Section title="Plain OSS">
+			<MockEnvBlock
+				publicDsn={`https://${NS}@${HOST}`}
+				secretDsn={`https://${NS}:${ADMIN_TOKEN}@${HOST}`}
+			/>
+		</Section>
+		<Section title="Cloud">
+			<MockEnvBlock
+				publicDsn={`https://${NS}:${PUBLISHABLE_TOKEN}@${HOST}`}
+				secretDsn={`https://${NS}:${ADMIN_TOKEN}@${HOST}`}
+			/>
+		</Section>
+		<Section title="Enterprise (ACL)">
+			<div className="space-y-3">
+				<PublishableTokenNotice />
+				<MockEnvBlock
+					publicDsn={`https://${NS}:<PUBLISHABLE_TOKEN>@${HOST}`}
+					secretDsn={`https://${NS}:${ADMIN_TOKEN}@${HOST}`}
+				/>
+			</div>
+		</Section>
+	</Frame>
+);
diff --git a/frontend/src/app/env-variables.tsx b/frontend/src/app/env-variables.tsx
index d210fcba18..ef589d440b 100644
--- a/frontend/src/app/env-variables.tsx
+++ b/frontend/src/app/env-variables.tsx
@@ -1,3 +1,4 @@
+import { faKey, Icon } from "@rivet-gg/icons";
 import { useId } from "react";
 import { Button, CopyTrigger, DiscreteInput, getConfig } from "@/components";
 import { useEngineCompatDataProvider } from "@/components/actors";
@@ -6,6 +7,8 @@ import { cloudEnv } from "@/lib/env";
 import { features } from "@/lib/features";
 import { useAdminToken, usePublishableToken } from "@/queries/accessors";
 
+const needsManualPublishableToken = features.acl && !features.platform;
+
 export function EnvVariables({
 	id: _id,
 	runnerName,
@@ -24,7 +27,10 @@ export function EnvVariables({
 	const rId = useId();
 	const id = _id || rId;
 	return (
-		<div>
+		<div className="space-y-3">
+			{showEndpoint && needsManualPublishableToken ? (
+				<PublishableTokenNotice />
+			) : null}
 			<div
 				className="gap-1 items-center grid grid-cols-2"
 				data-env-variables={id}
@@ -98,7 +104,7 @@ export const useRivetDsn = ({
 	endpoint?: string;
 	kind: "publishable" | "secret";
 }) => {
-	const globalEndpoint = features.multitenancy
+	const globalEndpoint = features.platform
 		? cloudEnv().VITE_APP_API_URL
 		: getConfig().apiUrl;
 
@@ -115,9 +121,9 @@ export const useRivetDsn = ({
 	const auth =
 		kind === "secret"
 			? `${namespace}:${adminToken}`
-			: !features.multitenancy
+			: !features.acl
 				? namespace
-				: `${namespace}:${publishableToken}`;
+				: `${namespace}:${publishableToken ?? "<PUBLISHABLE_TOKEN>"}`;
 
 	const dsn = `https://${auth}@${apiEndpoint
 		.replace("https://", "")
@@ -150,6 +156,28 @@ export function RivetPublicEndpointEnv({
 	);
 }
 
+export function PublishableTokenNotice() {
+	return (
+		<div className="flex gap-3 rounded-md border border-border bg-muted/30 p-3 text-sm">
+			<Icon
+				icon={faKey}
+				className="mt-0.5 shrink-0 text-muted-foreground"
+			/>
+			<div className="space-y-1">
+				<p className="font-medium">Publishable token required</p>
+				<p className="text-muted-foreground text-xs">
+					Replace{" "}
+					<code className="rounded bg-muted px-1 py-0.5 text-foreground">
+						{"<PUBLISHABLE_TOKEN>"}
+					</code>{" "}
+					in <code>RIVET_PUBLIC_ENDPOINT</code> with a token issued
+					through your Rivet Enterprise RBAC configuration.
+				</p>
+			</div>
+		</div>
+	);
+}
+
 export function RivetRunnerEndpointEnv({
 	prefix,
 	endpoint,
diff --git a/frontend/src/app/forms/engine-credentials-form.tsx b/frontend/src/app/forms/engine-credentials-form.tsx
index 570340203f..36f3b92572 100644
--- a/frontend/src/app/forms/engine-credentials-form.tsx
+++ b/frontend/src/app/forms/engine-credentials-form.tsx
@@ -9,6 +9,9 @@ import {
 	FormMessage,
 	Input,
 } from "@/components";
+import { features } from "@/lib/features";
+
+const isEnterprise = features.acl && !features.platform;
 
 export const formSchema = z.object({
 	token: z.string().nonempty("Token is required"),
@@ -31,10 +34,16 @@ export const Token = ({ className }: { className?: string }) => {
 			name="token"
 			render={({ field }) => (
 				<FormItem className={className}>
-					<FormLabel className="col-span-1">Token</FormLabel>
+					<FormLabel className="col-span-1">
+						{isEnterprise ? "Dashboard token" : "Admin token"}
+					</FormLabel>
 					<FormControl className="row-start-2">
 						<Input
-							placeholder="Enter a token..."
+							placeholder={
+								isEnterprise
+									? "Paste your dashboard token..."
+									: "Enter a token..."
+							}
 							type="password"
 							{...field}
 						/>
diff --git a/frontend/src/app/layout.tsx b/frontend/src/app/layout.tsx
index 5b06f82134..5f0ea85910 100644
--- a/frontend/src/app/layout.tsx
+++ b/frontend/src/app/layout.tsx
@@ -57,10 +57,9 @@ import type { HeaderLinkProps } from "@/components/header/header-link";
 import { authClient } from "@/lib/auth";
 import { features } from "@/lib/features";
 import { ensureTrailingSlash } from "@/lib/utils";
-import { TEST_IDS } from "@/utils/test-ids";
 import type { RivetActorError } from "@/queries/types";
+import { TEST_IDS } from "@/utils/test-ids";
 import { ActorBuildsList } from "./actor-builds-list";
-import { RunnerPoolErrorPopover } from "./runner-pool-error-popover";
 import { BillingLimitAlert } from "./billing/billing-limit-alert";
 import { BillingPlanBadge } from "./billing/billing-plan-badge";
 import { BillingUsageGauge } from "./billing/billing-usage-gauge";
@@ -68,6 +67,7 @@ import { Changelog } from "./changelog";
 import { ContextSwitcher } from "./context-switcher";
 import { HelpDropdown } from "./help-dropdown";
 import { NamespaceSelect } from "./namespace-select";
+import { RunnerPoolErrorPopover } from "./runner-pool-error-popover";
 import { UserDropdown } from "./user-dropdown";
 
 interface RootProps {
@@ -203,24 +203,25 @@ const Sidebar = ({
 				>
 					<Logo />
 					<div className="flex flex-1 flex-col gap-2 px-2 min-h-0">
-						{features.multitenancy
-							? <CloudSidebar />
-							: (
-								<>
-									<Breadcrumbs />
-									<ScrollArea>
-										<EngineSubnav />
-									</ScrollArea>
-								</>
-							)}
+						{features.platform ? (
+							<CloudSidebar />
+						) : (
+							<>
+								<Breadcrumbs />
+								<ScrollArea>
+									<EngineSubnav />
+								</ScrollArea>
+							</>
+						)}
 					</div>
 					<div>
 						<div className="border-t my-0.5 mx-2.5" />
 
-						{features.multitenancy ? (
+						{features.platform ? (
 							<>
 								<div className="flex gap-0.5 my-2 px-2.5 flex-col">
-									{features.billing && matchRoute({
+									{features.billing &&
+									matchRoute({
 										to: "/orgs/$organization/projects/$project/ns/$namespace",
 										fuzzy: true,
 										pending: false,
@@ -244,10 +245,11 @@ const Sidebar = ({
 												</div>
 											</Link>
 										</HeaderButton>
-									) : features.billing && matchRoute({
+									) : features.billing &&
+										matchRoute({
 											to: "/orgs/$organization/projects/$project",
-												fuzzy: true,
-												pending: false,
+											fuzzy: true,
+											pending: false,
 										}) ? (
 										<HeaderButton asChild>
 											<Link
@@ -317,118 +319,118 @@ const Sidebar = ({
 							</>
 						) : (
 							<div className="flex gap-0.5 my-2 px-2.5 flex-col">
-									{features.branding ? (
-										<Changelog>
-											<HeaderButton
-												startIcon={
-													<Icon
-														icon={faGift}
-														className="size-5 opacity-80 group-hover:opacity-100 transition-opacity"
-													/>
-												}
+								{features.branding ? (
+									<Changelog>
+										<HeaderButton
+											startIcon={
+												<Icon
+													icon={faGift}
+													className="size-5 opacity-80 group-hover:opacity-100 transition-opacity"
+												/>
+											}
+										>
+											<a
+												href="https://www.rivet.dev/changelog"
+												target="_blank"
+												rel="noopener"
 											>
-												<a
-													href="https://www.rivet.dev/changelog"
-													target="_blank"
-													rel="noopener"
-												>
-													What's new?
-													<Ping
-														className="relative -right-1"
-														data-changelog-ping
-													/>
-												</a>
-											</HeaderButton>
-										</Changelog>
-									) : null}
-									<HeaderButton
-										asChild
-										startIcon={
-											<Icon
-												icon={faMessageSmile}
-												className="size-5 opacity-80 group-hover:opacity-100 transition-opacity"
-											/>
-										}
+												What's new?
+												<Ping
+													className="relative -right-1"
+													data-changelog-ping
+												/>
+											</a>
+										</HeaderButton>
+									</Changelog>
+								) : null}
+								<HeaderButton
+									asChild
+									startIcon={
+										<Icon
+											icon={faMessageSmile}
+											className="size-5 opacity-80 group-hover:opacity-100 transition-opacity"
+										/>
+									}
+								>
+									<Link
+										to="."
+										search={(old) => ({
+											...old,
+											modal: "feedback",
+										})}
 									>
-										<Link
-											to="."
-											search={(old) => ({
-												...old,
-												modal: "feedback",
-											})}
-										>
-											Feedback
-										</Link>
-									</HeaderButton>
-									<HeaderButton
-										asChild
-										startIcon={
-											<Icon
-												icon={faBook}
-												className="size-5 opacity-80 group-hover:opacity-100 transition-opacity"
-											/>
-										}
-										endIcon={
-											<Icon
-												icon={faArrowUpRight}
-												className="ms-1"
-											/>
-										}
+										Feedback
+									</Link>
+								</HeaderButton>
+								<HeaderButton
+									asChild
+									startIcon={
+										<Icon
+											icon={faBook}
+											className="size-5 opacity-80 group-hover:opacity-100 transition-opacity"
+										/>
+									}
+									endIcon={
+										<Icon
+											icon={faArrowUpRight}
+											className="ms-1"
+										/>
+									}
+								>
+									<a
+										href="https://www.rivet.dev/docs"
+										target="_blank"
+										rel="noopener noreferrer"
 									>
-										<a
-											href="https://www.rivet.dev/docs"
-											target="_blank"
-											rel="noopener noreferrer"
-										>
-											Documentation
-										</a>
-									</HeaderButton>
-									<HeaderButton
-										asChild
-										startIcon={
-											<Icon
-												icon={faDiscord}
-												className="size-5 opacity-80 group-hover:opacity-100 transition-opacity"
-											/>
-										}
-										endIcon={
-											<Icon
-												icon={faArrowUpRight}
-												className="ms-1"
-											/>
-										}
+										Documentation
+									</a>
+								</HeaderButton>
+								<HeaderButton
+									asChild
+									startIcon={
+										<Icon
+											icon={faDiscord}
+											className="size-5 opacity-80 group-hover:opacity-100 transition-opacity"
+										/>
+									}
+									endIcon={
+										<Icon
+											icon={faArrowUpRight}
+											className="ms-1"
+										/>
+									}
+								>
+									<a
+										href="http://www.rivet.dev/discord"
+										target="_blank"
+										rel="noopener noreferrer"
 									>
-										<a
-											href="http://www.rivet.dev/discord"
-											target="_blank"
-											rel="noopener noreferrer"
-										>
-											Discord
-										</a>
-									</HeaderButton>
-									<HeaderButton
-										asChild
-										startIcon={
-											<Icon
-												icon={faGithub}
-												className="size-5 opacity-80 group-hover:opacity-100 transition-opacity"
-											/>
-										}
-										endIcon={
-											<Icon
-												icon={faArrowUpRight}
-												className="ms-1"
-											/>
-										}
+										Discord
+									</a>
+								</HeaderButton>
+								<HeaderButton
+									asChild
+									startIcon={
+										<Icon
+											icon={faGithub}
+											className="size-5 opacity-80 group-hover:opacity-100 transition-opacity"
+										/>
+									}
+									endIcon={
+										<Icon
+											icon={faArrowUpRight}
+											className="ms-1"
+										/>
+									}
+								>
+									<a
+										href="http://github.com/rivet-dev/rivet"
+										target="_blank"
+										rel="noopener noreferrer"
 									>
-										<a
-											href="http://github.com/rivet-dev/rivet"
-											target="_blank"
-											rel="noopener noreferrer"
-										>
-											GitHub
-										</a>
-									</HeaderButton>
+										GitHub
+									</a>
+								</HeaderButton>
 							</div>
 						)}
 					</div>
@@ -667,16 +669,14 @@ function CloudSidebarContentInner() {
 							to: "/orgs/$organization/projects/$project/ns/$namespace",
 							fuzzy: true,
 						}) ? (
-							<div className="flex items-center gap-1">
-								<HeaderLink
-									to="/orgs/$organization/projects/$project/ns/$namespace/settings"
-									className="flex-1 font-normal"
-									icon={faCog}
-								>
-									Settings
-								</HeaderLink>
+							<HeaderLink
+								to="/orgs/$organization/projects/$project/ns/$namespace/settings"
+								className="flex-1 font-normal items-center gap-1"
+								icon={faCog}
+							>
+								<span className="flex-1">Settings</span>
 								<RunnerConfigErrorIndicator />
-							</div>
+							</HeaderLink>
 						) : matchRoute({
 								to: "/orgs/$organization/projects/$project",
 								fuzzy: true,
diff --git a/frontend/src/components/actors/actor-inspector-context.tsx b/frontend/src/components/actors/actor-inspector-context.tsx
index 4caaf5c706..b8eee49b05 100644
--- a/frontend/src/components/actors/actor-inspector-context.tsx
+++ b/frontend/src/components/actors/actor-inspector-context.tsx
@@ -479,19 +479,26 @@ const replayWorkflowFromStepHttp = async ({
 	entryId,
 }: {
 	actorId: ActorId;
-	credentials: { url: string; inspectorToken: string };
+	credentials: { url: string; inspectorToken: string; token: string };
 	entryId?: string;
 }) => {
+	const headers: Record<string, string> = {
+		Authorization: `Bearer ${credentials.inspectorToken}`,
+		"Content-Type": "application/json",
+		"X-Rivet-Target": "actor",
+		"X-Rivet-Actor": actorId,
+	};
+	if (credentials.token) {
+		headers["x-rivet-token"] = credentials.token;
+	}
+
 	const response = await fetch(
 		new URL(
 			`${computeActorUrl({ url: credentials.url, actorId })}/inspector/workflow/replay`,
 		).href,
 		{
 			method: "POST",
-			headers: {
-				Authorization: `Bearer ${credentials.inspectorToken}`,
-				"Content-Type": "application/json",
-			},
+			headers,
 			signal: AbortSignal.timeout(10_000),
 			body: JSON.stringify(entryId ? { entryId } : {}),
 		},
@@ -888,6 +895,7 @@ export const ActorInspectorProvider = ({
 					credentials: {
 						url: credentials.url,
 						inspectorToken: credentials.inspectorToken,
+						token: credentials.token,
 					},
 					entryId,
 				});
diff --git a/frontend/src/components/actors/data-provider.tsx b/frontend/src/components/actors/data-provider.tsx
index 8717a647e1..a6434b1f3a 100644
--- a/frontend/src/components/actors/data-provider.tsx
+++ b/frontend/src/components/actors/data-provider.tsx
@@ -20,7 +20,7 @@ type CloudDataProvider = ReturnType<typeof createNamespaceCloudContext> &
 	ReturnType<typeof createGlobalCloudContext>;
 
 export const useDataProvider = (): EngineDataProvider | CloudDataProvider => {
-	if (features.multitenancy) {
+	if (features.platform) {
 		// biome-ignore lint/correctness/useHookAtTopLevel: guarded by build constant
 		return useLoaderData({
 			from: "/_context/orgs/$organization/projects/$project/ns/$namespace",
@@ -38,7 +38,7 @@ export const useDataProviderCheck = () => {
 	const matchRoute = useMatchRoute();
 	return matchRoute({
 		fuzzy: true,
-		to: features.multitenancy
+		to: features.platform
 			? "/orgs/$organization/projects/$project/ns/$namespace"
 			: "/ns/$namespace",
 	});
@@ -80,7 +80,7 @@ export const useCloudNamespaceDataProvider = () => {
 };
 
 export const useEngineCompatDataProvider = () => {
-	if (features.multitenancy) {
+	if (features.platform) {
 		// biome-ignore lint/correctness/useHookAtTopLevel: guarded by build constant
 		return useLoaderData({
 			from: "/_context/orgs/$organization/projects/$project/ns/$namespace",
diff --git a/frontend/src/components/actors/guard-connectable-inspector.tsx b/frontend/src/components/actors/guard-connectable-inspector.tsx
index 498d406540..a1ac1dee54 100644
--- a/frontend/src/components/actors/guard-connectable-inspector.tsx
+++ b/frontend/src/components/actors/guard-connectable-inspector.tsx
@@ -23,13 +23,11 @@ import {
 	useMemo,
 } from "react";
 import { match, P } from "ts-pattern";
-import { useLocalStorage } from "usehooks-ts";
 import { HelpDropdown } from "@/app/help-dropdown";
 import { isRivetApiError } from "@/lib/errors";
 import { features } from "@/lib/features";
 import { DiscreteCopyButton } from "../copy-area";
-import { getConfig, useConfig } from "../lib/config";
-import { ls } from "../lib/utils";
+import { useConfig } from "../lib/config";
 import { ShimmerLine } from "../shimmer-line";
 import { Button } from "../ui/button";
 import { useFiltersValue } from "./actor-filters-context";
@@ -524,20 +522,18 @@ function useActorRunner({ actorId }: { actorId: ActorId }) {
 }
 
 function useEngineToken() {
-	if (features.multitenancy) {
+	if (features.platform) {
 		const { data } = useQuery(
 			useRouteContext({
 				from: "/_context/orgs/$organization/projects/$project/ns/$namespace",
 			}).dataProvider.publishableTokenQueryOptions(),
 		);
-		return data;
+		return data || "";
 	}
-	const [data] = useLocalStorage(
-		ls.engineCredentials.key(getConfig().apiUrl),
-		"",
-		{ serializer: JSON.stringify, deserializer: JSON.parse },
+	const { data } = useQuery(
+		useEngineCompatDataProvider().engineAdminTokenQueryOptions(),
 	);
-	return data?.token || "";
+	return data || "";
 }
 
 function useEngineUrl() {
diff --git a/frontend/src/components/actors/no-providers-alert.tsx b/frontend/src/components/actors/no-providers-alert.tsx
index d3426e0d7b..ad141dd72a 100644
--- a/frontend/src/components/actors/no-providers-alert.tsx
+++ b/frontend/src/components/actors/no-providers-alert.tsx
@@ -29,7 +29,7 @@ export function NoProvidersAlert({
 			<div className="flex flex-col items-center justify-center gap-2">
 				{variant === "default" ? (
 					<>
-						{features.multitenancy ? (
+						{features.platform ? (
 							<Button size="sm" asChild className="w-full">
 								<Link
 									to="/orgs/$organization/projects/$project/ns/$namespace/settings"
@@ -39,7 +39,7 @@ export function NoProvidersAlert({
 								</Link>
 							</Button>
 						) : null}
-						{!features.multitenancy ? (
+						{!features.platform ? (
 							<Button asChild size="sm" className="w-full">
 								<Link
 									to="/ns/$namespace"
diff --git a/frontend/src/lib/features.ts b/frontend/src/lib/features.ts
index f1e0b4c4b7..5cc7b38136 100644
--- a/frontend/src/lib/features.ts
+++ b/frontend/src/lib/features.ts
@@ -15,15 +15,20 @@ function isEnabled(flag: string): boolean {
 }
 
 const auth = isEnabled("auth");
-const multitenancy = isEnabled("multitenancy") && auth;
+// `platform` gates whether the cloud platform stack is available (publishable
+// token endpoint, billing, projects, multi-tenancy). The legacy
+// `multitenancy` env string is accepted as an alias during the rollover.
+const platform = (isEnabled("platform") || isEnabled("multitenancy")) && auth;
+const acl = isEnabled("acl") || platform;
 
 export const features = {
 	auth,
+	acl,
 	billing: isEnabled("billing"),
 	captcha: isEnabled("captcha") && auth,
 	support: isEnabled("support"),
 	branding: isEnabled("branding"),
 	datacenter: isEnabled("datacenter"),
 	dangerZone: isEnabled("danger-zone"),
-	multitenancy,
+	platform,
 } as const;
diff --git a/frontend/src/queries/accessors.ts b/frontend/src/queries/accessors.ts
index 2fa9e461b4..26bd1a7418 100644
--- a/frontend/src/queries/accessors.ts
+++ b/frontend/src/queries/accessors.ts
@@ -9,19 +9,17 @@ import {
 import { cloudEnv } from "@/lib/env";
 import { features } from "@/lib/features";
 
-export function usePublishableToken() {
-	if (features.multitenancy) {
+export function usePublishableToken(): string | null {
+	if (features.platform) {
 		// biome-ignore lint/correctness/useHookAtTopLevel: guarded by build constant
 		return useSuspenseQuery(
 			// biome-ignore lint/correctness/useHookAtTopLevel: guarded by build constant
 			useCloudNamespaceDataProvider().publishableTokenQueryOptions() as UseSuspenseQueryOptions<string>,
 		).data;
 	}
-	// biome-ignore lint/correctness/useHookAtTopLevel: guarded by build constant
-	return useSuspenseQuery(
-		// biome-ignore lint/correctness/useHookAtTopLevel: guarded by build constant
-		useEngineNamespaceDataProvider().engineAdminTokenQueryOptions() as UseSuspenseQueryOptions<string>,
-	).data;
+	// Enterprise (ACL without platform API) has no publishable-token endpoint;
+	// users mint these out-of-band via RBAC config. Plain OSS has no auth.
+	return null;
 }
 
 export function useAdminToken() {
@@ -31,7 +29,7 @@ export function useAdminToken() {
 }
 
 export const useEndpoint = () => {
-	if (features.multitenancy) {
+	if (features.platform) {
 		return cloudEnv().VITE_APP_API_URL;
 	}
 	return getConfig().apiUrl;
diff --git a/frontend/src/routes/__root.tsx b/frontend/src/routes/__root.tsx
index e74fd5a014..c0bfbb6004 100644
--- a/frontend/src/routes/__root.tsx
+++ b/frontend/src/routes/__root.tsx
@@ -64,6 +64,6 @@ interface RootRouteContext {
 }
 
 export const Route = createRootRouteWithContext<RootRouteContext>()({
-	component: features.auth && features.multitenancy ? CloudRoute : RootRoute,
+	component: features.auth && features.platform ? CloudRoute : RootRoute,
 	pendingComponent: FullscreenLoading,
 });
diff --git a/frontend/src/routes/_context.tsx b/frontend/src/routes/_context.tsx
index bca04748fc..6268a164d0 100644
--- a/frontend/src/routes/_context.tsx
+++ b/frontend/src/routes/_context.tsx
@@ -43,7 +43,7 @@ export const Route = createFileRoute("/_context")({
 	component: RouteComponent,
 	validateSearch: zodValidator(searchSchema),
 	context: ({ context }) => {
-		if (features.multitenancy) {
+		if (features.platform) {
 			return {
 				dataProvider: context.getOrCreateCloudContext(),
 				__type: "cloud" as const,
@@ -57,7 +57,7 @@ export const Route = createFileRoute("/_context")({
 		};
 	},
 	beforeLoad: async (route) => {
-		if (features.multitenancy) {
+		if (features.platform) {
 			const justVerifiedEmail =
 				(route.location.search as { emailVerified?: string })
 					?.emailVerified === "1";
@@ -107,8 +107,8 @@ function RouteComponent() {
 			<Outlet />
 			<ModalRenderer />
 			<Modals />
-			{!features.multitenancy && <EngineModals />}
-			{features.multitenancy && <CloudModals />}
+			{!features.platform && <EngineModals />}
+			{features.platform && <CloudModals />}
 		</>
 	);
 }
diff --git a/frontend/src/routes/_context/index.tsx b/frontend/src/routes/_context/index.tsx
index 41a62449fc..9771bc0022 100644
--- a/frontend/src/routes/_context/index.tsx
+++ b/frontend/src/routes/_context/index.tsx
@@ -6,9 +6,9 @@ import { redirectToOrganization } from "@/lib/auth";
 import { features } from "@/lib/features";
 
 export const Route = createFileRoute("/_context/")({
-	component: () => (features.multitenancy ? <CloudRoute /> : <EngineRoute />),
+	component: () => (features.platform ? <CloudRoute /> : <EngineRoute />),
 	beforeLoad: async ({ context, search }) => {
-		if (features.multitenancy) {
+		if (features.platform) {
 			if (!(await redirectToOrganization(search))) {
 				throw redirect({ to: "/login", search: true });
 			}
diff --git a/frontend/src/routes/_context/orgs.$organization/projects.$project/index.tsx b/frontend/src/routes/_context/orgs.$organization/projects.$project/index.tsx
index ea1b9bfb93..208796730a 100644
--- a/frontend/src/routes/_context/orgs.$organization/projects.$project/index.tsx
+++ b/frontend/src/routes/_context/orgs.$organization/projects.$project/index.tsx
@@ -8,7 +8,7 @@ export const Route = createFileRoute(
 	"/_context/orgs/$organization/projects/$project/",
 )({
 	beforeLoad: async ({ context, params }) => {
-		if (!features.multitenancy) {
+		if (!features.platform) {
 			throw notFound();
 		}
 
diff --git a/frontend/src/routes/_context/orgs.$organization/projects.$project/ns.$namespace/settings.tsx b/frontend/src/routes/_context/orgs.$organization/projects.$project/ns.$namespace/settings.tsx
index 4dd94760f3..3edcffef4f 100644
--- a/frontend/src/routes/_context/orgs.$organization/projects.$project/ns.$namespace/settings.tsx
+++ b/frontend/src/routes/_context/orgs.$organization/projects.$project/ns.$namespace/settings.tsx
@@ -43,7 +43,7 @@ export const Route = createFileRoute(
 
 	pendingComponent: DataLoadingPlaceholder,
 	beforeLoad: async () => {
-		if (!features.multitenancy) {
+		if (!features.platform) {
 			throw notFound();
 		}
 	},
diff --git a/frontend/src/routes/_context/orgs.$organization/projects.$project/ns.$namespace/tokens.tsx b/frontend/src/routes/_context/orgs.$organization/projects.$project/ns.$namespace/tokens.tsx
index 4693643701..af63002cbf 100644
--- a/frontend/src/routes/_context/orgs.$organization/projects.$project/ns.$namespace/tokens.tsx
+++ b/frontend/src/routes/_context/orgs.$organization/projects.$project/ns.$namespace/tokens.tsx
@@ -291,7 +291,7 @@ function RunnersModeInfo() {
 		() => regions[0]?.name,
 	);
 
-	const endpoint = features.multitenancy
+	const endpoint = features.platform
 		? regions.find((r) => r.name === selectedDatacenter)?.url || cloudEnv().VITE_APP_API_URL
 		: getConfig().apiUrl;
 
diff --git a/frontend/src/routes/_context/orgs.$organization/projects.$project/settings.tsx b/frontend/src/routes/_context/orgs.$organization/projects.$project/settings.tsx
index cb63a3faf2..c60f49e96f 100644
--- a/frontend/src/routes/_context/orgs.$organization/projects.$project/settings.tsx
+++ b/frontend/src/routes/_context/orgs.$organization/projects.$project/settings.tsx
@@ -13,7 +13,7 @@ export const Route = createFileRoute(
 	"/_context/orgs/$organization/projects/$project/settings",
 )({
 	beforeLoad: () => {
-		if(!features.multitenancy) {
+		if(!features.platform) {
 			throw notFound();
 		}