
Entitlements Over Feature Flags: A Better Way to Gate SaaS Features

December 10, 2025 · 5 min read

The Feature Flag Trap

Feature flags are great for gradual rollouts. But somewhere, someone decided they should also handle plan-based access control.

"Just check if the user has the 'pro_features' flag!"

This works until it doesn't.

The Problem With Flags for Access Control

State explosion: Every plan needs its own set of flags. Pro has 12 flags. Enterprise has 18. Now maintain that.

No connection to billing: Flags don't know about subscriptions. User cancels? Someone has to flip 18 flags.

Frontend/backend split: You're checking flags in your UI AND your API. Hopefully they match.

No audit trail: Who enabled this flag? When? Why?

Enter Entitlements

Entitlements are access rules tied directly to subscription plans.

When you define a plan, you define what it includes:

  • feature:advanced_analytics
  • limit:api_calls:10000
  • access:priority_support

When a customer subscribes, they get those entitlements. Automatically.

How It Works

Single source of truth: Entitlements come from the subscription, period.

Real-time sync: Cancel a subscription? Entitlements update instantly.

Simple checks: One API call tells you if a customer can access a feature.

    GET /api/entitlements/check?customer=123&feature=advanced_analytics
    { "entitled": true, "source": "plan:pro" }
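
A server-side sketch of what sits behind a check like this, added here as an illustration and not taken from any product's code. It parses the `feature:` / `limit:` / `access:` strings shown above, derives access only from the subscription record, and denies by default; the plan contents, subscription records, function names and the shape of the denied response are assumptions.

```python
# Added example. PLANS and SUBSCRIPTIONS are constructed sample data standing
# in for the billing system's records; the function names are hypothetical.
PLANS = {
    "pro": ["feature:advanced_analytics", "limit:api_calls:10000",
            "access:priority_support"],
    "free": ["limit:api_calls:100"],
}
SUBSCRIPTIONS = {
    "123": {"plan": "pro", "status": "active"},
    "456": {"plan": "pro", "status": "canceled"},
}


def parse_entitlement(entry):
    """Split 'feature:x', 'access:x' or 'limit:x:N' into (kind, name, value)."""
    parts = entry.split(":")
    if len(parts) == 2 and parts[0] in ("feature", "access") and parts[1]:
        return parts[0], parts[1], None
    if len(parts) == 3 and parts[0] == "limit" and parts[1] and parts[2].isdecimal():
        return "limit", parts[1], int(parts[2])
    raise ValueError(f"malformed entitlement: {entry!r}")


def entitlements_for(customer):
    """Derive entitlements from the subscription only; nothing else grants access."""
    sub = SUBSCRIPTIONS.get(customer)
    if sub is None or sub["status"] != "active":
        return None, {}  # unknown customer or canceled plan: no entitlements
    granted = {}
    for entry in PLANS.get(sub["plan"], []):
        kind, name, value = parse_entitlement(entry)
        granted[(kind, name)] = value
    return sub["plan"], granted


def check_feature(customer, feature):
    """Deny by default: entitled only if the active plan lists the feature."""
    plan, granted = entitlements_for(customer)
    if ("feature", feature) in granted:
        return {"entitled": True, "source": f"plan:{plan}"}
    return {"entitled": False, "source": None}  # denied shape is an assumption


def check_limit(customer, name, used):
    """True while usage is strictly below the plan's limit; no limit means deny."""
    _, granted = entitlements_for(customer)
    limit = granted.get(("limit", name))
    return limit is not None and used < limit
```

Because the check runs on the server against the subscription record, a UI that hides or shows a feature is only a convenience; the API response is the authorization decision.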

What You Can Do

  • **Feature gating**: Does this customer have access to X?
  • **Usage limits**: Has this customer exceeded their API quota?
  • **Role-based access**: Is this user an admin on this plan?
  • **Upsell triggers**: Show upgrade prompts when limits are hit

The Result

Your app doesn't manage access control. Your billing system does. And it's always in sync.