diff --git a/src/Frontend/src/App.vue b/src/Frontend/src/App.vue
index 5f0f6d49a..ccaa60e86 100644
--- a/src/Frontend/src/App.vue
+++ b/src/Frontend/src/App.vue
@@ -8,21 +8,21 @@ import LicenseNotifications from "@/components/LicenseNotifications.vue";
 import BackendChecksNotifications from "@/components/BackendChecksNotifications.vue";
 import { storeToRefs } from "pinia";
 import { useAuthStore } from "@/stores/AuthStore";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
 
 const authStore = useAuthStore();
 const route = useRoute();
 const { isAuthenticated, authEnabled } = storeToRefs(authStore);
 
-// Load the user's effective permissions (my/permissions/all) once authenticated, so the
-// nav and other UI can gate on them. Fail-safe: a missing/old endpoint just leaves
-// permissions unloaded and the UI fails open.
-const { fetchDescriptor } = usePermissions();
+// Load the allowed-route manifest (my/routes) once authenticated, so the nav and other
+// UI can gate on it. Fail-safe: a missing/old endpoint just leaves the manifest unloaded
+// and the UI fails open.
+const { fetchManifest } = useAllowedRoutes();
 watch(
   [authEnabled, isAuthenticated],
   ([enabled, authenticated]) => {
     if (enabled && authenticated) {
-      fetchDescriptor();
+      fetchManifest();
     }
   },
   { immediate: true }
diff --git a/src/Frontend/src/components/PageHeader.vue b/src/Frontend/src/components/PageHeader.vue
index fdb03e618..f465a267c 100644
--- a/src/Frontend/src/components/PageHeader.vue
+++ b/src/Frontend/src/components/PageHeader.vue
@@ -15,7 +15,8 @@ import AuditMenuItem from "./audit/AuditMenuItem.vue";
 import monitoringClient from "@/components/monitoring/monitoringClient";
 import UserProfileMenuItem from "@/components/UserProfileMenuItem.vue";
 import { useAuthStore } from "@/stores/AuthStore";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 import { storeToRefs } from "pinia";
 
 const isMonitoringEnabled = monitoringClient.isMonitoringEnabled;
@@ -23,23 +24,23 @@ const isMonitoringEnabled = monitoringClient.isMonitoringEnabled;
 const authStore = useAuthStore();
 const { authEnabled, isAuthenticated } = storeToRefs(authStore);
 
-const { can, ready } = usePermissions();
+const { canCall, ready } = useAllowedRoutes();
 
-// Each item gates on the specific permission ServiceControl enforces for that area.
+// Each item gates on the specific route ServiceControl enforces for that area.
 // Gate-on-ready: render nothing until permissions are known, so items never appear and
-// then disappear. can() fails open, so auth-disabled / failed-load shows everything.
+// then disappear. canCall() fails open, so auth-disabled / failed-load shows everything.
 // prettier-ignore
 const menuItems = computed(() => {
   if (!ready.value) return [];
   return [
     DashboardMenuItem,
-    ...(can("error:heartbeats:view") ? [HeartbeatsMenuItem] : []),
-    ...(isMonitoringEnabled && can("monitoring:endpoint:view") ? [MonitoringMenuItem] : []),
-    ...(can("audit:message:view") ? [AuditMenuItem] : []),
-    ...(can("error:messages:view") ? [FailedMessagesMenuItem] : []),
-    ...(can("error:customchecks:view") ? [CustomChecksMenuItem] : []),
-    ...(can("error:eventlog:view") ? [EventsMenuItem] : []),
-    ...(can("error:throughput:view") ? [ThroughputMenuItem] : []),
+    ...(canCall(ApiRoutes.viewHeartbeats) ? [HeartbeatsMenuItem] : []),
+    ...(isMonitoringEnabled && canCall(ApiRoutes.viewMonitoredEndpoints) ? [MonitoringMenuItem] : []),
+    ...(canCall(ApiRoutes.viewAuditMessages) ? [AuditMenuItem] : []),
+    ...(canCall(ApiRoutes.viewFailedMessages) ? [FailedMessagesMenuItem] : []),
+    ...(canCall(ApiRoutes.viewCustomChecks) ? [CustomChecksMenuItem] : []),
+    ...(canCall(ApiRoutes.viewEventLog) ? [EventsMenuItem] : []),
+    ...(canCall(ApiRoutes.viewThroughput) ? [ThroughputMenuItem] : []),
     ConfigurationMenuItem,
     FeedbackButton,
   ];
diff --git a/src/Frontend/src/components/configuration/HealthCheckNotifications.vue b/src/Frontend/src/components/configuration/HealthCheckNotifications.vue
index 56b5274dc..a79564e7f 100644
--- a/src/Frontend/src/components/configuration/HealthCheckNotifications.vue
+++ b/src/Frontend/src/components/configuration/HealthCheckNotifications.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { computed, onMounted, ref } from "vue";
+import { onMounted, ref } from "vue";
 import LicenseNotExpired from "../LicenseNotExpired.vue";
 import ServiceControlAvailable from "../ServiceControlAvailable.vue";
 import HealthCheckNotifications_EmailConfiguration from "./HealthCheckNotifications_ConfigureEmail.vue";
@@ -13,14 +13,10 @@ import PermissionGate from "@/components/PermissionGate.vue";
 import { faCheck, faEdit, faEnvelope, faExclamationTriangle } from "@fortawesome/free-solid-svg-icons";
 import { useHealthChecksStore } from "@/stores/HealthChecksStore";
 import { storeToRefs } from "pinia";
-import { usePermissions } from "@/composables/usePermissions";
 
 const healthChecksStore = useHealthChecksStore();
-const { emailNotifications } = storeToRefs(healthChecksStore);
+const { emailNotifications, canManageNotifications, canTestNotifications } = storeToRefs(healthChecksStore);
 
-const { can } = usePermissions();
-const canManageNotifications = computed(() => can("error:notifications:manage"));
-const canTestNotifications = computed(() => can("error:notifications:test"));
 const manageDeniedTooltip = "You don't have permission to manage notifications.";
 const testDeniedTooltip = "You don't have permission to send test notifications.";
 
diff --git a/src/Frontend/src/components/configuration/RetryRedirects.vue b/src/Frontend/src/components/configuration/RetryRedirects.vue
index 8b60cd5f2..b657f12fe 100644
--- a/src/Frontend/src/components/configuration/RetryRedirects.vue
+++ b/src/Frontend/src/components/configuration/RetryRedirects.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { computed, onMounted, ref } from "vue";
+import { onMounted, ref } from "vue";
 import LicenseNotExpired from "../LicenseNotExpired.vue";
 import ServiceControlAvailable from "../ServiceControlAvailable.vue";
 import NoData from "../NoData.vue";
@@ -15,13 +15,11 @@ import PermissionGate from "@/components/PermissionGate.vue";
 import { faClock } from "@fortawesome/free-regular-svg-icons";
 import { useRedirectsStore } from "@/stores/RedirectsStore";
 import LoadingSpinner from "../LoadingSpinner.vue";
-import { usePermissions } from "@/composables/usePermissions";
+import { storeToRefs } from "pinia";
 
 const redirectsStore = useRedirectsStore();
-
-const { can } = usePermissions();
+const { canManageRedirects } = storeToRefs(redirectsStore);
 // Creating, modifying and ending redirects all manage redirects.
-const canManageRedirects = computed(() => can("error:redirects:manage"));
 const redirectsDeniedTooltip = "You don't have permission to manage redirects.";
 
 const loadingData = ref(true);
diff --git a/src/Frontend/src/components/configuration/UserPermissions.vue b/src/Frontend/src/components/configuration/UserPermissions.vue
index 6e2214f66..ae81d3739 100644
--- a/src/Frontend/src/components/configuration/UserPermissions.vue
+++ b/src/Frontend/src/components/configuration/UserPermissions.vue
@@ -1,208 +1,160 @@
+<script lang="ts">
+import { ApiRoutes } from "@/composables/apiRoutes";
+
+// Static capability groupings: each area lists the API routes the user may or may not be able to call.
+// Permissions are derived at render time from canCall — no permission strings are involved.
+// Defined at module scope (outside setup) so it is shared across component instances.
+export const groups = [
+  {
+    area: "Failed messages",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewFailedMessages },
+      { label: "Retry", ref: ApiRoutes.retryMessage },
+      { label: "Edit", ref: ApiRoutes.editMessage },
+      { label: "Delete", ref: ApiRoutes.deleteMessage },
+      { label: "Restore", ref: ApiRoutes.restoreMessage },
+    ],
+  },
+  {
+    area: "Recoverability groups",
+    caps: [
+      { label: "Retry group", ref: ApiRoutes.retryGroup },
+      { label: "Delete group", ref: ApiRoutes.deleteGroup },
+      { label: "Restore group", ref: ApiRoutes.restoreGroup },
+    ],
+  },
+  {
+    area: "Audit",
+    caps: [{ label: "View", ref: ApiRoutes.viewAuditMessages }],
+  },
+  {
+    area: "Monitoring",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewMonitoredEndpoints },
+      { label: "Remove endpoint", ref: ApiRoutes.deleteMonitoredEndpoint },
+    ],
+  },
+  {
+    area: "Custom checks",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewCustomChecks },
+      { label: "Dismiss", ref: ApiRoutes.dismissCustomCheck },
+    ],
+  },
+  {
+    area: "Event log",
+    caps: [{ label: "View", ref: ApiRoutes.viewEventLog }],
+  },
+  {
+    area: "Configuration — License",
+    caps: [{ label: "View", ref: ApiRoutes.viewLicense }],
+  },
+  {
+    area: "Configuration — Connections",
+    caps: [{ label: "View", ref: ApiRoutes.viewConnections }],
+  },
+  {
+    area: "Configuration — Notifications",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewNotifications },
+      { label: "Manage", ref: ApiRoutes.manageNotifications },
+      { label: "Test", ref: ApiRoutes.testNotifications },
+    ],
+  },
+  {
+    area: "Configuration — Redirects",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewRedirects },
+      { label: "Manage", ref: ApiRoutes.manageRedirects },
+    ],
+  },
+  {
+    area: "Configuration — Endpoints",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewEndpoints },
+      { label: "View heartbeats", ref: ApiRoutes.viewHeartbeats },
+      { label: "Remove instance", ref: ApiRoutes.deleteEndpointInstance },
+    ],
+  },
+  {
+    area: "Configuration — Throughput",
+    caps: [
+      { label: "View", ref: ApiRoutes.viewThroughput },
+      { label: "Manage", ref: ApiRoutes.manageThroughput },
+    ],
+  },
+];
+</script>
+
 <script setup lang="ts">
-import { computed, onMounted } from "vue";
-import { storeToRefs } from "pinia";
-import { faCheck } from "@fortawesome/free-solid-svg-icons";
+import { computed } from "vue";
+import { faCheck, faXmark } from "@fortawesome/free-solid-svg-icons";
 import FAIcon from "@/components/FAIcon.vue";
-import { usePermissionsStore } from "@/stores/PermissionsStore";
-import { usePermissions } from "@/composables/usePermissions";
-
-const store = usePermissionsStore();
-const { user, permissions, loadAttempted } = storeToRefs(store);
-const { fetchDescriptor } = usePermissions();
-
-// Permission strings are "instance:resource:action" (e.g. error:messages:retry).
-// We render one table per instance (Error/Audit/Monitoring), feature per row, action per
-// column, with a checkmark where the action is granted. All tables share the SAME columns
-// (ordered so the most widely shared actions come first: View, Delete, then the rest), so
-// the columns line up across instances. A column only shows its header label and checks for
-// instances that actually use it; otherwise it stays blank, keeping every table the same
-// width. Features and instances with no granted permission are omitted.
-const INSTANCE_ORDER = ["error", "audit", "monitoring"];
-const INSTANCE_LABELS: Record<string, string> = { error: "Error", audit: "Audit", monitoring: "Monitoring" };
-// Only the multi-word resources need a label; the rest are capitalized.
-const RESOURCE_LABELS: Record<string, string> = {
-  customchecks: "Custom checks",
-  recoverabilitygroups: "Recoverability groups",
-  eventlog: "Event log",
-};
-const ACTION_LABELS: Record<string, string> = {};
-const ACTION_ORDER = ["view", "retry", "edit", "archive", "unarchive", "manage", "test", "delete"];
-
-function label(code: string, overrides: Record<string, string>): string {
-  return overrides[code] ?? code.charAt(0).toUpperCase() + code.slice(1);
-}
-
-function rank(code: string, order: string[]): number {
-  const index = order.indexOf(code);
-  return index === -1 ? order.length : index;
-}
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
 
-interface Column {
-  action: string;
-  label: string;
-}
-interface FeatureRow {
-  resource: string;
-  label: string;
-  actions: Set<string>;
-  permissions: string[];
-}
-interface InstanceGroup {
-  instance: string;
-  label: string;
-  used: Set<string>;
-  features: FeatureRow[];
-}
-interface PermissionView {
-  columns: Column[];
-  instances: InstanceGroup[];
-}
+const { canCall } = useAllowedRoutes();
 
-const view = computed<PermissionView>(() => {
-  const byInstance = new Map<string, Map<string, Set<string>>>();
-  const actionInstances = new Map<string, Set<string>>();
-
-  for (const permission of permissions.value) {
-    const [instance, resource, action] = permission.split(":");
-    if (!instance || !resource || !action) continue;
-
-    let features = byInstance.get(instance);
-    if (!features) {
-      features = new Map();
-      byInstance.set(instance, features);
-    }
-    let actions = features.get(resource);
-    if (!actions) {
-      actions = new Set();
-      features.set(resource, actions);
-    }
-    actions.add(action);
-
-    let instancesWithAction = actionInstances.get(action);
-    if (!instancesWithAction) {
-      instancesWithAction = new Set();
-      actionInstances.set(action, instancesWithAction);
-    }
-    instancesWithAction.add(instance);
-  }
-
-  // Shared columns, most widely shared first, so they align across the instance tables.
-  const columns = [...actionInstances.entries()]
-    .sort(([actionA, instancesA], [actionB, instancesB]) => instancesB.size - instancesA.size || rank(actionA, ACTION_ORDER) - rank(actionB, ACTION_ORDER) || actionA.localeCompare(actionB))
-    .map(([action]) => ({ action, label: label(action, ACTION_LABELS) }));
-
-  const instances = [...byInstance.entries()]
-    .sort(([a], [b]) => rank(a, INSTANCE_ORDER) - rank(b, INSTANCE_ORDER) || a.localeCompare(b))
-    .map(([instance, features]) => {
-      const used = new Set<string>();
-      for (const featureActions of features.values()) {
-        for (const action of featureActions) used.add(action);
-      }
-      const featureRows = [...features.entries()]
-        .map(([resource, featureActions]) => ({
-          resource,
-          label: label(resource, RESOURCE_LABELS),
-          actions: featureActions,
-          // The full permission strings the user holds for this feature, shown on hover.
-          permissions: [...featureActions].sort((a, b) => rank(a, ACTION_ORDER) - rank(b, ACTION_ORDER) || a.localeCompare(b)).map((action) => `${instance}:${resource}:${action}`),
-        }))
-        .sort((a, b) => a.label.localeCompare(b.label));
-      return { instance, label: label(instance, INSTANCE_LABELS), used, features: featureRows };
-    });
-
-  return { columns, instances };
-});
-
-onMounted(() => {
-  // Normally already loaded at app start; ensures the page works on direct navigation.
-  fetchDescriptor();
-});
+const rows = computed(() =>
+  groups.map((g) => ({
+    area: g.area,
+    caps: g.caps.map((c) => ({ label: c.label, granted: canCall(c.ref) })),
+  }))
+);
 </script>
 
 <template>
   <section name="user-permissions">
     <div class="box">
       <h3>Your permissions</h3>
-      <p class="user-label">{{ user || "Unknown user" }}</p>
-
-      <template v-if="view.instances.length">
-        <section v-for="group in view.instances" :key="group.instance" class="instance">
-          <h4 class="instance-title">{{ group.label }}</h4>
-          <div class="table-scroll">
-            <table class="permissions-table">
-              <colgroup>
-                <col class="feature-col-width" />
-                <col v-for="column in view.columns" :key="column.action" class="action-col-width" />
-              </colgroup>
-              <thead>
-                <tr>
-                  <th scope="col" class="feature-col">Feature</th>
-                  <th scope="col" v-for="column in view.columns" :key="column.action">
-                    <span v-if="group.used.has(column.action)">{{ column.label }}</span>
-                  </th>
-                </tr>
-              </thead>
-              <tbody>
-                <tr v-for="feature in group.features" :key="feature.resource">
-                  <td class="feature-col" v-tippy="{ content: feature.permissions.join('<br>'), allowHTML: true }">{{ feature.label }}</td>
-                  <td v-for="column in view.columns" :key="column.action">
-                    <FAIcon v-if="feature.actions.has(column.action)" :icon="faCheck" class="check" :aria-label="`${feature.label} ${column.label} allowed`" />
-                  </td>
-                </tr>
-              </tbody>
-            </table>
-          </div>
-        </section>
-      </template>
-
-      <p v-else-if="loadAttempted" class="empty">No permissions are granted to this user.</p>
+
+      <table class="permissions-table">
+        <thead>
+          <tr>
+            <th scope="col" class="area-col">Area</th>
+            <th scope="col" class="cap-col">Capability</th>
+            <th scope="col" class="status-col">Allowed</th>
+          </tr>
+        </thead>
+        <tbody>
+          <template v-for="row in rows" :key="row.area">
+            <tr v-for="(cap, idx) in row.caps" :key="cap.label" class="cap-row">
+              <td v-if="idx === 0" :rowspan="row.caps.length" class="area-col area-cell">{{ row.area }}</td>
+              <td class="cap-col">{{ cap.label }}</td>
+              <td class="status-col">
+                <FAIcon v-if="cap.granted" :icon="faCheck" class="check" aria-label="Allowed" />
+                <FAIcon v-else :icon="faXmark" class="deny" aria-label="Not allowed" />
+              </td>
+            </tr>
+          </template>
+        </tbody>
+      </table>
     </div>
   </section>
 </template>
 
 <style scoped>
-.user-label {
-  color: #6c757d;
-  margin-bottom: 28px;
-}
-
-.instance {
-  margin-bottom: 32px;
-}
-.instance:last-child {
-  margin-bottom: 0;
-}
-
-.instance-title {
-  font-size: 16px;
-  font-weight: 600;
-  color: #2a2a2a;
-  margin: 0 0 8px;
-}
-
-.table-scroll {
-  overflow-x: auto;
-}
-
 .permissions-table {
   border-collapse: collapse;
   table-layout: fixed;
+  width: auto;
+}
+
+.area-col {
+  width: 260px;
 }
 
-.feature-col-width {
-  width: 220px;
+.cap-col {
+  width: 200px;
 }
 
-/* Fixed, compact action columns so the table shrinks to fit and stays left-aligned;
-   a view-only user sees just "Feature | View" together instead of a stretched column. */
-.action-col-width {
+.status-col {
   width: 90px;
+  text-align: center;
 }
 
 .permissions-table th,
 .permissions-table td {
   padding: 8px 12px;
-  text-align: center;
   font-size: 14px;
   border-bottom: 1px solid #f0f0f0;
 }
@@ -212,23 +164,25 @@ onMounted(() => {
   color: #6c757d;
   border-bottom: 2px solid #e9ecef;
   white-space: nowrap;
+  text-align: left;
 }
 
-/* More specific than the generic ".permissions-table td { text-align: center }" so the
-   feature names actually left-align. */
-.permissions-table th.feature-col,
-.permissions-table td.feature-col {
-  text-align: left;
+.permissions-table thead th.status-col {
+  text-align: center;
 }
 
-td.feature-col {
+.area-cell {
   font-weight: 600;
   color: #2a2a2a;
-  /* Hover shows the exact permission strings held for this feature. */
-  cursor: help;
+  vertical-align: top;
+  padding-top: 10px;
 }
 
 .check {
   color: #28a745;
 }
+
+.deny {
+  color: #dc3545;
+}
 </style>
diff --git a/src/Frontend/src/components/customchecks/CustomCheckView.vue b/src/Frontend/src/components/customchecks/CustomCheckView.vue
index 14a3ac0b8..038576823 100644
--- a/src/Frontend/src/components/customchecks/CustomCheckView.vue
+++ b/src/Frontend/src/components/customchecks/CustomCheckView.vue
@@ -8,15 +8,16 @@ import { faCheck, faList, faServer } from "@fortawesome/free-solid-svg-icons";
 import { faClock } from "@fortawesome/free-regular-svg-icons";
 import { hexToCSSFilter } from "hex-to-css-filter";
 import useCustomChecksStoreAutoRefresh from "@/composables/useCustomChecksStoreAutoRefresh";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
-defineProps<{ customCheck: CustomCheck }>();
+const props = defineProps<{ customCheck: CustomCheck }>();
 
 const { store } = useCustomChecksStoreAutoRefresh();
 const endpointColor = hexToCSSFilter("#929E9E").filter;
 
-const { can } = usePermissions();
-const canDismiss = computed(() => can("error:customchecks:delete"));
+const { canCall } = useAllowedRoutes();
+const canDismiss = computed(() => canCall(ApiRoutes.dismissCustomCheck, props.customCheck));
 const dismissDeniedTooltip = "You don't have permission to dismiss custom checks.";
 </script>
 
diff --git a/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue b/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue
index d78da3709..4d0a31355 100644
--- a/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue
+++ b/src/Frontend/src/components/failedmessages/DeletedMessageGroups.vue
@@ -12,7 +12,8 @@ import { TYPE } from "vue-toastification";
 import MetadataItem from "@/components/MetadataItem.vue";
 import ActionButton from "@/components/ActionButton.vue";
 import PermissionGate from "@/components/PermissionGate.vue";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 import { faArrowRotateRight, faEnvelope } from "@fortawesome/free-solid-svg-icons";
 import { faClock } from "@fortawesome/free-regular-svg-icons";
 import { useDeletedMessageGroupsStore, statusesForRestoreOperation, type ExtendedFailureGroupView, type Status } from "@/stores/DeletedMessageGroupsStore";
@@ -28,10 +29,10 @@ const { store } = autoRefresh();
 const { archiveGroups, classifiers, selectedClassifier } = storeToRefs(store);
 const router = useRouter();
 
-const { can } = usePermissions();
+const { canCall } = useAllowedRoutes();
 // Restoring a deleted group is an unarchive; keep the button visible but disabled with a
 // tooltip when the user lacks the permission, instead of silently failing server-side.
-const canRestoreGroups = computed(() => can("error:recoverabilitygroups:unarchive"));
+const canRestoreGroups = computed(() => canCall(ApiRoutes.restoreGroup));
 const restoreDeniedTooltip = "You don't have permission to restore message groups.";
 
 const showRestoreGroupModal = ref(false);
diff --git a/src/Frontend/src/components/failedmessages/DeletedMessages.vue b/src/Frontend/src/components/failedmessages/DeletedMessages.vue
index 59060ccdd..11bc5ae1b 100644
--- a/src/Frontend/src/components/failedmessages/DeletedMessages.vue
+++ b/src/Frontend/src/components/failedmessages/DeletedMessages.vue
@@ -11,7 +11,8 @@ import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { TYPE } from "vue-toastification";
 import FAIcon from "@/components/FAIcon.vue";
 import PermissionGate from "@/components/PermissionGate.vue";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 import { faArrowRotateRight } from "@fortawesome/free-solid-svg-icons";
 import { storeToRefs } from "pinia";
 import { useStoreAutoRefresh } from "@/composables/useAutoRefresh";
@@ -29,10 +30,10 @@ const { messages, groupId, groupName, totalCount, pageNumber, selectedPeriod } =
 const showConfirmRestore = ref(false);
 const messageList = ref<IMessageList | undefined>();
 
-const { can } = usePermissions();
+const { canCall } = useAllowedRoutes();
 // Restoring messages is an unarchive; keep the button visible but disabled with a tooltip
 // when the user lacks the permission, instead of silently failing server-side.
-const canRestoreMessages = computed(() => can("error:messages:unarchive"));
+const canRestoreMessages = computed(() => canCall(ApiRoutes.restoreMessage));
 const restoreDeniedTooltip = "You don't have permission to restore messages.";
 
 function numberSelected() {
diff --git a/src/Frontend/src/components/failedmessages/FailedMessages.vue b/src/Frontend/src/components/failedmessages/FailedMessages.vue
index 1a38bf666..1277f865b 100644
--- a/src/Frontend/src/components/failedmessages/FailedMessages.vue
+++ b/src/Frontend/src/components/failedmessages/FailedMessages.vue
@@ -17,7 +17,8 @@ import type GroupOperation from "@/resources/GroupOperation";
 import { faArrowDownAZ, faArrowDownZA, faArrowDownShortWide, faArrowDownWideShort, faArrowRotateRight, faTrash, faDownload } from "@fortawesome/free-solid-svg-icons";
 import ActionButton from "@/components/ActionButton.vue";
 import PermissionGate from "@/components/PermissionGate.vue";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 import { useMessageStore } from "@/stores/MessageStore";
 import { useRecoverabilityStore } from "@/stores/RecoverabilityStore";
 import { useStoreAutoRefresh } from "@/composables/useAutoRefresh";
@@ -34,13 +35,13 @@ const { autoRefresh, isRefreshing, updateInterval } = useStoreAutoRefresh("recov
 const { store } = autoRefresh();
 const { messages, groupId, groupName, totalCount, pageNumber } = storeToRefs(store);
 
-const { can } = usePermissions();
+const { canCall } = useAllowedRoutes();
 // Keep the toolbar actions visible but disabled (with a tooltip) when the user lacks the
 // permission, so the capability stays discoverable and clicks don't silently fail server-side.
-const canRetryMessages = computed(() => can("error:messages:retry"));
-const canDeleteMessages = computed(() => can("error:messages:archive"));
-const canRetryGroup = computed(() => can("error:recoverabilitygroups:retry"));
-const canDeleteGroup = computed(() => can("error:recoverabilitygroups:archive"));
+const canRetryMessages = computed(() => canCall(ApiRoutes.retryMessage));
+const canDeleteMessages = computed(() => canCall(ApiRoutes.deleteMessage));
+const canRetryGroup = computed(() => canCall(ApiRoutes.retryGroup));
+const canDeleteGroup = computed(() => canCall(ApiRoutes.deleteGroup));
 const retryDeniedTooltip = "You don't have permission to retry messages.";
 const deleteDeniedTooltip = "You don't have permission to delete messages.";
 const retryAllDeniedTooltip = "You don't have permission to retry message groups.";
diff --git a/src/Frontend/src/components/failedmessages/MessageGroupList.vue b/src/Frontend/src/components/failedmessages/MessageGroupList.vue
index fcbc60572..977bbaf75 100644
--- a/src/Frontend/src/components/failedmessages/MessageGroupList.vue
+++ b/src/Frontend/src/components/failedmessages/MessageGroupList.vue
@@ -16,13 +16,14 @@ import { faClock } from "@fortawesome/free-regular-svg-icons";
 import ProgressMessage from "./ProgressMessage.vue";
 import ActionButton from "@/components/ActionButton.vue";
 import PermissionGate from "@/components/PermissionGate.vue";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
-const { can } = usePermissions();
+const { canCall } = useAllowedRoutes();
 // Group-level actions are gated on the recoverabilitygroups permissions. When the user
 // lacks them the buttons stay visible but disabled, with a tooltip explaining why.
-const canRetryGroups = computed(() => can("error:recoverabilitygroups:retry"));
-const canDeleteGroups = computed(() => can("error:recoverabilitygroups:archive"));
+const canRetryGroups = computed(() => canCall(ApiRoutes.retryGroup));
+const canDeleteGroups = computed(() => canCall(ApiRoutes.deleteGroup));
 const retryDeniedTooltip = "You don't have permission to request a retry for message groups.";
 const deleteDeniedTooltip = "You don't have permission to delete message groups.";
 
diff --git a/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts b/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
index 3f2741f30..55f02bcfa 100644
--- a/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
+++ b/src/Frontend/src/components/failedmessages/messageGroupButtonPermissions.spec.ts
@@ -5,12 +5,15 @@ import { defineComponent, h, nextTick, ref } from "vue";
 import { createRouter, createMemoryHistory } from "vue-router";
 import type GroupOperation from "@/resources/GroupOperation";
 import MessageGroupList, { type IMessageGroupList } from "@/components/failedmessages/MessageGroupList.vue";
+import type { ManifestEntry } from "@/stores/AllowedRoutesStore";
+import { ApiRoutes } from "@/composables/apiRoutes";
+import { normalizeRouteKey } from "@/composables/routeMatching";
 
-// The group-level Retry/Delete actions are gated on the recoverabilitygroups permissions.
+// The group-level Retry/Delete actions are gated on the recoverabilitygroups allowed routes.
 // Unlike the per-message buttons (which hide), these stay VISIBLE but DISABLED when the
-// permission is missing, with a tooltip explaining why, so it's clear the action exists.
-const RETRY_PERMISSION = "error:recoverabilitygroups:retry";
-const DELETE_PERMISSION = "error:recoverabilitygroups:archive";
+// route is missing, with a tooltip explaining why, so it's clear the action exists.
+const RETRY_ROUTE_KEY = normalizeRouteKey(ApiRoutes.retryGroup.method, ApiRoutes.retryGroup.path);
+const DELETE_ROUTE_KEY = normalizeRouteKey(ApiRoutes.deleteGroup.method, ApiRoutes.deleteGroup.path);
 
 const group: GroupOperation = {
   id: "group-1",
@@ -30,7 +33,11 @@ vi.mock("@/components/failedmessages/messageGroupClient", () => ({
   }),
 }));
 
-async function renderGroupList(permissions: string[]) {
+function makeRoutes(keys: string[]): Map<string, ManifestEntry> {
+  return new Map(keys.map((k) => [k, { method: "", url_template: "" }]));
+}
+
+async function renderGroupList(allowedRouteKeys: string[]) {
   const listRef = ref<IMessageGroupList>();
 
   const Harness = defineComponent({
@@ -49,7 +56,7 @@ async function renderGroupList(permissions: string[]) {
           stubActions: true,
           initialState: {
             auth: { authEnabled: true, isAuthenticated: true },
-            PermissionsStore: { permissions: new Set(permissions), loaded: true, loadAttempted: true },
+            AllowedRoutesStore: { routes: makeRoutes(allowedRouteKeys), loaded: true, loadAttempted: true },
           },
         }),
       ],
@@ -72,25 +79,25 @@ describe("failed-message group action button permissions", () => {
     document.body.innerHTML = '<div id="modalDisplay"></div>';
   });
 
-  test("Request retry is enabled when its permission is granted", async () => {
-    await renderGroupList([RETRY_PERMISSION, DELETE_PERMISSION]);
+  test("Request retry is enabled when its route is allowed", async () => {
+    await renderGroupList([RETRY_ROUTE_KEY, DELETE_ROUTE_KEY]);
     expect(button(/Request retry/i)?.disabled).toBe(false);
   });
 
-  test("Request retry stays visible but disabled when its permission is denied", async () => {
-    await renderGroupList([DELETE_PERMISSION]);
+  test("Request retry stays visible but disabled when its route is not allowed", async () => {
+    await renderGroupList([DELETE_ROUTE_KEY]);
     const retry = button(/Request retry/i);
     expect(retry).not.toBeNull();
     expect(retry?.disabled).toBe(true);
   });
 
-  test("Delete group is enabled when its permission is granted", async () => {
-    await renderGroupList([RETRY_PERMISSION, DELETE_PERMISSION]);
+  test("Delete group is enabled when its route is allowed", async () => {
+    await renderGroupList([RETRY_ROUTE_KEY, DELETE_ROUTE_KEY]);
     expect(button(/Delete group/i)?.disabled).toBe(false);
   });
 
-  test("Delete group stays visible but disabled when its permission is denied", async () => {
-    await renderGroupList([RETRY_PERMISSION]);
+  test("Delete group stays visible but disabled when its route is not allowed", async () => {
+    await renderGroupList([RETRY_ROUTE_KEY]);
     const del = button(/Delete group/i);
     expect(del).not.toBeNull();
     expect(del?.disabled).toBe(true);
diff --git a/src/Frontend/src/components/heartbeats/EndpointInstances.vue b/src/Frontend/src/components/heartbeats/EndpointInstances.vue
index 727efb004..421b64af1 100644
--- a/src/Frontend/src/components/heartbeats/EndpointInstances.vue
+++ b/src/Frontend/src/components/heartbeats/EndpointInstances.vue
@@ -22,7 +22,6 @@ import FAIcon from "@/components/FAIcon.vue";
 import PermissionGate from "@/components/PermissionGate.vue";
 import useHeartbeatInstancesStoreAutoRefresh from "@/composables/useHeartbeatInstancesStoreAutoRefresh";
 import { useEndpointSettingsStore } from "@/stores/EndpointSettingsStore";
-import { usePermissions } from "@/composables/usePermissions";
 
 enum Operation {
   Mute = "mute",
@@ -32,12 +31,10 @@ enum Operation {
 const route = useRoute();
 const router = useRouter();
 
-const { can } = usePermissions();
-const canDeleteEndpoints = computed(() => can("error:endpoints:delete"));
 const deleteDeniedTooltip = "You don't have permission to delete endpoints.";
 const endpointName = route.params.endpointName.toString();
 const { store } = useHeartbeatInstancesStoreAutoRefresh();
-const { filteredInstances, sortedInstances, instanceFilterString, sortByInstances } = storeToRefs(store);
+const { filteredInstances, sortedInstances, instanceFilterString, sortByInstances, canDeleteEndpointInstance } = storeToRefs(store);
 const endpointSettingsStore = useEndpointSettingsStore();
 const endpointSettings = ref<EndpointSettings[]>([endpointSettingsStore.defaultEndpointSettingsValue]);
 
@@ -176,8 +173,8 @@ async function toggleAlerts(instance: EndpointsView) {
       <no-data v-if="filteredValidInstances.length === 0" message="No endpoint instances found. For untracked endpoints, disconnected instances are automatically pruned.">
         <div class="delete-all">
           <span>You may</span>
-          <PermissionGate :allowed="canDeleteEndpoints" :reason="deleteDeniedTooltip">
-            <button type="button" @click="deleteAllInstances()" class="btn btn-danger btn-sm" :disabled="!canDeleteEndpoints"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
+          <PermissionGate :allowed="canDeleteEndpointInstance" :reason="deleteDeniedTooltip">
+            <button type="button" @click="deleteAllInstances()" class="btn btn-danger btn-sm" :disabled="!canDeleteEndpointInstance"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
           </PermissionGate>
           <span>this endpoint</span>
         </div>
@@ -203,8 +200,8 @@ async function toggleAlerts(instance: EndpointsView) {
                 </div>
               </div>
               <div role="cell" aria-label="actions" class="col-1 actions">
-                <PermissionGate v-if="instance.heartbeat_information?.reported_status !== EndpointStatus.Alive" :allowed="canDeleteEndpoints" :reason="deleteDeniedTooltip">
-                  <button type="button" @click="deleteInstance(instance)" class="btn btn-danger btn-sm" :disabled="!canDeleteEndpoints"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
+                <PermissionGate v-if="instance.heartbeat_information?.reported_status !== EndpointStatus.Alive" :allowed="canDeleteEndpointInstance" :reason="deleteDeniedTooltip">
+                  <button type="button" @click="deleteInstance(instance)" class="btn btn-danger btn-sm" :disabled="!canDeleteEndpointInstance"><FAIcon :icon="faTrash" class="icon text-white" /> Delete</button>
                 </PermissionGate>
               </div>
             </div>
diff --git a/src/Frontend/src/components/messages/DeleteMessageButton.vue b/src/Frontend/src/components/messages/DeleteMessageButton.vue
index 287985b0a..1dc9830c1 100644
--- a/src/Frontend/src/components/messages/DeleteMessageButton.vue
+++ b/src/Frontend/src/components/messages/DeleteMessageButton.vue
@@ -9,16 +9,14 @@ import { MessageStatus } from "@/resources/Message";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faTrash } from "@fortawesome/free-solid-svg-icons";
-import { usePermissions } from "@/composables/usePermissions";
 
 const store = useMessageStore();
-const { state } = storeToRefs(store);
-const { can } = usePermissions();
+const { state, canDelete } = storeToRefs(store);
 const isConfirmDialogVisible = ref(false);
 
 const failureStatus = computed(() => state.value.data.failure_status);
 const isDisabled = computed(() => failureStatus.value.retried || failureStatus.value.resolved);
-const isVisible = computed(() => can("error:messages:archive") && !failureStatus.value.archived && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
+const isVisible = computed(() => canDelete.value && !failureStatus.value.archived && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
 
 const handleConfirm = async () => {
   isConfirmDialogVisible.value = false;
diff --git a/src/Frontend/src/components/messages/EditAndRetryButton.vue b/src/Frontend/src/components/messages/EditAndRetryButton.vue
index add6c8ddc..54ac1c653 100644
--- a/src/Frontend/src/components/messages/EditAndRetryButton.vue
+++ b/src/Frontend/src/components/messages/EditAndRetryButton.vue
@@ -10,19 +10,16 @@ import { MessageStatus } from "@/resources/Message";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faPencil } from "@fortawesome/free-solid-svg-icons";
-import { usePermissions } from "@/composables/usePermissions";
 import PermissionGate from "@/components/PermissionGate.vue";
 
 const store = useMessageStore();
-const { state, edit_and_retry_config, editRetryResponse } = storeToRefs(store);
-const { can } = usePermissions();
+const { state, edit_and_retry_config, editRetryResponse, canEdit } = storeToRefs(store);
 const isConfirmDialogVisible = ref(false);
 const isEditIgnoredDialogVisible = ref(false);
 
 // Edit & retry is enabled by a ServiceControl setting (edit_and_retry_config). When it is on,
 // the button is shown to everyone but disabled (with a tooltip) for users without the edit
 // permission, rather than hidden.
-const canEdit = computed(() => can("error:messages:edit"));
 const editDeniedTooltip = "You don't have permission to edit and retry messages.";
 
 const failureStatus = computed(() => state.value.data.failure_status);
diff --git a/src/Frontend/src/components/messages/RestoreMessageButton.vue b/src/Frontend/src/components/messages/RestoreMessageButton.vue
index 36969f724..407098b86 100644
--- a/src/Frontend/src/components/messages/RestoreMessageButton.vue
+++ b/src/Frontend/src/components/messages/RestoreMessageButton.vue
@@ -8,14 +8,12 @@ import { TYPE } from "vue-toastification";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faUndo } from "@fortawesome/free-solid-svg-icons";
-import { usePermissions } from "@/composables/usePermissions";
 
 const store = useMessageStore();
-const { state } = storeToRefs(store);
-const { can } = usePermissions();
+const { state, canRestore } = storeToRefs(store);
 const isConfirmDialogVisible = ref(false);
 
-const isVisible = computed(() => can("error:messages:unarchive") && state.value.data.failure_status.archived);
+const isVisible = computed(() => canRestore.value && state.value.data.failure_status.archived);
 
 const handleConfirm = async () => {
   isConfirmDialogVisible.value = false;
diff --git a/src/Frontend/src/components/messages/RetryMessageButton.vue b/src/Frontend/src/components/messages/RetryMessageButton.vue
index dee67f722..534bf4515 100644
--- a/src/Frontend/src/components/messages/RetryMessageButton.vue
+++ b/src/Frontend/src/components/messages/RetryMessageButton.vue
@@ -9,16 +9,14 @@ import { MessageStatus } from "@/resources/Message";
 import { storeToRefs } from "pinia";
 import { FailedMessageStatus } from "@/resources/FailedMessage";
 import { faRefresh } from "@fortawesome/free-solid-svg-icons";
-import { usePermissions } from "@/composables/usePermissions";
 
 const store = useMessageStore();
-const { state } = storeToRefs(store);
-const { can } = usePermissions();
+const { state, canRetry } = storeToRefs(store);
 const isConfirmDialogVisible = ref(false);
 
 const failureStatus = computed(() => state.value.data.failure_status);
 const isDisabled = computed(() => failureStatus.value.retried || failureStatus.value.archived || failureStatus.value.resolved);
-const isVisible = computed(() => can("error:messages:retry") && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
+const isVisible = computed(() => canRetry.value && state.value.data.status !== MessageStatus.Successful && state.value.data.status !== MessageStatus.ResolvedSuccessfully);
 
 const handleConfirm = async () => {
   isConfirmDialogVisible.value = false;
diff --git a/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts b/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
index 5ed2a2a7d..26c3fa017 100644
--- a/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
+++ b/src/Frontend/src/components/messages/messageButtonPermissions.spec.ts
@@ -7,28 +7,33 @@ import RetryMessageButton from "@/components/messages/RetryMessageButton.vue";
 import EditAndRetryButton from "@/components/messages/EditAndRetryButton.vue";
 import DeleteMessageButton from "@/components/messages/DeleteMessageButton.vue";
 import RestoreMessageButton from "@/components/messages/RestoreMessageButton.vue";
+import type { ManifestEntry } from "@/stores/AllowedRoutesStore";
 
-// Each failed-message action button is gated on its own ServiceControl permission. These
-// tests pin the per-action gating: with auth enabled + the descriptor loaded, the button
-// shows only when the matching permission is granted.
+// Each failed-message action button is gated on its own ServiceControl route. These
+// tests pin the per-action gating: with auth enabled + the manifest loaded, the button
+// shows only when the matching route is in the allowed set.
 interface ButtonCase {
   name: string;
   component: Component;
-  permission: string;
+  routeKey: string; // normalized route key in AllowedRoutesStore
   text: RegExp;
   archived: boolean; // Restore is only relevant on an archived message; the others on a live one
 }
 
-// Retry / Delete / Restore are hidden when the permission is denied. Edit & retry is handled
+// Retry / Delete / Restore are hidden when the route is not allowed. Edit & retry is handled
 // separately below: it is enabled by a setting and, when on, disabled (not hidden) without
 // the permission.
 const cases: ButtonCase[] = [
-  { name: "Retry", component: RetryMessageButton, permission: "error:messages:retry", text: /Retry message/i, archived: false },
-  { name: "Delete", component: DeleteMessageButton, permission: "error:messages:archive", text: /Delete message/i, archived: false },
-  { name: "Restore", component: RestoreMessageButton, permission: "error:messages:unarchive", text: /Restore/i, archived: true },
+  { name: "Retry", component: RetryMessageButton, routeKey: "POST /api/errors/retry", text: /Retry message/i, archived: false },
+  { name: "Delete", component: DeleteMessageButton, routeKey: "PATCH /api/errors/archive", text: /Delete message/i, archived: false },
+  { name: "Restore", component: RestoreMessageButton, routeKey: "PATCH /api/errors/unarchive", text: /Restore/i, archived: true },
 ];
 
-function renderButton(component: Component, permissions: string[], archived: boolean) {
+function makeRoutes(keys: string[]): Map<string, ManifestEntry> {
+  return new Map(keys.map((k) => [k, { method: "", url_template: "" }]));
+}
+
+function renderButton(component: Component, allowedRouteKeys: string[], archived: boolean) {
   render(component, {
     global: {
       plugins: [
@@ -36,7 +41,7 @@ function renderButton(component: Component, permissions: string[], archived: boo
           stubActions: true,
           initialState: {
             auth: { authEnabled: true, isAuthenticated: true },
-            PermissionsStore: { permissions: new Set(permissions), loaded: true, loadAttempted: true },
+            AllowedRoutesStore: { routes: makeRoutes(allowedRouteKeys), loaded: true, loadAttempted: true },
             MessageStore: {
               state: { data: { id: "msg-1", status: MessageStatus.Failed, failure_status: { archived } } },
               edit_and_retry_config: { enabled: true, locked_headers: [], sensitive_headers: [] },
@@ -55,23 +60,23 @@ describe("failed-message action button permissions", () => {
     document.body.innerHTML = '<div id="modalDisplay"></div>';
   });
 
-  test.each(cases)("$name is shown when its permission is granted", ({ component, permission, text, archived }) => {
-    renderButton(component, [permission], archived);
+  test.each(cases)("$name is shown when its route is allowed", ({ component, routeKey, text, archived }) => {
+    renderButton(component, [routeKey], archived);
     expect(screen.queryByText(text)).not.toBeNull();
   });
 
-  test.each(cases)("$name is hidden when its permission is denied", ({ component, text, archived }) => {
+  test.each(cases)("$name is hidden when its route is not allowed", ({ component, text, archived }) => {
     renderButton(component, [], archived);
     expect(screen.queryByText(text)).toBeNull();
   });
 
-  test("Edit & retry is shown and enabled when error:messages:edit is granted", () => {
-    renderButton(EditAndRetryButton, ["error:messages:edit"], false);
+  test("Edit & retry is shown and enabled when edit route is allowed", () => {
+    renderButton(EditAndRetryButton, ["POST /api/edit/{}"], false);
     const button = screen.getByRole("button", { name: /Edit & retry/i }) as HTMLButtonElement;
     expect(button.disabled).toBe(false);
   });
 
-  test("Edit & retry is shown but disabled when error:messages:edit is denied", () => {
+  test("Edit & retry is shown but disabled when edit route is not allowed", () => {
     renderButton(EditAndRetryButton, [], false);
     const button = screen.getByRole("button", { name: /Edit & retry/i }) as HTMLButtonElement;
     expect(button.disabled).toBe(true);
diff --git a/src/Frontend/src/components/monitoring/EndpointInstances.vue b/src/Frontend/src/components/monitoring/EndpointInstances.vue
index 8f662e80b..611750e55 100644
--- a/src/Frontend/src/components/monitoring/EndpointInstances.vue
+++ b/src/Frontend/src/components/monitoring/EndpointInstances.vue
@@ -1,5 +1,5 @@
 <script setup lang="ts">
-import { computed, ref, onMounted } from "vue";
+import { ref, onMounted } from "vue";
 import { useRouter, RouterLink } from "vue-router";
 import { formatGraphDecimal, formatGraphDuration, smallGraphsMinimumYAxis } from "./formatGraph";
 import { storeToRefs } from "pinia";
@@ -14,17 +14,11 @@ import FAIcon from "@/components/FAIcon.vue";
 import { faEnvelope, faTrash } from "@fortawesome/free-solid-svg-icons";
 import monitoringClient from "./monitoringClient";
 import logger from "@/logger";
-import { usePermissions } from "@/composables/usePermissions";
-
-const { can } = usePermissions();
-// The remove control is a hover-revealed link (not a button), so gate its visibility
-// rather than disabling it.
-const canDeleteMonitoredEndpoints = computed(() => can("monitoring:endpoint:delete"));
 
 const isRemovingEndpointEnabled = ref<boolean>(false);
 const router = useRouter();
 const monitoringEndpointDetailsStore = useMonitoringEndpointDetailsStore();
-const { endpointDetails: endpoint, endpointName } = storeToRefs(monitoringEndpointDetailsStore);
+const { endpointDetails: endpoint, endpointName, canDeleteMonitoredEndpoint } = storeToRefs(monitoringEndpointDetailsStore);
 
 async function removeEndpoint(endpointName: string, instance: ExtendedEndpointInstance) {
   try {
@@ -153,7 +147,7 @@ onMounted(async () => {
 
                 <!--remove endpoint-->
                 <div class="col-xs-2 col-xl-1 no-side-padding">
-                  <a v-if="isRemovingEndpointEnabled && instance.isStale && canDeleteMonitoredEndpoints" class="remove-endpoint" @click="removeEndpoint(endpointName, instance)">
+                  <a v-if="isRemovingEndpointEnabled && instance.isStale && canDeleteMonitoredEndpoint" class="remove-endpoint" @click="removeEndpoint(endpointName, instance)">
                     <FAIcon :icon="faTrash" v-tippy="`Remove endpoint`" />
                   </a>
                 </div>
diff --git a/src/Frontend/src/components/monitoring/monitoringClient.ts b/src/Frontend/src/components/monitoring/monitoringClient.ts
index 5793d5f09..0c6b20785 100644
--- a/src/Frontend/src/components/monitoring/monitoringClient.ts
+++ b/src/Frontend/src/components/monitoring/monitoringClient.ts
@@ -91,6 +91,15 @@ class MonitoringClient {
     return false;
   }
 
+  public async fetchAllowedRoutes() {
+    if (this.isMonitoringDisabled) {
+      return undefined;
+    }
+    // Unlike the other Monitoring endpoints (served at root), MyRoutesController has a class-level
+    // "api" route prefix (it is the shared controller used by both Primary and Monitoring instances).
+    return await authFetch(`${this.url}api/my/routes`);
+  }
+
   public get isMonitoringEnabled() {
     return this.url && this.url !== "!" ? true : false;
   }
diff --git a/src/Frontend/src/composables/apiRoutes.ts b/src/Frontend/src/composables/apiRoutes.ts
new file mode 100644
index 000000000..3ac666ace
--- /dev/null
+++ b/src/Frontend/src/composables/apiRoutes.ts
@@ -0,0 +1,37 @@
+// Maps each gated UI capability to the ServiceControl HTTP route it represents.
+// This is the ONLY place coupling ServicePulse to ServiceControl's route surface:
+// the UI gates on routes it already calls, never on the internal permission grammar.
+// Paths use {} for each route parameter; matching is param-name-insensitive (see routeMatching.ts).
+// Each entry tracks a route in ServiceControl's APIApprovals.HttpApiRoutes (Primary or Monitoring instance).
+export type RouteRef = { method: string; path: string };
+
+export const ApiRoutes = {
+  // ---- nav / verb-level (GET routes gated by the matching :view permission) ----
+  viewHeartbeats: { method: "GET", path: "/api/heartbeats/stats" }, // error:heartbeats:view (EndpointsMonitoringController)
+  viewMonitoredEndpoints: { method: "GET", path: "/monitored-endpoints" }, // Monitoring instance serves at root (no /api prefix) — monitoring:endpoint:view (DiagramApiController)
+  viewAuditMessages: { method: "GET", path: "/api/messages2" }, // error:messages:view (GetMessages2Controller)
+  viewFailedMessages: { method: "GET", path: "/api/errors" }, // error:messages:view (GetAllErrorsController)
+  viewCustomChecks: { method: "GET", path: "/api/customchecks" }, // error:customchecks:view (CustomCheckController)
+  viewEventLog: { method: "GET", path: "/api/eventlogitems" }, // error:eventlog:view (EventLogApiController)
+  viewThroughput: { method: "GET", path: "/api/licensing/report/available" }, // error:throughput:view (LicensingController)
+  viewLicense: { method: "GET", path: "/api/license" }, // error:licensing:view (LicenseController)
+  viewConnections: { method: "GET", path: "/api/connection" }, // error:connections:view (ConnectionController)
+  viewNotifications: { method: "GET", path: "/api/notifications/email" }, // error:notifications:view (NotificationsController)
+  viewRedirects: { method: "GET", path: "/api/redirects" }, // error:redirects:view (MessageRedirectsController)
+  viewEndpoints: { method: "GET", path: "/api/endpoints" }, // error:endpoints:view (EndpointsMonitoringController)
+  manageThroughput: { method: "POST", path: "/api/licensing/settings/masks/update" }, // error:throughput:manage (LicensingController)
+  // ---- actions ----
+  manageNotifications: { method: "POST", path: "/api/notifications/email" },
+  testNotifications: { method: "POST", path: "/api/notifications/email/test" },
+  manageRedirects: { method: "POST", path: "/api/redirects" },
+  dismissCustomCheck: { method: "DELETE", path: "/api/customchecks/{}" },
+  retryMessage: { method: "POST", path: "/api/errors/retry" },
+  editMessage: { method: "POST", path: "/api/edit/{}" },
+  deleteMessage: { method: "PATCH", path: "/api/errors/archive" },
+  restoreMessage: { method: "PATCH", path: "/api/errors/unarchive" },
+  retryGroup: { method: "POST", path: "/api/recoverability/groups/{}/errors/retry" },
+  deleteGroup: { method: "POST", path: "/api/recoverability/groups/{}/errors/archive" },
+  restoreGroup: { method: "POST", path: "/api/recoverability/groups/{}/errors/unarchive" },
+  deleteEndpointInstance: { method: "DELETE", path: "/api/endpoints/{}" },
+  deleteMonitoredEndpoint: { method: "DELETE", path: "/monitored-instance/{}/{}" }, // Monitoring instance serves at root (no /api prefix)
+} as const satisfies Record<string, RouteRef>;
diff --git a/src/Frontend/src/composables/permissionMatching.spec.ts b/src/Frontend/src/composables/permissionMatching.spec.ts
deleted file mode 100644
index 7b175aafe..000000000
--- a/src/Frontend/src/composables/permissionMatching.spec.ts
+++ /dev/null
@@ -1,55 +0,0 @@
-import { describe, test, expect } from "vitest";
-import { matchesPattern, entryPermits, type PermissionEntry } from "@/composables/permissionMatching";
-import scopeVectors from "@/composables/scope-vectors.json";
-
-describe("permissionMatching", () => {
-  // Shared vectors: these MUST produce the same result in the ServiceControl
-  // ResourceScope/FilterByQueueScope tests. entryPermits with a resource is the
-  // frontend equivalent of the server's ResourceScope.Permits.
-  describe("scope-vectors.json (shared with ServiceControl)", () => {
-    test.each(scopeVectors.vectors)("$name", ({ allow, deny, resource, permits }) => {
-      const entry: PermissionEntry = { permission: "messages:view", scope: { allow, deny } };
-      expect(entryPermits(entry, resource)).toBe(permits);
-    });
-  });
-
-  describe("matchesPattern", () => {
-    test("universal wildcard matches everything", () => {
-      expect(matchesPattern("*", "anything")).toBe(true);
-    });
-
-    test("prefix crosses dots but excludes the bare prefix", () => {
-      expect(matchesPattern("sales.*", "sales.orders.eu")).toBe(true);
-      expect(matchesPattern("sales.*", "sales")).toBe(false);
-    });
-
-    test("is case-insensitive on both sides", () => {
-      expect(matchesPattern("Sales.Orders", "sales.orders")).toBe(true);
-      expect(matchesPattern("SALES.*", "sales.orders")).toBe(true);
-    });
-  });
-
-  describe("entryPermits scope semantics", () => {
-    test("null scope is unrestricted for any resource", () => {
-      const entry: PermissionEntry = { permission: "messages:retry", scope: null };
-      expect(entryPermits(entry, "anything")).toBe(true);
-    });
-
-    test("null scope passes the verb-level check", () => {
-      const entry: PermissionEntry = { permission: "messages:retry", scope: null };
-      expect(entryPermits(entry)).toBe(true);
-    });
-
-    test("verb-level check (no resource) passes for a scoped entry", () => {
-      // Holding the permission for *some* scope counts at the verb level.
-      const entry: PermissionEntry = { permission: "messages:retry", scope: { allow: ["sales.*"], deny: [] } };
-      expect(entryPermits(entry)).toBe(true);
-    });
-
-    test("resource-level check enforces the scope", () => {
-      const entry: PermissionEntry = { permission: "messages:retry", scope: { allow: ["sales.*"], deny: [] } };
-      expect(entryPermits(entry, "sales.orders")).toBe(true);
-      expect(entryPermits(entry, "finance.invoicing")).toBe(false);
-    });
-  });
-});
diff --git a/src/Frontend/src/composables/permissionMatching.ts b/src/Frontend/src/composables/permissionMatching.ts
deleted file mode 100644
index 4a5918c65..000000000
--- a/src/Frontend/src/composables/permissionMatching.ts
+++ /dev/null
@@ -1,52 +0,0 @@
-// DORMANT — not currently wired into the UI. ServiceControl does not yet expose
-// per-resource (per-queue) scopes; today's my/permissions/all returns a flat list of
-// permission strings (see usePermissions/PermissionsStore). This module is kept ready
-// for when the backend gains allow/deny scopes, at which point a PermissionEntry will
-// carry a ScopeDescriptor and can(permission, resource) can enforce it.
-
-// A scope's allow/deny resource patterns. null (on an entry) means unrestricted.
-export interface ScopeDescriptor {
-  allow: string[];
-  deny: string[];
-}
-
-// A single scoped permission grant (the future descriptor entry shape).
-export interface PermissionEntry {
-  permission: string;
-  scope: ScopeDescriptor | null;
-}
-
-// Resource-scope pattern matching. This MUST stay in lockstep with the
-// ServiceControl server-side rules: `ResourceScope.Matches` (C#) and
-// `FilterByQueueScope` (RavenDB query translation). The shared behaviour is
-// pinned by scope-vectors.json, which both this suite and the ServiceControl
-// test suite consume.
-//
-// Patterns:
-//   "*"        matches everything
-//   "prefix.*" prefix match crossing dots: "sales.*" matches "sales.orders"
-//              and "sales.secret.payroll", but NOT bare "sales"
-//   exact      case-insensitive equality
-//
-// Matching is case-insensitive: the server lowercases both sides (queue
-// addresses are stored lowercased in the index), so we do the same here.
-export function matchesPattern(pattern: string, resource: string): boolean {
-  const p = pattern.toLowerCase();
-  const r = resource.toLowerCase();
-  if (p === "*") return true;
-  if (p === r) return true;
-  if (p.endsWith(".*")) return r.startsWith(p.slice(0, -1)); // "sales.*" -> "sales."
-  return false;
-}
-
-// Whether a single permission entry permits access.
-//   scope null          -> unrestricted (any resource; verb-level true)
-//   resource undefined  -> verb-level check: holding the permission counts
-//   resource provided   -> allow AND NOT deny, deny wins
-export function entryPermits(entry: PermissionEntry, resource?: string): boolean {
-  if (entry.scope === null) return true;
-  if (resource === undefined) return true;
-  const allowed = entry.scope.allow.some((pattern) => matchesPattern(pattern, resource));
-  const denied = entry.scope.deny.some((pattern) => matchesPattern(pattern, resource));
-  return allowed && !denied;
-}
diff --git a/src/Frontend/src/composables/routeMatching.spec.ts b/src/Frontend/src/composables/routeMatching.spec.ts
new file mode 100644
index 000000000..6ebbfd012
--- /dev/null
+++ b/src/Frontend/src/composables/routeMatching.spec.ts
@@ -0,0 +1,14 @@
+import { describe, it, expect } from "vitest";
+import { normalizeRouteKey } from "@/composables/routeMatching";
+
+describe("normalizeRouteKey", () => {
+  it.each([
+    ["POST", "/api/errors/{id}/retry", "POST /api/errors/{}/retry"],
+    ["post", "/api/errors/{failedMessageId}/retry", "POST /api/errors/{}/retry"], // param-name-insensitive + verb case
+    ["GET", "/api/errors", "GET /api/errors"],
+    ["DELETE", "/api/monitored-instance/{name}/{instanceId}", "DELETE /api/monitored-instance/{}/{}"],
+    ["GET", "api/messages2", "GET /api/messages2"], // adds leading slash
+  ])("normalizes %s %s", (method, path, expected) => {
+    expect(normalizeRouteKey(method, path)).toBe(expected);
+  });
+});
diff --git a/src/Frontend/src/composables/routeMatching.ts b/src/Frontend/src/composables/routeMatching.ts
new file mode 100644
index 000000000..64e75ba5f
--- /dev/null
+++ b/src/Frontend/src/composables/routeMatching.ts
@@ -0,0 +1,7 @@
+// Normalizes a (method, path) into a comparison key for allowed-route matching.
+// Param names are collapsed to {} so matching couples only to method + path STRUCTURE
+// (the stable public contract), surviving server route-parameter renames.
+export function normalizeRouteKey(method: string, path: string): string {
+  const normalizedPath = path.replace(/\{[^}]*\}/g, "{}").replace(/^\/?/, "/");
+  return `${method.toUpperCase()} ${normalizedPath}`;
+}
diff --git a/src/Frontend/src/composables/scope-vectors.json b/src/Frontend/src/composables/scope-vectors.json
deleted file mode 100644
index 29e0788b2..000000000
--- a/src/Frontend/src/composables/scope-vectors.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-  "description": "Shared resource-scope test vectors. Consumed by ServicePulse (permissionMatching.spec.ts) and, later, by ServiceControl (ResourceScope/FilterByQueueScope tests) so all implementations of the matcher agree. permits = does scope {allow,deny} permit `resource`.",
-  "vectors": [
-    { "name": "exact allow matches", "allow": ["sales.orders"], "deny": [], "resource": "sales.orders", "permits": true },
-    { "name": "exact allow does not match other", "allow": ["sales.orders"], "deny": [], "resource": "finance.invoicing", "permits": false },
-    { "name": "prefix matches child", "allow": ["sales.*"], "deny": [], "resource": "sales.orders", "permits": true },
-    { "name": "prefix matches deeper child", "allow": ["sales.*"], "deny": [], "resource": "sales.secret.payroll", "permits": true },
-    { "name": "prefix does not match bare prefix", "allow": ["sales.*"], "deny": [], "resource": "sales", "permits": false },
-    { "name": "universal wildcard matches anything", "allow": ["*"], "deny": [], "resource": "anything.at.all", "permits": true },
-    { "name": "empty allow denies everything", "allow": [], "deny": [], "resource": "sales.orders", "permits": false },
-    { "name": "deny prefix wins over allow wildcard", "allow": ["*"], "deny": ["finance.*"], "resource": "finance.accounts", "permits": false },
-    { "name": "deny exact denies only exact", "allow": ["*"], "deny": ["finance"], "resource": "finance.payroll", "permits": true },
-    { "name": "deny exact matches exact", "allow": ["*"], "deny": ["finance"], "resource": "finance", "permits": false },
-    { "name": "carve-out: allow prefix, deny sub-prefix (public allowed)", "allow": ["sales.*"], "deny": ["sales.secret.*"], "resource": "sales.public.orders", "permits": true },
-    { "name": "carve-out: allow prefix, deny sub-prefix (secret denied)", "allow": ["sales.*"], "deny": ["sales.secret.*"], "resource": "sales.secret.data", "permits": false },
-    { "name": "case-insensitive prefix pattern", "allow": ["Sales.*"], "deny": [], "resource": "sales.orders", "permits": true },
-    { "name": "case-insensitive exact pattern", "allow": ["Finance.Payroll"], "deny": [], "resource": "finance.payroll", "permits": true },
-    { "name": "case-insensitive deny pattern", "allow": ["*"], "deny": ["Finance.*"], "resource": "finance.accounts", "permits": false }
-  ]
-}
diff --git a/src/Frontend/src/composables/useAllowedRoutes.spec.ts b/src/Frontend/src/composables/useAllowedRoutes.spec.ts
new file mode 100644
index 000000000..8843a47c4
--- /dev/null
+++ b/src/Frontend/src/composables/useAllowedRoutes.spec.ts
@@ -0,0 +1,61 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { setActivePinia, createPinia } from "pinia";
+import { useAllowedRoutesStore } from "@/stores/AllowedRoutesStore";
+import { useAuthStore } from "@/stores/AuthStore";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
+
+vi.mock("@/components/serviceControlClient", () => ({
+  default: { fetchFromServiceControl: vi.fn(), fetchTypedFromServiceControl: vi.fn() },
+}));
+vi.mock("@/components/monitoring/monitoringClient", () => ({
+  default: { isMonitoringEnabled: false, fetchAllowedRoutes: vi.fn() },
+}));
+
+describe("useAllowedRoutes", () => {
+  beforeEach(() => setActivePinia(createPinia()));
+
+  function arrange(enabled: boolean, authed: boolean, keys: string[]) {
+    const auth = useAuthStore();
+    auth.authEnabled = enabled;
+    auth.isAuthenticated = authed;
+    const store = useAllowedRoutesStore();
+    store.routes = new Map(keys.map((k) => [k, { method: "", url_template: "" }]));
+    store.loaded = keys.length > 0;
+    store.loadAttempted = true;
+  }
+
+  it("allows a granted route", () => {
+    arrange(true, true, ["POST /api/errors/retry"]);
+    expect(useAllowedRoutes().canCall(ApiRoutes.retryMessage)).toBe(true);
+  });
+  it("denies an ungranted route when gating", () => {
+    arrange(true, true, ["GET /api/errors"]);
+    expect(useAllowedRoutes().canCall(ApiRoutes.retryMessage)).toBe(false);
+  });
+  it("fails open when auth disabled", () => {
+    arrange(false, false, []);
+    expect(useAllowedRoutes().canCall(ApiRoutes.retryMessage)).toBe(true);
+  });
+  it("canCall accepts and ignores a resource argument", () => {
+    arrange(true, true, ["POST /api/errors/retry"]);
+    expect(useAllowedRoutes().canCall(ApiRoutes.retryMessage, { queue: "billing" })).toBe(true);
+  });
+  it("canAnyCall is true if any entry is granted", () => {
+    arrange(true, true, ["GET /api/errors"]);
+    expect(useAllowedRoutes().canAnyCall([ApiRoutes.retryMessage, ApiRoutes.viewFailedMessages])).toBe(true);
+  });
+
+  it("ready is false when auth on + authenticated but loadAttempted is false, then true after loadAttempted", () => {
+    const auth = useAuthStore();
+    auth.authEnabled = true;
+    auth.isAuthenticated = true;
+    const store = useAllowedRoutesStore();
+    store.routes = new Map();
+    store.loaded = false;
+    store.loadAttempted = false;
+    expect(useAllowedRoutes().ready.value).toBe(false);
+    store.loadAttempted = true;
+    expect(useAllowedRoutes().ready.value).toBe(true);
+  });
+});
diff --git a/src/Frontend/src/composables/useAllowedRoutes.ts b/src/Frontend/src/composables/useAllowedRoutes.ts
new file mode 100644
index 000000000..1473963c2
--- /dev/null
+++ b/src/Frontend/src/composables/useAllowedRoutes.ts
@@ -0,0 +1,33 @@
+import { computed } from "vue";
+import { storeToRefs } from "pinia";
+import { useAllowedRoutesStore } from "@/stores/AllowedRoutesStore";
+import { useAuthStore } from "@/stores/AuthStore";
+import { normalizeRouteKey } from "@/composables/routeMatching";
+import type { RouteRef } from "@/composables/apiRoutes";
+
+// Route-aware gating composable (the primitive). The resource-owning view-model calls canCall and
+// exposes the result; templates bind. Gating is fail-open: only applies once authorization is enabled,
+// the user is authenticated and the manifest has loaded — otherwise everything is shown.
+export function useAllowedRoutes() {
+  const store = useAllowedRoutesStore();
+  const { authEnabled, isAuthenticated } = storeToRefs(useAuthStore());
+
+  const shouldGate = computed(() => authEnabled.value && isAuthenticated.value && store.loaded);
+  const ready = computed(() => !(authEnabled.value && isAuthenticated.value) || store.loadAttempted);
+
+  function fetchManifest(): Promise<void> {
+    return store.refresh();
+  }
+
+  // resource: reserved for future resource-level scope (ignored today). See design Future-proofing.
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  function canCall(entry: RouteRef, _resource?: object): boolean {
+    return !shouldGate.value || store.routes.has(normalizeRouteKey(entry.method, entry.path));
+  }
+
+  function canAnyCall(entries: RouteRef[]): boolean {
+    return entries.some((e) => canCall(e));
+  }
+
+  return { fetchManifest, canCall, canAnyCall, shouldGate, ready };
+}
diff --git a/src/Frontend/src/composables/useAuthenticatedFetch.ts b/src/Frontend/src/composables/useAuthenticatedFetch.ts
index 2fa2d0cfa..220ea4482 100644
--- a/src/Frontend/src/composables/useAuthenticatedFetch.ts
+++ b/src/Frontend/src/composables/useAuthenticatedFetch.ts
@@ -1,4 +1,6 @@
 import { useAuthStore } from "@/stores/AuthStore";
+import { useShowToast } from "@/composables/toast";
+import { TYPE } from "vue-toastification";
 
 const UNAUTHENTICATED_ENDPOINTS = ["/api/authentication/configuration"];
 
@@ -6,11 +8,24 @@ function isUnauthenticatedEndpoint(url: string): boolean {
   return UNAUTHENTICATED_ENDPOINTS.some((endpoint) => url.includes(endpoint));
 }
 
+async function handle403Toast(response: Response): Promise<void> {
+  let message = "You do not have permission to perform this action.";
+  try {
+    const body = await response.clone().json();
+    if (body?.message) message = body.message;
+  } catch {
+    // keep default message
+  }
+  useShowToast(TYPE.ERROR, "Forbidden", message);
+}
+
 /**
  * Authenticated fetch wrapper that automatically includes JWT token
  * in the Authorization header when authentication is enabled.
+ * When a 403 response is received the denial reason from ServiceControl's
+ * structured body ({ error, message }) is surfaced as an error toast.
  */
-export function authFetch(input: RequestInfo, init?: RequestInit): Promise<Response> {
+export async function authFetch(input: RequestInfo, init?: RequestInit): Promise<Response> {
   const authStore = useAuthStore();
   const url = typeof input === "string" ? input : input.url;
 
@@ -34,5 +49,11 @@ export function authFetch(input: RequestInfo, init?: RequestInit): Promise<Respo
   const headers = new Headers(init?.headers);
   headers.set("Authorization", `Bearer ${token}`);
 
-  return fetch(input, { ...init, headers });
+  const response = await fetch(input, { ...init, headers });
+
+  if (response.status === 403) {
+    await handle403Toast(response);
+  }
+
+  return response;
 }
diff --git a/src/Frontend/src/composables/usePermissions.spec.ts b/src/Frontend/src/composables/usePermissions.spec.ts
deleted file mode 100644
index 35e6bf73f..000000000
--- a/src/Frontend/src/composables/usePermissions.spec.ts
+++ /dev/null
@@ -1,163 +0,0 @@
-import { describe, test, expect, beforeEach, vi } from "vitest";
-import { createTestingPinia } from "@pinia/testing";
-import { setActivePinia } from "pinia";
-
-vi.mock("@/components/serviceControlClient", () => ({
-  default: { fetchFromServiceControl: vi.fn() },
-}));
-
-import serviceControlClient from "@/components/serviceControlClient";
-import logger from "@/logger";
-import { usePermissions } from "@/composables/usePermissions";
-import { usePermissionsStore } from "@/stores/PermissionsStore";
-import { useAuthStore } from "@/stores/AuthStore";
-
-const fetchFromServiceControl = vi.mocked(serviceControlClient.fetchFromServiceControl);
-
-// Minimal Response-like stub for the bits the composable reads.
-function response(status: number, body?: unknown): Response {
-  return {
-    ok: status >= 200 && status < 300,
-    status,
-    statusText: `status ${status}`,
-    json: () => Promise.resolve(body),
-  } as Response;
-}
-
-function withState(opts: { authEnabled: boolean; isAuthenticated: boolean; permissions: string[] | null }) {
-  const auth = useAuthStore();
-  auth.authEnabled = opts.authEnabled;
-  auth.isAuthenticated = opts.isAuthenticated;
-  if (opts.permissions !== null) {
-    usePermissionsStore().setDescriptor({ user: "alice", permissions: opts.permissions });
-  }
-  return usePermissions();
-}
-
-describe("usePermissions", () => {
-  beforeEach(() => {
-    setActivePinia(createTestingPinia({ stubActions: false }));
-    fetchFromServiceControl.mockReset();
-  });
-
-  describe("can / canAny (fail-open gating)", () => {
-    test("fails open when authorization is disabled", () => {
-      const { can, shouldGate } = withState({ authEnabled: false, isAuthenticated: true, permissions: [] });
-      expect(shouldGate.value).toBe(false);
-      expect(can("error:messages:retry")).toBe(true);
-    });
-
-    test("fails open when the user is not authenticated", () => {
-      const { can } = withState({ authEnabled: true, isAuthenticated: false, permissions: [] });
-      expect(can("error:messages:retry")).toBe(true);
-    });
-
-    test("fails open until the descriptor has loaded", () => {
-      const { can } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      expect(can("error:messages:retry")).toBe(true);
-    });
-
-    test("gates per permission once enabled, authenticated and loaded", () => {
-      const { can, shouldGate } = withState({ authEnabled: true, isAuthenticated: true, permissions: ["error:messages:view"] });
-      expect(shouldGate.value).toBe(true);
-      expect(can("error:messages:view")).toBe(true);
-      expect(can("error:messages:retry")).toBe(false);
-    });
-
-    test("canAny is true when any permission is held", () => {
-      const { canAny } = withState({ authEnabled: true, isAuthenticated: true, permissions: ["error:redirects:view"] });
-      expect(canAny(["error:licensing:view", "error:redirects:view"])).toBe(true);
-      expect(canAny(["error:licensing:view", "error:notifications:view"])).toBe(false);
-    });
-  });
-
-  describe("ready (gate-on-ready)", () => {
-    test("ready immediately when authorization is disabled (nothing to gate)", () => {
-      const { ready } = withState({ authEnabled: false, isAuthenticated: true, permissions: null });
-      expect(ready.value).toBe(true);
-    });
-
-    test("not ready while authenticated and the fetch has not settled", () => {
-      const { ready } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      expect(ready.value).toBe(false);
-    });
-
-    test("ready after a successful fetch settles", async () => {
-      const { ready, fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      fetchFromServiceControl.mockResolvedValue(response(200, { user: "alice", permissions: [] }));
-
-      await fetchDescriptor();
-
-      expect(ready.value).toBe(true);
-    });
-
-    test("ready after a failed fetch settles, and can() then fails open", async () => {
-      vi.spyOn(logger, "warn").mockImplementation(() => {});
-      const { ready, can, fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      fetchFromServiceControl.mockResolvedValue(response(500));
-
-      await fetchDescriptor();
-
-      expect(ready.value).toBe(true);
-      expect(can("error:messages:view")).toBe(true); // fail-open: loaded never became true
-    });
-  });
-
-  describe("fetchDescriptor", () => {
-    test("200 fetches my/permissions/all and populates the store", async () => {
-      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      fetchFromServiceControl.mockResolvedValue(response(200, { user: "alice", permissions: ["error:messages:view"] }));
-
-      await fetchDescriptor();
-
-      expect(fetchFromServiceControl).toHaveBeenCalledWith("my/permissions/all");
-      const store = usePermissionsStore();
-      expect(store.loaded).toBe(true);
-      expect(store.permissions.has("error:messages:view")).toBe(true);
-    });
-
-    test("a non-OK response leaves the store intact and warns", async () => {
-      const warn = vi.spyOn(logger, "warn").mockImplementation(() => {});
-      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: ["error:messages:view"] });
-      fetchFromServiceControl.mockResolvedValue(response(401));
-
-      await fetchDescriptor();
-
-      expect(usePermissionsStore().permissions.has("error:messages:view")).toBe(true); // unchanged
-      expect(warn).toHaveBeenCalled();
-      warn.mockRestore();
-    });
-
-    test("a thrown request is logged and leaves the store intact", async () => {
-      const error = vi.spyOn(logger, "error").mockImplementation(() => {});
-      const failure = new Error("boom");
-      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      fetchFromServiceControl.mockRejectedValue(failure);
-
-      await fetchDescriptor();
-
-      expect(usePermissionsStore().loaded).toBe(false);
-      expect(error).toHaveBeenCalledWith("Error fetching permissions", failure);
-      error.mockRestore();
-    });
-
-    test("concurrent calls share a single in-flight request", async () => {
-      let resolveFetch: (value: Response) => void = () => {};
-      const pending = new Promise<Response>((resolve) => (resolveFetch = resolve));
-      fetchFromServiceControl.mockReturnValue(pending);
-
-      const { fetchDescriptor } = withState({ authEnabled: true, isAuthenticated: true, permissions: null });
-      const first = fetchDescriptor();
-      const second = fetchDescriptor();
-
-      expect(fetchFromServiceControl).toHaveBeenCalledTimes(1);
-
-      resolveFetch(response(200, { user: "alice", permissions: [] }));
-      await Promise.all([first, second]);
-
-      // Slot released after settling, so a later call fetches again.
-      await fetchDescriptor();
-      expect(fetchFromServiceControl).toHaveBeenCalledTimes(2);
-    });
-  });
-});
diff --git a/src/Frontend/src/composables/usePermissions.ts b/src/Frontend/src/composables/usePermissions.ts
deleted file mode 100644
index f3de7f88d..000000000
--- a/src/Frontend/src/composables/usePermissions.ts
+++ /dev/null
@@ -1,42 +0,0 @@
-import { computed } from "vue";
-import { storeToRefs } from "pinia";
-import { usePermissionsStore } from "@/stores/PermissionsStore";
-import { useAuthStore } from "@/stores/AuthStore";
-
-// Permission-aware composable. Consumers (button v-ifs, nav filters) are UX-only: they
-// hide what the user cannot do. ServiceControl remains the real authority; the descriptor
-// the store holds is a cache of the effective permission set the server would enforce.
-//
-// Gating is fail-open: it only kicks in once authorization is enabled, the user is
-// authenticated and the descriptor has loaded. Otherwise everything is shown, so the UI
-// is unchanged for auth-disabled and older-ServiceControl deployments.
-export function usePermissions() {
-  const store = usePermissionsStore();
-  const { authEnabled, isAuthenticated } = storeToRefs(useAuthStore());
-
-  const shouldGate = computed(() => authEnabled.value && isAuthenticated.value && store.loaded);
-
-  // Whether gating decisions can be made: true when there is nothing to gate (auth off or
-  // user not authenticated) or once a fetch has settled. Consumers use this to hold UI until
-  // permissions are known (gate-on-ready), so items don't appear and then disappear.
-  const ready = computed(() => !(authEnabled.value && isAuthenticated.value) || store.loadAttempted);
-
-  // Fetch (or join an in-flight fetch of) the current user's permissions.
-  function fetchDescriptor(): Promise<void> {
-    return store.refresh();
-  }
-
-  // Whether the current user holds `permission` (e.g. "error:messages:retry").
-  // Fail-open until gating applies.
-  function can(permission: string): boolean {
-    return !shouldGate.value || store.permissions.has(permission);
-  }
-
-  // Whether the user holds ANY of the given permissions. Handy for showing a parent nav
-  // item when the user can reach at least one child.
-  function canAny(permissions: string[]): boolean {
-    return permissions.some((permission) => can(permission));
-  }
-
-  return { fetchDescriptor, can, canAny, shouldGate, ready };
-}
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.spec.ts b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
new file mode 100644
index 000000000..b8ffaf998
--- /dev/null
+++ b/src/Frontend/src/stores/AllowedRoutesStore.spec.ts
@@ -0,0 +1,79 @@
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { setActivePinia, createPinia } from "pinia";
+import { ApiRoutes } from "@/composables/apiRoutes";
+import { normalizeRouteKey } from "@/composables/routeMatching";
+
+const scFetch = vi.fn();
+const monFetch = vi.fn();
+vi.mock("@/components/serviceControlClient", () => ({ default: { fetchFromServiceControl: (s: string) => scFetch(s) } }));
+vi.mock("@/components/monitoring/monitoringClient", () => ({
+  default: {
+    get isMonitoringEnabled() {
+      return true;
+    },
+    fetchAllowedRoutes: () => monFetch(),
+  },
+}));
+
+import { useAllowedRoutesStore } from "@/stores/AllowedRoutesStore";
+
+const ok = (body: unknown) => ({ ok: true, status: 200, json: () => Promise.resolve(body) });
+
+describe("AllowedRoutesStore", () => {
+  beforeEach(() => {
+    setActivePinia(createPinia());
+    scFetch.mockReset();
+    monFetch.mockReset();
+  });
+
+  it("merges Primary and Monitoring manifests into normalized keys", async () => {
+    scFetch.mockResolvedValue(ok([{ method: "POST", url_template: "/api/errors/{id}/retry" }]));
+    monFetch.mockResolvedValue(ok([{ method: "DELETE", url_template: "/api/monitored-instance/{n}/{i}" }]));
+    const store = useAllowedRoutesStore();
+    await store.refresh();
+    expect(store.routes.has("POST /api/errors/{}/retry")).toBe(true);
+    expect(store.routes.has("DELETE /api/monitored-instance/{}/{}")).toBe(true);
+    expect(store.loaded).toBe(true);
+  });
+
+  it("fails open per instance: a 404 from one instance contributes nothing but does not throw", async () => {
+    scFetch.mockResolvedValue(ok([{ method: "GET", url_template: "/api/errors" }]));
+    monFetch.mockResolvedValue({ ok: false, status: 404, json: () => Promise.resolve({}) });
+    const store = useAllowedRoutesStore();
+    await store.refresh();
+    expect(store.routes.has("GET /api/errors")).toBe(true);
+    expect(store.loadAttempted).toBe(true);
+  });
+
+  it("treats a non-array 200 response body as a failed instance: loaded stays false when both return non-array", async () => {
+    scFetch.mockResolvedValue(ok({}));
+    monFetch.mockResolvedValue(ok(null));
+    const store = useAllowedRoutesStore();
+    await store.refresh();
+    expect(store.loaded).toBe(false);
+    expect(store.loadAttempted).toBe(true);
+  });
+
+  it("fails open globally: loaded is false when both instances fail with network errors", async () => {
+    scFetch.mockRejectedValue(new Error("network error"));
+    monFetch.mockRejectedValue(new Error("network error"));
+    const store = useAllowedRoutesStore();
+    await store.refresh();
+    expect(store.loaded).toBe(false);
+    expect(store.loadAttempted).toBe(true);
+  });
+
+  it("Monitoring manifest entry at root (no /api prefix) matches the ApiRoutes registry path", async () => {
+    // The Monitoring instance serves monitored-endpoints at root — no /api prefix.
+    // This test pins the cross-repo path contract: the manifest entry the Monitoring
+    // instance returns must round-trip through normalizeRouteKey to produce the same
+    // key as the registry uses for viewMonitoredEndpoints.
+    scFetch.mockResolvedValue(ok([]));
+    monFetch.mockResolvedValue(ok([{ method: "GET", url_template: "/monitored-endpoints" }]));
+    const store = useAllowedRoutesStore();
+    await store.refresh();
+    const expectedKey = normalizeRouteKey(ApiRoutes.viewMonitoredEndpoints.method, ApiRoutes.viewMonitoredEndpoints.path);
+    expect(expectedKey).toBe("GET /monitored-endpoints");
+    expect(store.routes.has(expectedKey)).toBe(true);
+  });
+});
diff --git a/src/Frontend/src/stores/AllowedRoutesStore.ts b/src/Frontend/src/stores/AllowedRoutesStore.ts
new file mode 100644
index 000000000..5c19413a3
--- /dev/null
+++ b/src/Frontend/src/stores/AllowedRoutesStore.ts
@@ -0,0 +1,76 @@
+import { acceptHMRUpdate, defineStore } from "pinia";
+import { ref } from "vue";
+import serviceControlClient from "@/components/serviceControlClient";
+import monitoringClient from "@/components/monitoring/monitoringClient";
+import { normalizeRouteKey } from "@/composables/routeMatching";
+import logger from "@/logger";
+
+export interface ManifestEntry {
+  method: string;
+  // ServiceControl serializes its HTTP API in snake_case, so the manifest field is `url_template`.
+  url_template: string;
+  [k: string]: unknown;
+}
+
+// Holds the allowed-route manifest the current token may call, merged from the instances
+// ServicePulse calls directly (Primary + Monitoring). A Map (not a Set) preserves each entry so a
+// future per-route `scope` field survives (resource-level checks). Keys are normalizeRouteKey().
+export const useAllowedRoutesStore = defineStore("AllowedRoutesStore", () => {
+  const routes = ref<Map<string, ManifestEntry>>(new Map());
+  const loaded = ref(false);
+  const loadAttempted = ref(false);
+
+  // Per-store in-flight guard so concurrent callers share one request. Kept on the store
+  // (not module scope) so each Pinia instance — e.g. a re-mounted app — has its own, and a
+  // stale request can never resolve into a different store instance.
+  let inFlight: Promise<void> | null = null;
+
+  async function fetchInstance(get: () => Promise<Response | undefined>): Promise<ManifestEntry[] | null> {
+    try {
+      const response = await get();
+      if (!response || !response.ok) return null; // per-instance fail-open
+      const json = await response.json();
+      if (!Array.isArray(json)) return null; // guard against non-array bodies (error envelopes, etc.)
+      return json as ManifestEntry[];
+    } catch (error) {
+      logger.warn("Failed to fetch allowed routes", error);
+      return null;
+    }
+  }
+
+  async function load() {
+    try {
+      const [primary, monitoring] = await Promise.all([
+        fetchInstance(() => serviceControlClient.fetchFromServiceControl("my/routes")),
+        fetchInstance(() => (monitoringClient.isMonitoringEnabled ? monitoringClient.fetchAllowedRoutes() : Promise.resolve(undefined))),
+      ]);
+      const merged = new Map<string, ManifestEntry>();
+      for (const list of [primary, monitoring]) {
+        for (const entry of list ?? []) {
+          merged.set(normalizeRouteKey(entry.method, entry.url_template), entry);
+        }
+      }
+      routes.value = merged;
+      loaded.value = primary !== null || monitoring !== null;
+    } finally {
+      loadAttempted.value = true;
+    }
+  }
+
+  // Fetch (or join an in-flight fetch of) the current user's allowed routes.
+  function refresh() {
+    return (inFlight ??= load().finally(() => (inFlight = null)));
+  }
+
+  function clear() {
+    routes.value = new Map();
+    loaded.value = false;
+    loadAttempted.value = false;
+  }
+
+  return { routes, loaded, loadAttempted, refresh, clear };
+});
+
+if (import.meta.hot) {
+  import.meta.hot.accept(acceptHMRUpdate(useAllowedRoutesStore, import.meta.hot));
+}
diff --git a/src/Frontend/src/stores/HealthChecksStore.ts b/src/Frontend/src/stores/HealthChecksStore.ts
index 9612b5632..6aff63c4c 100644
--- a/src/Frontend/src/stores/HealthChecksStore.ts
+++ b/src/Frontend/src/stores/HealthChecksStore.ts
@@ -1,11 +1,13 @@
 import type EmailSettings from "@/components/configuration/EmailSettings";
 import { acceptHMRUpdate, defineStore } from "pinia";
-import { ref } from "vue";
+import { computed, ref } from "vue";
 import serviceControlClient from "@/components/serviceControlClient";
 import type EmailNotifications from "@/resources/EmailNotifications";
 import type UpdateEmailNotificationsSettingsRequest from "@/resources/UpdateEmailNotificationsSettingsRequest";
 import { useEnvironmentAndVersionsStore } from "./EnvironmentAndVersionsStore";
 import logger from "@/logger";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 export const useHealthChecksStore = defineStore("HealthChecksStore", () => {
   const emailNotifications = ref<EmailSettings>({
@@ -22,6 +24,10 @@ export const useHealthChecksStore = defineStore("HealthChecksStore", () => {
   const environmentStore = useEnvironmentAndVersionsStore();
   const hasResponseStatusInHeaders = environmentStore.serviceControlIsGreaterThan("5.2");
 
+  const { canCall } = useAllowedRoutes();
+  const canManageNotifications = computed(() => canCall(ApiRoutes.manageNotifications));
+  const canTestNotifications = computed(() => canCall(ApiRoutes.testNotifications));
+
   async function refresh() {
     let result: EmailNotifications | null;
     try {
@@ -112,6 +118,8 @@ export const useHealthChecksStore = defineStore("HealthChecksStore", () => {
   return {
     refresh,
     emailNotifications,
+    canManageNotifications,
+    canTestNotifications,
     toggleEmailNotifications,
     saveEmailNotifications,
     testEmailNotifications,
diff --git a/src/Frontend/src/stores/HeartbeatInstancesStore.ts b/src/Frontend/src/stores/HeartbeatInstancesStore.ts
index 98d131bff..5e329e93a 100644
--- a/src/Frontend/src/stores/HeartbeatInstancesStore.ts
+++ b/src/Frontend/src/stores/HeartbeatInstancesStore.ts
@@ -7,6 +7,8 @@ import getSortFunction from "@/components/getSortFunction";
 import { useHeartbeatsStore } from "@/stores/HeartbeatsStore";
 import type { EndpointsView } from "@/resources/EndpointView";
 import serviceControlClient from "@/components/serviceControlClient";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 export enum ColumnNames {
   InstanceName = "name",
@@ -32,6 +34,9 @@ export const useHeartbeatInstancesStore = defineStore("HeartbeatInstancesStore",
   const sortedInstances = computed<EndpointsView[]>(() => endpointInstances.value.sort(getSortFunction(columnSortings.get(sortByInstances.value.property), sortByInstances.value.isAscending ? SortDirection.Ascending : SortDirection.Descending)));
   const filteredInstances = computed<EndpointsView[]>(() => sortedInstances.value.filter((instance) => !instanceFilterString.value || instance.host_display_name.toLowerCase().includes(instanceFilterString.value.toLowerCase())));
 
+  const { canCall } = useAllowedRoutes();
+  const canDeleteEndpointInstance = computed(() => canCall(ApiRoutes.deleteEndpointInstance));
+
   const refresh = () => store.refresh();
 
   watch(instanceFilterString, (newValue) => {
@@ -57,6 +62,7 @@ export const useHeartbeatInstancesStore = defineStore("HeartbeatInstancesStore",
     sortedInstances,
     filteredInstances,
     instanceFilterString,
+    canDeleteEndpointInstance,
     deleteEndpointInstance,
     toggleEndpointMonitor,
     sortByInstances,
diff --git a/src/Frontend/src/stores/MessageStore.ts b/src/Frontend/src/stores/MessageStore.ts
index 424f388bc..309a7ddb8 100644
--- a/src/Frontend/src/stores/MessageStore.ts
+++ b/src/Frontend/src/stores/MessageStore.ts
@@ -16,6 +16,8 @@ import type EditRetryResponse from "@/resources/EditRetryResponse";
 import type { EditedMessage } from "@/resources/EditMessage";
 import useEnvironmentAndVersionsAutoRefresh from "@/composables/useEnvironmentAndVersionsAutoRefresh";
 import { timeSpanToDuration } from "@/composables/formatter";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 interface Model {
   id?: string;
@@ -81,6 +83,12 @@ export const useMessageStore = defineStore("MessageStore", () => {
   const { configuration } = storeToRefs(configStore);
   const error_retention_period = computed(() => timeSpanToDuration(configuration.value?.data_retention?.error_retention_period).asHours());
 
+  const { canCall } = useAllowedRoutes();
+  const canRetry = computed(() => canCall(ApiRoutes.retryMessage, state.data));
+  const canEdit = computed(() => canCall(ApiRoutes.editMessage, state.data));
+  const canDelete = computed(() => canCall(ApiRoutes.deleteMessage, state.data));
+  const canRestore = computed(() => canCall(ApiRoutes.restoreMessage, state.data));
+
   async function loadEditAndRetryConfiguration() {
     try {
       const [, data] = await serviceControlClient.fetchTypedFromServiceControl<EditAndRetryConfig>("edit/config");
@@ -367,6 +375,10 @@ export const useMessageStore = defineStore("MessageStore", () => {
     state,
     edit_and_retry_config,
     editRetryResponse,
+    canRetry,
+    canEdit,
+    canDelete,
+    canRestore,
     reset,
     loadMessage,
     loadFailedMessage,
diff --git a/src/Frontend/src/stores/MonitoringEndpointDetailsStore.ts b/src/Frontend/src/stores/MonitoringEndpointDetailsStore.ts
index cb7fb3457..2b6556221 100644
--- a/src/Frontend/src/stores/MonitoringEndpointDetailsStore.ts
+++ b/src/Frontend/src/stores/MonitoringEndpointDetailsStore.ts
@@ -1,5 +1,5 @@
 import { defineStore, acceptHMRUpdate } from "pinia";
-import { ref } from "vue";
+import { computed, ref } from "vue";
 import MessageTypes from "@/components/monitoring/messageTypes";
 import { formatGraphDuration } from "../components/monitoring/formatGraph";
 import { type ExtendedEndpointDetails, type ExtendedEndpointInstance, type MessageType, type EndpointDetails, type EndpointDetailsError, isError } from "@/resources/MonitoringEndpoint";
@@ -10,6 +10,8 @@ import { emptyEndpointDetails } from "@/components/monitoring/endpoints";
 import { useMemoize } from "@vueuse/core";
 import useConnectionsAndStatsAutoRefresh from "@/composables/useConnectionsAndStatsAutoRefresh";
 import monitoringClient from "@/components/monitoring/monitoringClient";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 export const useMonitoringEndpointDetailsStore = defineStore("MonitoringEndpointDetailsStore", () => {
   const historyPeriodStore = useMonitoringHistoryPeriodStore();
@@ -43,6 +45,9 @@ export const useMonitoringEndpointDetailsStore = defineStore("MonitoringEndpoint
   const messageTypesUpdatedSet = ref<MessageType[]>([]);
   const negativeCriticalTimeIsPresent = ref<boolean>(false);
 
+  const { canCall } = useAllowedRoutes();
+  const canDeleteMonitoredEndpoint = computed(() => canCall(ApiRoutes.deleteMonitoredEndpoint));
+
   async function getEndpointDetails(name: string) {
     const { data, refresh } = getMemoisedEndpointDetails(name, historyPeriodStore.historyPeriod.pVal);
     if (!connectionStore.monitoringConnectionState.unableToConnect) await refresh();
@@ -115,6 +120,7 @@ export const useMonitoringEndpointDetailsStore = defineStore("MonitoringEndpoint
     messageTypesAvailable,
     messageTypesUpdatedSet,
     negativeCriticalTimeIsPresent,
+    canDeleteMonitoredEndpoint,
     updateMessageTypes,
     getEndpointDetails,
   };
diff --git a/src/Frontend/src/stores/PermissionsStore.ts b/src/Frontend/src/stores/PermissionsStore.ts
deleted file mode 100644
index 5fb1db7e3..000000000
--- a/src/Frontend/src/stores/PermissionsStore.ts
+++ /dev/null
@@ -1,72 +0,0 @@
-import { acceptHMRUpdate, defineStore } from "pinia";
-import { ref } from "vue";
-import serviceControlClient from "@/components/serviceControlClient";
-import logger from "@/logger";
-
-// The JSON shape returned by GET api/my/permissions/all (snake_case on the wire).
-// Permissions is a flat list of permission strings, e.g. "error:messages:retry".
-// (ServiceControl has no per-resource scopes yet; when it gains them this descriptor
-// will grow a scope per entry — see the dormant permissionMatching.ts.)
-export interface PermissionsDescriptor {
-  user: string;
-  permissions: string[];
-}
-
-// Holds the current user's effective permission set and loads it from ServiceControl.
-// A Set gives O(1) membership checks for usePermissions().can().
-export const usePermissionsStore = defineStore("PermissionsStore", () => {
-  const user = ref("");
-  const permissions = ref<Set<string>>(new Set());
-  const loaded = ref(false); // a descriptor was successfully applied
-  const loadAttempted = ref(false); // a fetch has settled (success OR failure)
-
-  // Per-store in-flight guard so concurrent callers share one request. Kept on the store
-  // (not module scope) so each Pinia instance — e.g. a re-mounted app — has its own, and a
-  // stale request can never resolve into a different store instance.
-  let inFlight: Promise<void> | null = null;
-
-  function setDescriptor(descriptor: PermissionsDescriptor) {
-    user.value = descriptor.user;
-    permissions.value = new Set(descriptor.permissions);
-    loaded.value = true;
-  }
-
-  async function load() {
-    try {
-      const response = await serviceControlClient.fetchFromServiceControl("my/permissions/all");
-
-      // Leave any existing descriptor intact on failure (fail-safe — don't widen or drop the
-      // user's permissions because of a transient error or a 401), and log it.
-      if (!response.ok) {
-        logger.warn(`Failed to fetch permissions: ${response.status} ${response.statusText}`);
-        return;
-      }
-
-      setDescriptor(await response.json());
-    } catch (error) {
-      logger.error("Error fetching permissions", error);
-    } finally {
-      // Even on failure, mark the attempt settled so gate-on-ready can proceed; can() then
-      // fails open because loaded stayed false.
-      loadAttempted.value = true;
-    }
-  }
-
-  // Fetch (or join an in-flight fetch of) the current user's permissions.
-  function refresh() {
-    return (inFlight ??= load().finally(() => (inFlight = null)));
-  }
-
-  function clear() {
-    user.value = "";
-    permissions.value = new Set();
-    loaded.value = false;
-    loadAttempted.value = false;
-  }
-
-  return { user, permissions, loaded, loadAttempted, setDescriptor, refresh, clear };
-});
-
-if (import.meta.hot) {
-  import.meta.hot.accept(acceptHMRUpdate(usePermissionsStore, import.meta.hot));
-}
diff --git a/src/Frontend/src/stores/RedirectsStore.ts b/src/Frontend/src/stores/RedirectsStore.ts
index 4c7d36499..1cc7dcc5f 100644
--- a/src/Frontend/src/stores/RedirectsStore.ts
+++ b/src/Frontend/src/stores/RedirectsStore.ts
@@ -1,10 +1,12 @@
 import type Redirect from "@/resources/Redirect";
 import type QueueAddress from "@/resources/QueueAddress";
 import { acceptHMRUpdate, defineStore } from "pinia";
-import { reactive } from "vue";
+import { computed, reactive } from "vue";
 import serviceControlClient from "@/components/serviceControlClient";
 import useEnvironmentAndVersionsAutoRefresh from "@/composables/useEnvironmentAndVersionsAutoRefresh";
 import type { RetryRedirect } from "@/components/configuration/RetryRedirectEdit.vue";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 export interface Redirects {
   data: Redirect[];
@@ -22,6 +24,9 @@ export const useRedirectsStore = defineStore("RedirectsStore", () => {
   const { store: environmentStore } = useEnvironmentAndVersionsAutoRefresh();
   const hasResponseStatusInHeader = environmentStore.serviceControlIsGreaterThan("5.2.0");
 
+  const { canCall } = useAllowedRoutes();
+  const canManageRedirects = computed(() => canCall(ApiRoutes.manageRedirects));
+
   async function getKnownQueues() {
     const [, data] = await serviceControlClient.fetchTypedFromServiceControl<QueueAddress[]>("errors/queues/addresses");
     redirects.queues = data.map((x) => x.physical_address);
@@ -79,7 +84,7 @@ export const useRedirectsStore = defineStore("RedirectsStore", () => {
     };
   }
 
-  return { refresh, redirects, retryPendingMessagesForQueue, createRedirect, updateRedirect, deleteRedirect };
+  return { refresh, redirects, canManageRedirects, retryPendingMessagesForQueue, createRedirect, updateRedirect, deleteRedirect };
 });
 
 if (import.meta.hot) {
diff --git a/src/Frontend/src/views/ConfigurationView.vue b/src/Frontend/src/views/ConfigurationView.vue
index 8525afbfe..f823e23a1 100644
--- a/src/Frontend/src/views/ConfigurationView.vue
+++ b/src/Frontend/src/views/ConfigurationView.vue
@@ -12,7 +12,8 @@ import useConnectionsAndStatsAutoRefresh from "@/composables/useConnectionsAndSt
 import { useRedirectsStore } from "@/stores/RedirectsStore";
 import { useLicenseStore } from "@/stores/LicenseStore";
 import { useAuthStore } from "@/stores/AuthStore";
-import { usePermissions } from "@/composables/usePermissions";
+import { useAllowedRoutes } from "@/composables/useAllowedRoutes";
+import { ApiRoutes } from "@/composables/apiRoutes";
 
 const { store: throughputStore } = useThroughputStoreAutoRefresh();
 const { hasErrors } = storeToRefs(throughputStore);
@@ -23,9 +24,9 @@ const licenseStore = useLicenseStore();
 const { licenseStatus } = licenseStore;
 const authStore = useAuthStore();
 
-// Each tab gates on the specific permission ServiceControl enforces for it. Gate-on-ready:
+// Each tab gates on the specific route ServiceControl enforces for it. Gate-on-ready:
 // the tab row is held until permissions are known, so tabs don't appear and then disappear.
-const { can, ready } = usePermissions();
+const { canCall, ready } = useAllowedRoutes();
 
 onMounted(async () => {
   if (notConnected.value) {
@@ -61,12 +62,12 @@ function preventIfDisabled(e: Event) {
     <div class="row">
       <div class="col-sm-12">
         <div class="nav tabs" v-if="ready">
-          <h5 v-if="can('error:licensing:view')" :class="{ active: isRouteSelected(routeLinks.configuration.license.link), disabled: notConnected }" @click.capture="preventIfDisabled" class="nav-item" role="tab" aria-label="license">
+          <h5 v-if="canCall(ApiRoutes.viewLicense)" :class="{ active: isRouteSelected(routeLinks.configuration.license.link), disabled: notConnected }" @click.capture="preventIfDisabled" class="nav-item" role="tab" aria-label="license">
             <RouterLink :to="routeLinks.configuration.license.link">License</RouterLink>
             <exclamation-mark :type="convertToWarningLevel(licenseStatus.warningLevel)" />
           </h5>
           <h5
-            v-if="can('error:throughput:manage')"
+            v-if="canCall(ApiRoutes.manageThroughput)"
             :class="{ active: isRouteSelected(routeLinks.throughput.setup.root) || isRouteSelected(routeLinks.throughput.setup.mask.link) || isRouteSelected(routeLinks.throughput.setup.diagnostics.link), disabled: notConnected }"
             @click.capture="preventIfDisabled"
             class="nav-item"
@@ -78,7 +79,7 @@ function preventIfDisabled(e: Event) {
           </h5>
           <template v-if="!licenseStatus.isExpired">
             <h5
-              v-if="can('error:connections:view')"
+              v-if="canCall(ApiRoutes.viewConnections)"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.massTransitConnector.link),
                 disabled: notConnected,
@@ -91,7 +92,7 @@ function preventIfDisabled(e: Event) {
               <RouterLink :to="routeLinks.configuration.massTransitConnector.link">MassTransit Connector</RouterLink>
             </h5>
             <h5
-              v-if="can('error:notifications:view')"
+              v-if="canCall(ApiRoutes.viewNotifications)"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.healthCheckNotifications.link),
                 disabled: notConnected,
@@ -104,7 +105,7 @@ function preventIfDisabled(e: Event) {
               <RouterLink :to="routeLinks.configuration.healthCheckNotifications.link">Health Check Notifications</RouterLink>
             </h5>
             <h5
-              v-if="can('error:redirects:view')"
+              v-if="canCall(ApiRoutes.viewRedirects)"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.retryRedirects.link),
                 disabled: notConnected,
@@ -117,7 +118,7 @@ function preventIfDisabled(e: Event) {
               <RouterLink :to="routeLinks.configuration.retryRedirects.link">Retry Redirects ({{ redirectsStore.redirects.total }})</RouterLink>
             </h5>
             <h5
-              v-if="can('error:connections:view')"
+              v-if="canCall(ApiRoutes.viewConnections)"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.connections.link),
               }"
@@ -131,7 +132,7 @@ function preventIfDisabled(e: Event) {
               </RouterLink>
             </h5>
             <h5
-              v-if="can('error:endpoints:view')"
+              v-if="canCall(ApiRoutes.viewEndpoints)"
               :class="{
                 active: isRouteSelected(routeLinks.configuration.endpointConnection.link),
                 disabled: notConnected,
@@ -145,7 +146,7 @@ function preventIfDisabled(e: Event) {
             </h5>
           </template>
           <template v-else>
-            <h5 v-if="can('error:connections:view')" :class="{ active: isRouteSelected(routeLinks.configuration.connections.link) }" class="nav-item" role="tab" aria-label="connections">
+            <h5 v-if="canCall(ApiRoutes.viewConnections)" :class="{ active: isRouteSelected(routeLinks.configuration.connections.link) }" class="nav-item" role="tab" aria-label="connections">
               <RouterLink :to="routeLinks.configuration.connections.link">
                 Connections
                 <exclamation-mark v-if="connectionStore.displayConnectionsWarning" :type="WarningLevel.Danger" />
diff --git a/src/Frontend/test/preconditions/authentication.ts b/src/Frontend/test/preconditions/authentication.ts
index 8bfdbc8bc..ba8a73014 100644
--- a/src/Frontend/test/preconditions/authentication.ts
+++ b/src/Frontend/test/preconditions/authentication.ts
@@ -51,66 +51,6 @@ export const hasAuthenticationDisabled =
     return authDisabledConfig;
   };
 
-/**
- * The full ServiceControl permission catalogue (writer/admin). Mirrors
- * ServiceControl's Auth/Permissions.cs. Used as the default for hasUserPermissions so
- * authenticated tests see the full UI unless they opt into a restricted set.
- */
-export const allPermissions: string[] = [
-  "error:messages:view",
-  "error:messages:retry",
-  "error:messages:archive",
-  "error:messages:unarchive",
-  "error:messages:edit",
-  "error:recoverabilitygroups:view",
-  "error:recoverabilitygroups:retry",
-  "error:recoverabilitygroups:archive",
-  "error:recoverabilitygroups:unarchive",
-  "error:endpoints:view",
-  "error:endpoints:manage",
-  "error:endpoints:delete",
-  "error:heartbeats:view",
-  "error:customchecks:view",
-  "error:customchecks:delete",
-  "error:sagas:view",
-  "error:eventlog:view",
-  "error:licensing:view",
-  "error:licensing:manage",
-  "error:notifications:view",
-  "error:notifications:manage",
-  "error:notifications:test",
-  "error:redirects:view",
-  "error:redirects:manage",
-  "error:queues:view",
-  "error:queues:delete",
-  "error:throughput:view",
-  "error:throughput:manage",
-  "error:connections:view",
-  "error:connections:manage",
-  "audit:message:view",
-  "audit:connection:view",
-  "audit:endpoint:view",
-  "audit:saga:view",
-  "monitoring:endpoint:view",
-  "monitoring:endpoint:delete",
-  "monitoring:connection:view",
-  "monitoring:license:view",
-];
-
-/**
- * Mocks GET my/permissions/all (the user's effective permission list).
- * @param permissions - the permission strings to grant (defaults to the full catalogue)
- * @param user - the subject name returned in the descriptor
- */
-export const hasUserPermissions =
-  (permissions: string[] = allPermissions, user = "test-user") =>
-  ({ driver }: SetupFactoryOptions) => {
-    const serviceControlInstanceUrl = window.defaultConfig.service_control_url;
-    driver.mockEndpoint(`${serviceControlInstanceUrl}my/permissions/all`, {
-      body: { user, permissions },
-    });
-  };
-
 /**
  * Authentication enabled with custom configuration
  * @param config - Custom auth configuration to return
@@ -126,9 +66,6 @@ export const hasAuthenticationEnabled =
     driver.mockEndpoint(`${serviceControlInstanceUrl}authentication/configuration`, {
       body: fullConfig,
     });
-    // When auth is enabled the app fetches the user's permissions; provide them by default
-    // (full access) so gate-on-ready can render. Tests can re-mock with a restricted set.
-    hasUserPermissions()({ driver });
     return fullConfig;
   };