diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 10f7fbca..a93f89c7 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -4,11 +4,12 @@ import debug from 'debug';
 import { PERMISSIONS, ROLE_PERMISSIONS, SHARE_TOKEN_HEADER } from 'lib/constants';
 import { secret } from 'lib/crypto';
 import { createSecureToken, ensureArray, getRandomChars, parseToken } from 'next-basics';
-import { getTeamUser, getTeamWebsite, findTeamWebsiteByUserId } from 'queries';
+import { findTeamWebsiteByUserId, getTeamUser, getTeamWebsite, getWebsitesByUserId } from 'queries';
 import { loadWebsite } from './load';
 import { Auth } from './types';
 
 const log = debug('umami:auth');
+const cloudMode = process.env.CLOUD_MODE;
 
 export async function setAuthKey(user, expire = 0) {
   const authKey = `auth:${getRandomChars(32)}`;
@@ -57,7 +58,15 @@ export async function canViewWebsite({ user, shareToken }: Auth, websiteId: stri
   return !!(await findTeamWebsiteByUserId(websiteId, user.id));
 }
 
-export async function canCreateWebsite({ user }: Auth) {
+export async function canCreateWebsite({ user, grant }: Auth) {
+  if (cloudMode) {
+    if (grant.find(a => a === PERMISSIONS.websiteCreate)) {
+      return true;
+    }
+
+    return (await getWebsitesByUserId(user.id)).count < Number(process.env.WEBSITE_LIMIT);
+  }
+
   if (user.isAdmin) {
     return true;
   }
@@ -109,7 +118,15 @@ export async function canDeleteReport(auth: Auth, report: Report) {
   return canUpdateReport(auth, report);
 }
 
-export async function canCreateTeam({ user }: Auth) {
+export async function canCreateTeam({ user, grant }: Auth) {
+  if (cloudMode) {
+    if (grant.find(a => a === PERMISSIONS.teamCreate)) {
+      return true;
+    }
+
+    return false;
+  }
+
   if (user.isAdmin) {
     return true;
   }
diff --git a/src/lib/middleware.ts b/src/lib/middleware.ts
index 0cb0cb88..18f6cc46 100644
--- a/src/lib/middleware.ts
+++ b/src/lib/middleware.ts
@@ -51,7 +51,7 @@ export const useAuth = createMiddleware(async (req, res, next) => {
   const shareToken = await parseShareToken(req);
 
   let user = null;
-  const { userId, authKey } = payload || {};
+  const { userId, authKey, grant } = payload || {};
 
   if (isUuid(userId)) {
     user = await getUserById(userId);
@@ -72,7 +72,13 @@ export const useAuth = createMiddleware(async (req, res, next) => {
     user.isAdmin = user.role === ROLES.admin;
   }
 
-  (req as any).auth = { user, token, shareToken, authKey };
+  (req as any).auth = {
+    user,
+    grant,
+    token,
+    shareToken,
+    authKey,
+  };
 
   next();
 });
diff --git a/src/lib/types.ts b/src/lib/types.ts
index e1e9da29..3685753e 100644
--- a/src/lib/types.ts
+++ b/src/lib/types.ts
@@ -4,6 +4,7 @@ import {
   DATA_TYPE,
   EVENT_TYPE,
   KAFKA_TOPIC,
+  PERMISSIONS,
   REPORT_FILTER_TYPES,
   REPORT_TYPES,
   ROLES,
@@ -17,6 +18,7 @@ import { TIME_UNIT } from './date';
 type ObjectValues<T> = T[keyof T];
 
 export type TimeUnit = ObjectValues<typeof TIME_UNIT>;
+export type Permission = ObjectValues<typeof PERMISSIONS>;
 
 export type CollectionType = ObjectValues<typeof COLLECTION_TYPE>;
 export type Role = ObjectValues<typeof ROLES>;
@@ -78,6 +80,7 @@ export interface Auth {
     role: string;
     isAdmin: boolean;
   };
+  grant?: Permission[];
   shareToken?: {
     websiteId: string;
   };