# Authorization

The Management API uses a role-based access control model with two scopes: **workspace** and **project**. Each management API key carries an embedded set of permissions that determines what it can access; a request succeeds only if the key holds the permission the endpoint requires.

## Workspace roles

| Role | Description |
|  --- | --- |
| **Admin** | Full workspace control. The creator of a workspace is its initial admin. Manages members, projects, and keys, and can delete the workspace. |
| **Member** | Read-only at the workspace level; sees only the projects they are explicitly assigned to. |


## Project roles

| Role | Description |
|  --- | --- |
| **Editor** | Read and write access to project resources. |
| **Viewer** | Read-only access to project resources. |


### Inheritance

- Workspace **admins** automatically have management access to all projects.
- Workspace **members** do not inherit project access; they must be explicitly assigned as `editor` or `viewer` on each project.
- Removing a workspace member revokes all their project-level assignments.


### Project visibility

- Admins see **all** workspace projects.
- Members see **only** projects where they are explicitly assigned.


## Permissions

Permissions follow the format `mgt:{resource}:{action}`. Actions are `read`, `write`, and `delete`, but not every resource exposes every action: the key resources (`api_key`, `rpc_key`, `mgt_key`) have no `delete` permission. The table below is the complete list; a permission string not in it is invalid.

### Management permissions

| Permission | Description |
|  --- | --- |
| `mgt:workspace:read` | View workspace details |
| `mgt:workspace:write` | Update workspace settings |
| `mgt:workspace:delete` | Delete the workspace |
| `mgt:member:read` | List workspace members |
| `mgt:member:write` | Invite members, update roles |
| `mgt:member:delete` | Remove members |
| `mgt:project:read` | List and view projects |
| `mgt:project:write` | Create and update projects |
| `mgt:project:delete` | Delete projects |
| `mgt:api_key:read` | List API keys |
| `mgt:api_key:write` | Create API keys |
| `mgt:rpc_key:read` | List RPC keys |
| `mgt:rpc_key:write` | Create RPC keys |
| `mgt:mgt_key:read` | List management keys |
| `mgt:mgt_key:write` | Create management keys |


### Role-permission matrix

| Permission | Admin | Member |
|  --- | --- | --- |
| `mgt:workspace:read` | yes | yes |
| `mgt:workspace:write` | yes | - |
| `mgt:workspace:delete` | yes | - |
| `mgt:member:read` | yes | - |
| `mgt:member:write` | yes | - |
| `mgt:member:delete` | yes | - |
| `mgt:project:read` | yes | assigned only |
| `mgt:project:write` | yes | - |
| `mgt:project:delete` | yes | - |
| `mgt:api_key:read` | yes | - |
| `mgt:api_key:write` | yes | - |
| `mgt:rpc_key:read` | yes | - |
| `mgt:rpc_key:write` | yes | - |
| `mgt:mgt_key:read` | yes | - |
| `mgt:mgt_key:write` | yes | - |
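
The rules above (the inheritance and visibility bullets, the `mgt:{resource}:{action}` format, and the role-permission matrix) are easier to reason about as one policy model. The following is an added example, not the vendor's code or API: `Workspace`, `check`, `visible_projects`, `project_access` and the sample users and projects are names and data constructed for the illustration. It fails closed on undefined permission strings, scopes a member's `mgt:project:read` to assigned projects, and revokes project assignments when a member is removed.

```python
# Added example (not the vendor's implementation): a model of the authorization
# rules on this page. Class and function names are chosen for the example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ACTIONS = frozenset({"read", "write", "delete"})

# Every permission in the "Management permissions" table. The key resources
# (api_key, rpc_key, mgt_key) deliberately have no delete action.
MANAGEMENT_PERMISSIONS = frozenset({
    "mgt:workspace:read", "mgt:workspace:write", "mgt:workspace:delete",
    "mgt:member:read", "mgt:member:write", "mgt:member:delete",
    "mgt:project:read", "mgt:project:write", "mgt:project:delete",
    "mgt:api_key:read", "mgt:api_key:write",
    "mgt:rpc_key:read", "mgt:rpc_key:write",
    "mgt:mgt_key:read", "mgt:mgt_key:write",
})

# Workspace role -> permissions, from the role-permission matrix. The member's
# mgt:project:read is "assigned only"; that scoping is enforced in check().
ROLE_PERMISSIONS: Dict[str, frozenset] = {
    "admin": MANAGEMENT_PERMISSIONS,
    "member": frozenset({"mgt:workspace:read", "mgt:project:read"}),
}


def parse_permission(perm: str) -> Tuple[str, str]:
    """Split 'mgt:{resource}:{action}' into (resource, action).

    Rejects malformed strings and permissions the table does not define
    (e.g. 'mgt:api_key:delete'), so a typo or over-broad request fails closed.
    """
    parts = perm.split(":")
    if len(parts) != 3 or parts[0] != "mgt" or parts[2] not in ACTIONS:
        raise ValueError(f"malformed permission: {perm!r}")
    if perm not in MANAGEMENT_PERMISSIONS:
        raise ValueError(f"undefined permission: {perm!r}")
    return parts[1], parts[2]


def is_valid_permission(perm: str) -> bool:
    """True only for permission strings the table defines."""
    try:
        parse_permission(perm)
        return True
    except ValueError:
        return False


@dataclass
class Workspace:
    members: Dict[str, str] = field(default_factory=dict)   # user -> "admin" | "member"
    projects: Set[str] = field(default_factory=set)
    # (user, project) -> "editor" | "viewer"; the explicit project assignments
    assignments: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def assign(self, user: str, project: str, role: str) -> None:
        """Explicit project assignment; only workspace members can hold one."""
        if user not in self.members:
            raise ValueError(f"{user!r} is not a workspace member")
        if project not in self.projects or role not in ("editor", "viewer"):
            raise ValueError("unknown project or project role")
        self.assignments[(user, project)] = role

    def remove_member(self, user: str) -> None:
        """Removing a workspace member revokes all their project-level assignments."""
        self.members.pop(user, None)
        self.assignments = {k: v for k, v in self.assignments.items() if k[0] != user}

    def visible_projects(self, user: str) -> Set[str]:
        """Admins see all projects; members see only explicitly assigned ones."""
        role = self.members.get(user)
        if role == "admin":
            return set(self.projects)
        if role == "member":
            return {p for (u, p) in self.assignments if u == user}
        return set()

    def check(self, user: str, permission: str, project: Optional[str] = None) -> bool:
        """Does `user` hold `permission`, optionally on a specific project?"""
        resource, _action = parse_permission(permission)
        role = self.members.get(user)
        if role is None or permission not in ROLE_PERMISSIONS[role]:
            return False
        if project is not None and project not in self.projects:
            return False
        if resource == "project" and role == "member":
            # "assigned only": a member needs an explicit assignment to this project.
            return project is not None and project in self.visible_projects(user)
        return True

    def project_access(self, user: str, project: str) -> Optional[str]:
        """Effective access to a project: 'read-write', 'read-only' or None.

        Assumption of this example: an admin's inherited "management access"
        is modelled as read-write. Members get nothing unless assigned.
        """
        if project not in self.projects:
            return None
        if self.members.get(user) == "admin":
            return "read-write"
        role = self.assignments.get((user, project))
        return {"editor": "read-write", "viewer": "read-only"}.get(role)


def demo() -> Workspace:
    """Constructed sample workspace (not real data): one admin, two members."""
    ws = Workspace(members={"alice": "admin", "bob": "member", "carol": "member"},
                   projects={"billing", "analytics"})
    ws.assign("bob", "billing", "viewer")
    return ws
```

Two design points worth copying into a real implementation: the permission string is validated against a closed list before any role lookup, so an unknown action such as `delete` on a key resource is an error rather than a silent no-op; and member removal rewrites the assignment map in the same operation, so there is no window in which a former member still resolves to `viewer` or `editor` on a project.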


## Next steps

- **Guide**: resource hierarchy, key types, and common workflows.
- **API Reference**: complete endpoint documentation for management operations.