Skip to content
Last updated

Authorization

The Management API uses a role-based access control model with two scopes: workspace and project. Each management API key carries an embedded set of permissions that determine what it can access.

Workspace roles

RoleDescription
AdminFull workspace control. Creator of a workspace is its initial admin. Manages members, projects, keys, and can delete the workspace.
MemberRead-only at workspace level. Sees only assigned projects.

Project roles

RoleDescription
EditorRead and write access to project resources.
ViewerRead-only access to project resources.

Inheritance

  • Workspace admins automatically have management access to all projects.
  • Workspace members do not inherit project access - they must be explicitly assigned as editor or viewer.
  • Removing a workspace member revokes all their project-level assignments.

Project visibility

  • Admins see all workspace projects.
  • Members see only projects where they are explicitly assigned.

Permissions

Permissions follow the format mgt:{resource}:{action}. Actions are read, write, and delete.

Management permissions

PermissionDescription
mgt:workspace:readView workspace details
mgt:workspace:writeUpdate workspace settings
mgt:workspace:deleteDelete the workspace
mgt:member:readList workspace members
mgt:member:writeInvite members, update roles
mgt:member:deleteRemove members
mgt:project:readList and view projects
mgt:project:writeCreate and update projects
mgt:project:deleteDelete projects
mgt:api_key:readList API keys
mgt:api_key:writeCreate API keys
mgt:rpc_key:readList RPC keys
mgt:rpc_key:writeCreate RPC keys
mgt:mgt_key:readList management keys
mgt:mgt_key:writeCreate management keys

Role-permission matrix

PermissionAdminMember
mgt:workspace:readyesyes
mgt:workspace:writeyes-
mgt:workspace:deleteyes-
mgt:member:readyes-
mgt:member:writeyes-
mgt:member:deleteyes-
mgt:project:readyesassigned only
mgt:project:writeyes-
mgt:project:deleteyes-
mgt:api_key:readyes-
mgt:api_key:writeyes-
mgt:rpc_key:readyes-
mgt:rpc_key:writeyes-
mgt:mgt_key:readyes-
mgt:mgt_key:writeyes-

Next steps