The Management API uses a role-based access control model with two scopes: workspace and project. Each management API key carries an embedded set of permissions that determine what it can access.
| Role | Description |
|---|---|
| Admin | Full workspace control. Creator of a workspace is its initial admin. Manages members, projects, keys, and can delete the workspace. |
| Member | Read-only at workspace level. Sees only assigned projects. |
| Role | Description |
|---|---|
| Editor | Read and write access to project resources. |
| Viewer | Read-only access to project resources. |
- Workspace admins automatically have management access to all projects.
- Workspace members do not inherit project access - they must be explicitly assigned as
editororviewer. - Removing a workspace member revokes all their project-level assignments.
- Admins see all workspace projects.
- Members see only projects where they are explicitly assigned.
Permissions follow the format mgt:{resource}:{action}. Actions are read, write, and delete.
| Permission | Description |
|---|---|
mgt:workspace:read | View workspace details |
mgt:workspace:write | Update workspace settings |
mgt:workspace:delete | Delete the workspace |
mgt:member:read | List workspace members |
mgt:member:write | Invite members, update roles |
mgt:member:delete | Remove members |
mgt:project:read | List and view projects |
mgt:project:write | Create and update projects |
mgt:project:delete | Delete projects |
mgt:api_key:read | List API keys |
mgt:api_key:write | Create API keys |
mgt:rpc_key:read | List RPC keys |
mgt:rpc_key:write | Create RPC keys |
mgt:mgt_key:read | List management keys |
mgt:mgt_key:write | Create management keys |
| Permission | Admin | Member |
|---|---|---|
mgt:workspace:read | yes | yes |
mgt:workspace:write | yes | - |
mgt:workspace:delete | yes | - |
mgt:member:read | yes | - |
mgt:member:write | yes | - |
mgt:member:delete | yes | - |
mgt:project:read | yes | assigned only |
mgt:project:write | yes | - |
mgt:project:delete | yes | - |
mgt:api_key:read | yes | - |
mgt:api_key:write | yes | - |
mgt:rpc_key:read | yes | - |
mgt:rpc_key:write | yes | - |
mgt:mgt_key:read | yes | - |
mgt:mgt_key:write | yes | - |