Access Control API
Check permission
POST /access/check
Authorization: Bearer <token>
Content-Type: application/json
{
"userId": "usr_xxxx",
"permission": "console.users.read",
"context": {
"orgId": "org_xxxx"
}
}Response:
{ "allowed": true }Target latency: < 50 ms p99.
Permissions
Register permissions (namespace)
POST /access/permissions
Authorization: Bearer <token>
Content-Type: application/json
{
"namespace": "my-product",
"permissions": [
{ "key": "my-product.reports.read", "description": "View reports" }
]
}List permissions
GET /access/permissions?namespace=console&limit=50
Authorization: Bearer <token>Roles
List roles
GET /access/roles
Authorization: Bearer <token>Get role
GET /access/roles/:id
Authorization: Bearer <token>Create role
POST /access/roles
Authorization: Bearer <token>
Content-Type: application/json
{
"name": "content-editor",
"permissions": ["content-os.access", "content-os.calendar.write"]
}Update role permissions
PATCH /access/roles/:id
Authorization: Bearer <token>
Content-Type: application/json
{
"permissions": ["content-os.access", "content-os.calendar.read"]
}Delete role
DELETE /access/roles/:id
Authorization: Bearer <token>Assignments
Assign role to user
POST /access/assignments
Authorization: Bearer <token>
Content-Type: application/json
{
"userId": "usr_xxxx",
"roleId": "role_xxxx",
"context": { "orgId": "org_xxxx" }
}List user's assignments
GET /identity/users/:userId/assignments
Authorization: Bearer <token>Revoke assignment
DELETE /access/assignments/:assignmentId
Authorization: Bearer <token>