API

Access control

The access-control API manages project permissions, roles, principals, and role assignments.

Discover permissions

Read the live permission catalog instead of copying a static list:

GET /v1/projects/{project}/permissions

The response includes each permission's description, risk, category, assignability, and compatible principal kinds.

Project access follows four broad rungs: view, run, edit, and admin. Admin is the access-control boundary and is not implied by edit. Action permissions can also scope execution to one action name.

Manage roles

GET /v1/projects/{project}/roles
POST /v1/projects/{project}/roles
GET /v1/projects/{project}/roles/{role_id}
PATCH /v1/projects/{project}/roles/{role_id}
DELETE /v1/projects/{project}/roles/{role_id}

Create a custom role with a small, explicit permission set:

{
  "name": "deploy-runner",
  "description": "Starts approved deploy runs.",
  "permissions": [
    "mobius.project.view",
    "mobius.project.run",
    "actions.execute.deploy.prod"
  ]
}

System roles are assignable but immutable. Create a project role only when no system role matches the workload.

Assign roles

GET /v1/projects/{project}/role-assignments
POST /v1/projects/{project}/role-assignments
DELETE /v1/projects/{project}/role-assignments/{assignment_id}
{
  "principal_id": "<principal-id>",
  "role_id": "<role-id>"
}

A principal may represent a person, API client, worker, or agent. Credentials authenticate as the principal; role assignments decide what it can do.

Next