API
Access control
The access-control API manages project permissions, roles, principals, and role assignments.
Discover permissions
Read the live permission catalog instead of copying a static list:
GET /v1/projects/{project}/permissionsThe response includes each permission's description, risk, category, assignability, and compatible principal kinds.
Project access follows four broad rungs: view, run, edit, and admin. Admin is the access-control boundary and is not implied by edit. Action permissions can also scope execution to one action name.
Manage roles
GET /v1/projects/{project}/roles
POST /v1/projects/{project}/roles
GET /v1/projects/{project}/roles/{role_id}
PATCH /v1/projects/{project}/roles/{role_id}
DELETE /v1/projects/{project}/roles/{role_id}Create a custom role with a small, explicit permission set:
{
"name": "deploy-runner",
"description": "Starts approved deploy runs.",
"permissions": [
"mobius.project.view",
"mobius.project.run",
"actions.execute.deploy.prod"
]
}System roles are assignable but immutable. Create a project role only when no system role matches the workload.
Assign roles
GET /v1/projects/{project}/role-assignments
POST /v1/projects/{project}/role-assignments
DELETE /v1/projects/{project}/role-assignments/{assignment_id}{
"principal_id": "<principal-id>",
"role_id": "<role-id>"
}A principal may represent a person, API client, worker, or agent. Credentials authenticate as the principal; role assignments decide what it can do.
Next
- Choose roles in the app with roles.
- Understand non-human principals with API clients.
- Inspect the permissions, roles, and assignments schemas.