Organizations use role-based access control. Members are assigned roles, and roles contain scopes that grant specific permissions.

Members

Add member

POST /api/organizations/{id}/members
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| email | body | Yes | User’s email address |
| role_id | body | No | Role to assign (defaults to Member) |

If the user doesn’t have a platform account, they receive an invitation email.
Authentication: Organization member + members:invite scope.

Update member role

PUT /api/organizations/{id}/members/{userId}/role
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| role_id | body | Yes | New role ID |

Authentication: Organization member + members:manage_roles scope.

Remove member

DELETE /api/organizations/{id}/members/{userId}
Members can remove themselves. Removing other members requires the members:remove scope.
Authentication: Organization member + members:remove scope (or self-removal).

Roles

Every organization starts with two default roles:
| Role | Description |
| --- | --- |
| Admin | All scopes assigned — full organization access |
| Member | No scopes — basic authenticated access |

List roles

GET /api/organizations/{id}/roles
Returns all roles with their assigned scopes.
Authentication: Organization member required.

Create role

POST /api/organizations/{id}/roles
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| name | body | Yes | Role display name |
| scope_ids | body | No | Array of scope IDs to assign |

Authentication: Organization member + members:manage_roles scope.

Get role

GET /api/organizations/{id}/roles/{roleId}
Authentication: Organization member + members:manage_roles scope.

Update role

PATCH /api/organizations/{id}/roles/{roleId}
| Parameter | Type | Description |
| --- | --- | --- |
| name | body | Updated role name |
| scope_ids | body | Updated scope assignments |

Authentication: Organization member + members:manage_roles scope.

Delete role

DELETE /api/organizations/{id}/roles/{roleId}
Cannot delete the default Admin role. Members assigned to the deleted role should be reassigned first.
Authentication: Organization member + members:manage_roles scope.
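
The authentication requirements for the member and role endpoints above, written as a deny-by-default authorization check. This is an added example, not the platform's own code; the `caller` structure, user IDs and organization IDs are assumptions made for illustration.

```python
import re

ORG = r"/api/organizations/(?P<org>[^/]+)"
# (method, path regex, required scope); None = organization membership alone.
# Rows mirror the "Authentication:" lines for the organization endpoints above.
POLICY = [
    ("POST",   ORG + r"/members",                      "members:invite"),
    ("PUT",    ORG + r"/members/(?P<user>[^/]+)/role", "members:manage_roles"),
    ("DELETE", ORG + r"/members/(?P<user>[^/]+)",      "members:remove"),
    ("GET",    ORG + r"/roles",                        None),
    ("POST",   ORG + r"/roles",                        "members:manage_roles"),
    ("GET",    ORG + r"/roles/(?P<role>[^/]+)",        "members:manage_roles"),
    ("PATCH",  ORG + r"/roles/(?P<role>[^/]+)",        "members:manage_roles"),
    ("DELETE", ORG + r"/roles/(?P<role>[^/]+)",        "members:manage_roles"),
]

def authorize(caller, method, path):
    """Return (allowed, reason). `caller` is a hypothetical session object:
    {"user_id": str, "orgs": {org_id: set_of_scope_names}}."""
    for verb, pattern, scope in POLICY:
        m = re.fullmatch(pattern, path)
        if verb != method or m is None:
            continue
        scopes = caller["orgs"].get(m["org"])
        if scopes is None:
            return False, "not a member of this organization"
        # Self-removal is the one documented exception to the scope check.
        if scope == "members:remove" and m["user"] == caller["user_id"]:
            return True, "self-removal"
        if scope is None or scope in scopes:
            return True, "ok"
        return False, f"missing scope {scope}"
    return False, "no policy for route"  # deny by default

# Constructed sample callers (IDs and organization names are made up).
alice = {"user_id": "u1", "orgs": {"org1": {"members:invite"}}}
bob = {"user_id": "u2", "orgs": {"org1": set()}}  # default Member role: no scopes

if __name__ == "__main__":
    for who, verb, path in [
        (alice, "POST", "/api/organizations/org1/members"),
        (bob, "DELETE", "/api/organizations/org1/members/u2"),
        (bob, "DELETE", "/api/organizations/org1/members/u1"),
        (bob, "GET", "/api/organizations/org1/roles/r1"),
    ]:
        print(who["user_id"], verb, path, authorize(who, verb, path))
```

Membership is checked before the self-removal exception, so a caller cannot use their own user ID to act on an organization they do not belong to.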

Scopes

List assignable scopes

GET /api/scopes
Returns scopes that can be assigned to organization roles.
Authentication: User authentication required.

Get scope

GET /api/scopes/{id}
Authentication: User authentication required.

User invitations

Invite user

POST /api/users/invite
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| email | body | Yes | User’s email address |
| orgId | body | No | Organization to add the user to |
| roleId | body | No | Role to assign in the organization |

If orgId is provided, the user is invited to the platform and added to the organization in one step.
Authentication: Organization member + members:invite scope.