Permissions

REST endpoints for permission grants. Every request requires bearer-token authentication.

GET /api/permissions

List permissions.

Query parameters

  • limit (optional): Page size (1–100, default 100).
  • after (optional): Keyset cursor — return the page after this row (next page).
  • before (optional): Keyset cursor — return the page before this row (prev page).
  • ids (optional): Comma-separated list of IDs. Narrows results to these IDs within the caller's accessible scope (does not bypass access checks).
  • filter (optional): Nested filter expression (<Entity>Filter): AND/OR/NOT + per-field comparison operators + relation traversal. JSON-encoded on the query string.
  • orderBy (optional): Multi-key sort (<Entity>OrderBy[]): array of { field: direction } applied in order. Directions: asc/desc plus the four variants that state null ordering explicitly. JSON-encoded on the query string.
  • workspace_id (optional): Restrict to grants in this workspace.
  • entity_id (optional): Restrict to grants on this specific entity. Type is encoded in the prefix.
  • subject_id (optional): Restrict to grants for this specific subject. Type is encoded in the prefix. Null-like sentinel values are not accepted here; express them through the filter parameter instead.
  • tier (optional): Restrict to grants at this tier.
  • include_deleted (optional): Soft-deleted (revoked) grant visibility. false (default) — active only. true — active plus revoked. only — revoked only (trash view).
  • created_by (optional): Shorthand: filter where createdBy equals this value.
  • deleted_by (optional): Shorthand: filter where deletedBy equals this value.
  • retention_tier (optional): Shorthand: filter where retentionTier equals this value.

Response

JSON
{
  "data": [
    {
      "id": "string",
      "workspaceId": "string",
      "entityId": "string",
      "subjectId": "any",
      "tier": "viewer | editor | admin",
      "createdBy": "string",
      "deletedAt": "string",
      "deletedBy": "string",
      "retentionTier": "any",
      "createdAt": "string",
      "updatedAt": "string"
    }
  ],
  "pageInfo": {
    "total": "number",
    "hasNextPage": "boolean",
    "hasPreviousPage": "boolean",
    "startCursor": "string",
    "endCursor": "string"
  }
}
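The query-string encoding and keyset paging described above, as an added example written for this page (it is not the service's own client or SDK). It builds GET /api/permissions URLs with filter and orderBy JSON-encoded as the page specifies, then walks forward through every page by feeding pageInfo.endCursor back as after until hasNextPage is false, refusing to loop if a cursor stops advancing. The base host, the sample grant rows and the fake_fetch stub are constructed so the walker runs offline; the filter and orderBy shapes used in the usage are assumed to match the AND/OR/NOT and { field: direction } forms the page names.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder host; the page does not state a base URL.
BASE_URL = "https://api.example.invalid"


def build_list_url(limit=100, after=None, before=None, filter_=None, order_by=None, **shorthand):
    """Build GET /api/permissions. `filter_` and `order_by` are JSON-encoded on the query
    string as the page specifies; `shorthand` covers workspace_id, tier, include_deleted, etc."""
    if not 1 <= limit <= 100:
        raise ValueError("limit must be between 1 and 100")
    if after is not None and before is not None:
        raise ValueError("use either after (next page) or before (previous page), not both")
    params = {"limit": limit}
    if after is not None:
        params["after"] = after
    if before is not None:
        params["before"] = before
    if filter_ is not None:
        params["filter"] = json.dumps(filter_, separators=(",", ":"))
    if order_by is not None:
        params["orderBy"] = json.dumps(order_by, separators=(",", ":"))
    params.update({k: v for k, v in shorthand.items() if v is not None})
    return f"{BASE_URL}/api/permissions?{urlencode(params)}"


def decode_query(url):
    """Return the query string as a dict of single values (used by the offline stub below)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def iterate_grants(fetch, **query):
    """Walk every page forward: follow pageInfo.endCursor via `after` until hasNextPage is false.
    `fetch(url)` returns the decoded JSON body; a repeated id means the cursor is not advancing."""
    after = None
    seen = set()
    while True:
        page = fetch(build_list_url(after=after, **query))
        for row in page["data"]:
            if row["id"] in seen:
                raise RuntimeError(f"pagination loop: {row['id']} returned twice")
            seen.add(row["id"])
            yield row
        if not page["pageInfo"]["hasNextPage"]:
            return
        after = page["pageInfo"]["endCursor"]


# Constructed sample grants (not real data) so the walker can run without a server.
SAMPLE_GRANTS = [
    {"id": f"prm_{i:03d}", "entityId": "ent_doc_1", "subjectId": f"usr_{i}",
     "tier": "viewer" if i % 2 else "editor", "deletedAt": None}
    for i in range(1, 6)
]


def fake_fetch(url):
    """Offline stand-in for the HTTP call: serves SAMPLE_GRANTS keyed by `after` and `limit`."""
    q = decode_query(url)
    limit = int(q["limit"])
    start = 0
    if "after" in q:
        start = next(i for i, g in enumerate(SAMPLE_GRANTS) if g["id"] == q["after"]) + 1
    rows = SAMPLE_GRANTS[start:start + limit]
    end = start + len(rows)
    return {
        "data": rows,
        "pageInfo": {
            "total": len(SAMPLE_GRANTS),
            "hasNextPage": end < len(SAMPLE_GRANTS),
            "hasPreviousPage": start > 0,
            "startCursor": rows[0]["id"] if rows else None,
            "endCursor": rows[-1]["id"] if rows else None,
        },
    }


if __name__ == "__main__":
    # Assumed filter/orderBy shapes, consistent with the AND/OR/NOT and { field: direction } forms above.
    print(build_list_url(limit=2, filter_={"AND": [{"tier": "admin"}]}, order_by=[{"createdAt": "desc"}]))
    for grant in iterate_grants(fake_fetch, limit=2, include_deleted="false"):
        print(grant["id"], grant["tier"])
```

Replacing fake_fetch with a real HTTP call that sends the bearer token is the only change needed against a live deployment; keeping the walker cursor-driven rather than offset-driven is what makes it safe against rows being revoked or restored between pages.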

POST /api/permissions

Grant permission

Grant a tier on an entity to a subject. Caller must hold admin tier on the target entity. If a soft-deleted grant exists for the same (entity, subject) pair it is restored and updated to the new tier.

Request body

JSON
{
  "entityId": "string",
  "subjectId?": "any",
  "tier": "viewer | editor | admin"
}

Response

JSON
{
  "id": "string",
  "workspaceId": "string",
  "entityId": "string",
  "subjectId": "any",
  "tier": "viewer | editor | admin",
  "createdBy": "string",
  "deletedAt": "string",
  "deletedBy": "string",
  "retentionTier": "any",
  "createdAt": "string",
  "updatedAt": "string"
}

GET /api/permissions/{id}

Get a permission by ID.

Path parameters

  • id (required): Permission grant to retrieve.

Response

JSON
{
  "id": "string",
  "workspaceId": "string",
  "entityId": "string",
  "subjectId": "any",
  "tier": "viewer | editor | admin",
  "createdBy": "string",
  "deletedAt": "string",
  "deletedBy": "string",
  "retentionTier": "any",
  "createdAt": "string",
  "updatedAt": "string"
}

PATCH /api/permissions/{id}

Update grant tier

Path parameters

  • id (required): Grant ID (prm_…).

Request body

JSON
{
  "tier": "any"
}

Response

JSON
{
  "id": "string",
  "workspaceId": "string",
  "entityId": "string",
  "subjectId": "any",
  "tier": "viewer | editor | admin",
  "createdBy": "string",
  "deletedAt": "string",
  "deletedBy": "string",
  "retentionTier": "any",
  "createdAt": "string",
  "updatedAt": "string"
}

DELETE /api/permissions/{id}

Revoke permission

Soft-delete a grant. Access stops immediately. Restore via POST /api/permissions/{id}/restore before retention expires.

Path parameters

  • id (required): Grant ID (prm_…).

Response

JSON
{
  "success": "boolean"
}

DELETE /api/permissions/{id}/purge

Permanently delete a revoked permission.

Path parameters

  • id (required): Revoked grant to permanently delete (hard-delete before the retention window expires).

Response

JSON
{
  "success": "boolean"
}

POST /api/permissions/{id}/restore

Restore a soft-deleted permission.

Path parameters

  • id (required): Revoked grant to restore. Re-grants the same tier to the same subject.

Response

JSON
{
  "id": "string",
  "workspaceId": "string",
  "entityId": "string",
  "subjectId": "any",
  "tier": "viewer | editor | admin",
  "createdBy": "string",
  "deletedAt": "string",
  "deletedBy": "string",
  "retentionTier": "any",
  "createdAt": "string",
  "updatedAt": "string"
}
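The grant lifecycle that the POST, DELETE, purge and restore endpoints above describe (admin-tier check on the caller, restore-and-update of a soft-deleted duplicate on POST, access stopping immediately on revoke, restore only before retention expires, purge only for a revoked grant, and the include_deleted visibility modes of the list endpoint) as an added in-memory model. This is example code written for this page, not the service's implementation. Assumptions: tiers are ordered viewer < editor < admin for access checks; the retention window defaults to 30 days; DELETE, restore and purge apply the same admin check as POST; POST on an already-active (entity, subject) pair is rejected; and the first admin grant is seeded out of band. Entity, subject and grant IDs are constructed.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Tier names are from the page; ordering them low-to-high for comparisons is an assumption.
TIERS = ("viewer", "editor", "admin")

class Forbidden(Exception): pass      # caller lacks admin tier on the target entity
class InvalidState(Exception): pass   # operation does not apply to the grant's current state

@dataclass
class Grant:
    id: str
    entity_id: str
    subject_id: str
    tier: str
    deleted_at: Optional[float] = None  # unix seconds; None means the grant is active
    deleted_by: Optional[str] = None

    @property
    def revoked(self) -> bool:
        return self.deleted_at is not None

class PermissionStore:
    """In-memory model of the grant lifecycle: grant, revoke, restore, purge, list."""

    def __init__(self, retention_seconds: float = 30 * 86400):
        self.retention = retention_seconds  # length of the retention window is an assumption
        self.grants: dict[str, Grant] = {}
        self._seq = 0

    def _find(self, entity_id: str, subject_id: str) -> Optional[Grant]:
        return next((g for g in self.grants.values()
                     if g.entity_id == entity_id and g.subject_id == subject_id), None)

    def _create(self, entity_id: str, subject_id: str, tier: str) -> Grant:
        self._seq += 1
        g = Grant(f"prm_{self._seq:04d}", entity_id, subject_id, tier)  # constructed id format
        self.grants[g.id] = g
        return g

    def has_access(self, subject_id: str, entity_id: str, needed: str) -> bool:
        """Only an active grant confers access: a revoked grant stops working immediately."""
        g = self._find(entity_id, subject_id)
        return g is not None and not g.revoked and TIERS.index(g.tier) >= TIERS.index(needed)

    def _require_admin(self, caller: str, entity_id: str) -> None:
        if not self.has_access(caller, entity_id, "admin"):
            raise Forbidden(f"{caller} must hold admin tier on {entity_id}")

    def bootstrap_admin(self, entity_id: str, subject_id: str) -> Grant:
        """Seed the first admin out of band; every API path below requires an existing admin."""
        return self._create(entity_id, subject_id, "admin")

    def grant(self, caller: str, entity_id: str, subject_id: str, tier: str) -> Grant:
        """POST /api/permissions: admin check, then restore-and-update a revoked duplicate."""
        if tier not in TIERS:
            raise ValueError(f"unknown tier {tier!r}")
        self._require_admin(caller, entity_id)
        existing = self._find(entity_id, subject_id)
        if existing is None:
            return self._create(entity_id, subject_id, tier)
        if not existing.revoked:
            raise InvalidState("active grant exists; change its tier with PATCH")  # assumption
        existing.deleted_at = existing.deleted_by = None
        existing.tier = tier
        return existing

    def revoke(self, caller: str, grant_id: str, now: Optional[float] = None) -> bool:
        """DELETE /api/permissions/{id}: soft-delete (the same admin check is assumed)."""
        g = self.grants[grant_id]
        self._require_admin(caller, g.entity_id)
        if g.revoked:
            raise InvalidState("grant already revoked")
        g.deleted_at, g.deleted_by = (time.time() if now is None else now), caller
        return True

    def restore(self, caller: str, grant_id: str, now: Optional[float] = None) -> Grant:
        """POST /api/permissions/{id}/restore: allowed only while retention has not expired."""
        g = self.grants[grant_id]
        self._require_admin(caller, g.entity_id)
        if not g.revoked:
            raise InvalidState("grant is active, nothing to restore")
        if (time.time() if now is None else now) - g.deleted_at > self.retention:
            raise InvalidState("retention expired; the grant can no longer be restored")
        g.deleted_at = g.deleted_by = None
        return g

    def purge(self, caller: str, grant_id: str) -> bool:
        """DELETE /api/permissions/{id}/purge: hard-delete, refused while the grant is active."""
        g = self.grants[grant_id]
        self._require_admin(caller, g.entity_id)
        if not g.revoked:
            raise InvalidState("only a revoked grant can be purged; revoke it first")
        del self.grants[grant_id]
        return True

    def list_grants(self, include_deleted: str = "false"):
        """GET /api/permissions include_deleted: false = active, true = all, only = revoked."""
        keep = {"false": lambda g: not g.revoked, "true": lambda g: True,
                "only": lambda g: g.revoked}[include_deleted]
        return [g for g in self.grants.values() if keep(g)]
```

The two properties worth checking in any real deployment are visible in the model: has_access consults only active grants, so a revoked grant loses effect before any retention or purge step, and purge is refused for an active grant, so a permanent deletion always passes through the auditable revoke step (deletedAt, deletedBy) first.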