---
title: "Permissions"
description: "REST endpoints for permissions. Bearer-auth required."
section: "API"
group: "REST"
order: 53
---

## GET /api/permissions

List permissions.

**Query parameters**

- `limit` (optional): Page size (1–100, default 100).
- `after` (optional): Keyset cursor — return the page after this row (next page).
- `before` (optional): Keyset cursor — return the page before this row (prev page).
- `ids` (optional): Comma-separated list of IDs. Narrows results to these IDs within the caller's accessible scope (does not bypass access checks).
- `filter` (optional): Nested filter expression (`<Entity>Filter`) combining AND/OR/NOT, per-field comparison operators and relation traversal. JSON-encoded on the query string.
- `orderBy` (optional): Multi-key sort (`<Entity>OrderBy[]`): array of `{ field: direction }` applied in order. Directions: asc/desc plus the four explicit nulls variants. JSON-encoded on the query string.
- `workspace_id` (optional): Restrict to grants in this workspace.
- `entity_id` (optional): Restrict to grants on this specific entity. Type is encoded in the prefix.
- `subject_id` (optional): Restrict to grants for this specific subject. Type is encoded in the prefix; pass `null`-like sentinels through a separate filter.
- `tier` (optional): Restrict to grants at this tier.
- `include_deleted` (optional): Soft-deleted (revoked) grant visibility. `false` (default) — active only. `true` — active plus revoked. `only` — revoked only (trash view).
- `created_by` (optional): Shorthand: filter where `createdBy` equals this value.
- `deleted_by` (optional): Shorthand: filter where `deletedBy` equals this value.
- `retention_tier` (optional): Shorthand: filter where `retentionTier` equals this value.

**Response**

```json
{
  "data": [
    {
      "id": "<...>",
      "workspaceId": "<...>",
      "entityId": "<...>",
      "subjectId": "<...>",
      "tier": "<...>",
      "createdBy": "<...>",
      "deletedAt": "<...>",
      "deletedBy": "<...>",
      "retentionTier": "<...>",
      "createdAt": "<...>",
      "updatedAt": "<...>"
    }
  ],
  "pageInfo": {
    "total": "number",
    "hasNextPage": "boolean",
    "hasPreviousPage": "boolean",
    "startCursor": "string",
    "endCursor": "string"
  }
}
```
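As an added example (not part of this reference, and not the service's own client code), the following Python builds the list request from the parameters above and walks every page by feeding `endCursor` back as `after`. The base URL, the grant rows and their `doc_`/`usr_` prefixes are constructed for the example; the `fetch` stand-in is an assumption about server behaviour (it orders and pages by id, whereas real cursors are opaque) and exists only so the code runs offline.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

BASE_URL = "https://api.example.test"  # placeholder host (assumption)

# Constructed sample grants, not real data; two are revoked (deletedAt set).
# The doc_/usr_ prefixes stand in for whatever entity/subject type prefixes the service uses.
SAMPLE_GRANTS = [
    {"id": "prm_001", "entityId": "doc_a", "subjectId": "usr_1", "tier": "viewer", "deletedAt": None},
    {"id": "prm_002", "entityId": "doc_a", "subjectId": "usr_2", "tier": "editor", "deletedAt": None},
    {"id": "prm_003", "entityId": "doc_b", "subjectId": "usr_1", "tier": "admin", "deletedAt": "2024-01-01T00:00:00Z"},
    {"id": "prm_004", "entityId": "doc_b", "subjectId": "usr_3", "tier": "viewer", "deletedAt": None},
    {"id": "prm_005", "entityId": "doc_c", "subjectId": "usr_2", "tier": "viewer", "deletedAt": None},
    {"id": "prm_006", "entityId": "doc_c", "subjectId": "usr_4", "tier": "editor", "deletedAt": "2024-02-01T00:00:00Z"},
]


def build_list_url(base_url, **params):
    """Encode GET /api/permissions query parameters.

    `filter` and `orderBy` are JSON-encoded on the query string, `ids` is
    comma-separated and `include_deleted` is one of false/true/only.
    Parameters set to None are omitted.
    """
    query = {}
    for key, value in params.items():
        if value is None:
            continue
        if key in ("filter", "orderBy"):
            query[key] = json.dumps(value, separators=(",", ":"))
        elif key == "ids":
            query[key] = ",".join(value)
        elif key == "include_deleted":
            query[key] = value if value == "only" else ("true" if value else "false")
        else:
            query[key] = value
    return f"{base_url}/api/permissions?{urlencode(query)}"


def query_params(url):
    """Decode a query string back into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def iter_permissions(fetch, base_url, limit=100, **params):
    """Yield every visible grant, following the keyset cursor: endCursor becomes the next `after`."""
    if not 1 <= limit <= 100:
        raise ValueError("limit must be between 1 and 100")
    after = None
    while True:
        page = fetch(build_list_url(base_url, limit=limit, after=after, **params))
        yield from page["data"]
        if not page["pageInfo"]["hasNextPage"]:
            return
        after = page["pageInfo"]["endCursor"]


def make_fake_fetch(rows):
    """Offline stand-in for the endpoint (an assumption, not the real server's logic).

    Applies include_deleted and ids, orders by id and pages by keyset. Real cursors
    are opaque; here a cursor is simply the id of the row it points at.
    """
    calls = []

    def fetch(url):
        calls.append(url)
        q = query_params(url)
        mode = q.get("include_deleted", "false")
        if mode == "true":
            visible = list(rows)
        elif mode == "only":
            visible = [r for r in rows if r["deletedAt"] is not None]
        else:
            visible = [r for r in rows if r["deletedAt"] is None]
        if "ids" in q:  # narrows within the visible set; never widens it
            wanted = set(q["ids"].split(","))
            visible = [r for r in visible if r["id"] in wanted]
        visible.sort(key=lambda r: r["id"])
        limit = int(q.get("limit", 100))
        # keyset paging: the page starts strictly after the cursor row, even if that row is gone
        start = sum(1 for r in visible if r["id"] <= q["after"]) if "after" in q else 0
        page = visible[start:start + limit]
        return {
            "data": page,
            "pageInfo": {
                "total": len(visible),
                "hasNextPage": start + limit < len(visible),
                "hasPreviousPage": start > 0,
                "startCursor": page[0]["id"] if page else None,
                "endCursor": page[-1]["id"] if page else None,
            },
        }

    fetch.calls = calls
    return fetch


if __name__ == "__main__":
    offline = make_fake_fetch(SAMPLE_GRANTS)
    for row in iter_permissions(offline, BASE_URL, limit=2):
        print(row["id"], row["tier"])
```

The page does not spell out the `<Entity>Filter` or `<Entity>OrderBy[]` grammar, so `build_list_url` only JSON-encodes whatever object you hand it for `filter` and `orderBy`; the stand-in server ignores both and honours only `limit`, `after`, `ids` and `include_deleted`.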

## POST /api/permissions

Grant permission.

Grant a tier on an entity to a subject. The caller must hold the `admin` tier on the target entity. If a soft-deleted grant exists for the same (entity, subject) pair, it is restored and updated to the new tier.

**Request body**

```json
{
  "entityId": "string",
  "subjectId?": "any",
  "tier": "viewer | editor | admin"
}
```

**Response**

```json
{
  "id": "string",
  "workspaceId": "string",
  "entityId": "string",
  "subjectId": "any",
  "tier": "viewer | editor | admin",
  "createdBy": "string",
  "deletedAt": "string",
  "deletedBy": "string",
  "retentionTier": "any",
  "createdAt": "string",
  "updatedAt": "string"
}
```

## GET /api/permissions/{id}

Get a permission by ID.

**Path parameters**

- `id` (required): Permission grant to retrieve.

**Response**

```json
{
  "id": "string",
  "workspaceId": "string",
  "entityId": "string",
  "subjectId": "any",
  "tier": "viewer | editor | admin",
  "createdBy": "string",
  "deletedAt": "string",
  "deletedBy": "string",
  "retentionTier": "any",
  "createdAt": "string",
  "updatedAt": "string"
}
```

## PATCH /api/permissions/{id}

Update grant tier.

**Path parameters**

- `id` (required): Grant ID (`prm_…`).

**Request body**

```json
{
  "tier": "any"
}
```

**Response**

```json
{
  "id": "string",
  "workspaceId": "string",
  "entityId": "string",
  "subjectId": "any",
  "tier": "viewer | editor | admin",
  "createdBy": "string",
  "deletedAt": "string",
  "deletedBy": "string",
  "retentionTier": "any",
  "createdAt": "string",
  "updatedAt": "string"
}
```

## DELETE /api/permissions/{id}

Revoke permission.

Soft-delete a grant. Access stops immediately. Restore via `POST /api/permissions/{id}/restore` before retention expires.

**Path parameters**

- `id` (required): Grant ID (`prm_…`).

**Response**

```json
{
  "success": "boolean"
}
```

## DELETE /api/permissions/{id}/purge

Permanently delete a revoked permission.

**Path parameters**

- `id` (required): Revoked grant to permanently delete (hard-deleted now, before retention expires).

**Response**

```json
{
  "success": "boolean"
}
```

## POST /api/permissions/{id}/restore

Restore a soft-deleted permission.

**Path parameters**

- `id` (required): Revoked grant to restore. Re-grants the same tier to the same subject.

**Response**

```json
{
  "id": "string",
  "workspaceId": "string",
  "entityId": "string",
  "subjectId": "any",
  "tier": "viewer | editor | admin",
  "createdBy": "string",
  "deletedAt": "string",
  "deletedBy": "string",
  "retentionTier": "any",
  "createdAt": "string",
  "updatedAt": "string"
}
```
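To make the lifecycle across grant, revoke, purge and restore concrete, here is an added Python model of those semantics (example code, not the service's implementation). It assumes tiers are ordered viewer < editor < admin, that the admin-on-entity check applies to every mutating call (the page states it only for granting), a single fixed retention window after which a revoked grant is gone, and a `seed_admin` bootstrap step for the first admin; grant ids reuse the page's `prm_` prefix, while entities, subjects and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from itertools import count
from typing import Optional

TIER_RANK = {"viewer": 0, "editor": 1, "admin": 2}  # assumption: viewer < editor < admin


class Forbidden(Exception):
    """Caller does not hold admin tier on the target entity."""


class NotFound(Exception):
    """No such grant, or a revoked grant whose retention window has expired."""


@dataclass
class Grant:
    id: str
    entity_id: str
    subject_id: str
    tier: str
    deleted_at: Optional[datetime] = None
    deleted_by: Optional[str] = None


class PermissionStore:
    def __init__(self, retention=timedelta(days=30)):
        self.retention = retention  # assumption: one fixed retention window for revoked grants
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed, controllable clock
        self._grants = {}
        self._seq = count(1)

    def advance(self, days):
        self.now += timedelta(days=days)

    def seed_admin(self, entity_id, subject_id):
        """Bootstrap (assumption): the first admin on an entity is created out of band, unchecked."""
        return self._create(entity_id, subject_id, "admin")

    def _create(self, entity_id, subject_id, tier):
        g = Grant(f"prm_{next(self._seq):03d}", entity_id, subject_id, tier)
        self._grants[g.id] = g
        return g

    def _sweep(self):
        # Revoked grants past retention are gone for good (models retention expiry).
        for k in [k for k, g in self._grants.items()
                  if g.deleted_at is not None and g.deleted_at + self.retention <= self.now]:
            del self._grants[k]

    def _find_pair(self, entity_id, subject_id):
        return next((g for g in self._grants.values()
                     if g.entity_id == entity_id and g.subject_id == subject_id), None)

    def _get(self, grant_id):
        self._sweep()
        if grant_id not in self._grants:
            raise NotFound(grant_id)
        return self._grants[grant_id]

    def has_access(self, subject_id, entity_id, tier):
        """Only active grants count: revoking stops access immediately, before any purge."""
        self._sweep()
        g = self._find_pair(entity_id, subject_id)
        return g is not None and g.deleted_at is None and TIER_RANK[g.tier] >= TIER_RANK[tier]

    def _require_admin(self, caller, entity_id):
        if not self.has_access(caller, entity_id, "admin"):
            raise Forbidden(f"{caller} does not hold admin on {entity_id}")

    def grant(self, caller, entity_id, subject_id, tier):
        """POST /api/permissions: a soft-deleted grant for the same pair is restored and re-tiered."""
        if tier not in TIER_RANK:
            raise ValueError(f"unknown tier {tier!r}")
        self._require_admin(caller, entity_id)
        existing = self._find_pair(entity_id, subject_id)
        if existing is None:
            return self._create(entity_id, subject_id, tier)
        existing.tier, existing.deleted_at, existing.deleted_by = tier, None, None
        return existing

    def revoke(self, caller, grant_id):
        """DELETE /api/permissions/{id}: soft delete; the row survives for the retention window."""
        g = self._get(grant_id)
        self._require_admin(caller, g.entity_id)
        g.deleted_at, g.deleted_by = self.now, caller
        return True

    def restore(self, caller, grant_id):
        """POST /api/permissions/{id}/restore: only a revoked grant still inside retention comes back."""
        g = self._get(grant_id)
        if g.deleted_at is None:
            raise ValueError("grant is not revoked")
        self._require_admin(caller, g.entity_id)
        g.deleted_at, g.deleted_by = None, None
        return g

    def purge(self, caller, grant_id):
        """DELETE /api/permissions/{id}/purge: hard-delete a revoked grant before retention expires."""
        g = self._get(grant_id)
        if g.deleted_at is None:
            raise ValueError("only revoked grants can be purged")
        self._require_admin(caller, g.entity_id)
        del self._grants[grant_id]
        return True
```

The points worth noticing are that `has_access` never counts a row with `deleted_at` set, so revocation takes effect before any purge or retention sweep; that re-granting the same (entity, subject) pair reuses the existing row rather than creating a second grant; and that once the retention window has passed, `restore` fails with `NotFound` and a fresh grant gets a new id. `update_tier` for PATCH is omitted because it is the same admin check followed by a field write.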
