Skip to content

Team & roles API

Invite people to your account and control what they can do with roles. A role is a named bundle of permissions; you assign one to each member (and, with the same model, to API keys).

All endpoints need a bearer token. In practice team, role, and account management is Owner work done from a login session - API keys can never hold team, roles, or account permissions.

For the concept-level overview, see Team & roles.

Owner vs member

  • The Owner is whoever registered the account. They have full access to everything, implicitly - no role to assign, nothing to configure.
  • Everyone else is a Member with exactly one assigned role. Their access is whatever that role grants, and nothing more.

Permission tokens

A permission is a resource:action string, for example pods:read or billing:pay. A wildcard resource:* grants every action on that resource (pods:*). Roles are built from these tokens.

A few actions are more sensitive than the rest - grant them deliberately:

  • pods:console - open a shell inside a pod
  • domains:ssl - issue and manage SSL certificates
  • billing:pay - spend money (top up credit)

The permission catalogue

http
GET /api/permissions

Returns every resource and the actions it supports - the source of truth for what you can put in a role:

json
{
  "resources": [
    { "key": "pods", "label": "Pods", "actions": ["read", "create", "update", "delete", "console"] }
  ]
}

The 16 resources and their actions:

ResourceActions
podsread, create, update, delete, console
networksread, create, update, delete
firewallsread, create, update, delete
domainsread, create, update, delete, ssl
snapshotsread, create, update, delete
backupsread, create, update, delete
emailread, create, update, delete
sshkeysread, create, delete
monitoringread, update
billingread, pay
supportread, create, update
apikeysread, create, delete
rolesread, create, update, delete
teamread, create, update, delete
accountread, update
auditread

Roles

List roles

http
GET /api/roles/

Returns your account's roles, including the four seeded system roles. A Role looks like:

json
{
  "id": "...",
  "name": "Deployer",
  "description": "Can manage pods and domains",
  "permissions": ["pods:*", "domains:read", "domains:update"],
  "isSystem": false,
  "createdAt": "..."
}

System roles

Every account starts with four ready-made roles. They are marked isSystem: true and cannot be edited or deleted:

RoleGrants
Full accessEverything except team, roles, and account settings. The Owner always has those; a custom role can grant them too if you want to delegate.
DeveloperManage pods, networks, firewalls, domains, snapshots, backups, SSH keys, monitoring, and support; read-only email and activity log.
Read-onlyThe read action on everything. Look, don't touch.
BillingFull billing; read-only account and activity log.

Create a role

http
POST /api/roles/
json
{
  "name": "Deployer",
  "description": "Can manage pods and domains",
  "permissions": ["pods:*", "domains:read", "domains:update"]
}

Returns 201 with the new role. You can only grant permissions you hold yourself.

Update a role

http
PUT /api/roles/:roleId
json
{
  "name": "Deployer",
  "description": "Pods, domains, and now snapshots",
  "permissions": ["pods:*", "domains:*", "snapshots:*"]
}

Only your own custom roles - system roles are read-only.

Delete a role

http
DELETE /api/roles/:roleId

Team members

List members

http
GET /api/team/

Invite a member

http
POST /api/team/
json
{
  "username": "bob",
  "firstName": "Bob",
  "lastName": "Lee",
  "email": "bob@example.com",
  "roleId": "<role id>"
}

Sends an email invitation. The invited person clicks the link and sets their own password - you never see or set a temporary one. Leave roleId empty and they start on the least-privilege Read-only role, which you can change later. Returns 201.

Change a member's role

http
PATCH /api/team/:userId/role
json
{ "roleId": "<role id>" }

Enable or disable a member

http
PATCH /api/team/:userId/status
json
{ "isActive": false }

Disabling a member blocks their access without removing them - handy for someone who is away for a while.

Remove a member

http
DELETE /api/team/:userId

Removes them from the account and revokes any API keys they created.

Example

bash
curl -X POST https://cloud-api.microapps.io/api/team/ \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"username":"bob","firstName":"Bob","lastName":"Lee","email":"bob@example.com","roleId":"<role id>"}'

Built for the long tail.