Intended Documentation

Roles and Token Governance

Role matrix and API credential lifecycle for tenant admin operations.

Use the enterprise admin endpoints for role visibility and API credential operations.

Role Matrix

  • GET /admin/roles?tenantId=<tenant>

Returns the actor's role and permissions, and the available role matrix for the tenant.

List API Credentials

  • GET /admin/api-tokens?tenantId=<tenant>

Create API Credential

  • POST /admin/api-tokens

Request body schema:

  • tenantId (required)
  • name (required)
  • environmentKey (required)
  • scopes (required array)
  • expiresAt (optional ISO datetime)
  • ipAllowlist (optional)

```bash
curl -X POST https://api.intended.so/admin/api-tokens \
  -H "Authorization: Bearer mrt_live_abc123" \
  -H "x-tenant-id: tenant_acme_prod" \
  -H "Content-Type: application/json" \
  -d '{
    "tenantId": "tenant_acme_prod",
    "name": "ci-pipeline",
    "environmentKey": "prod",
    "scopes": ["authority:policy:write", "audit:read"]
  }'
```
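
A pre-flight check for the create request body, as an added example that is not part of the Intended documentation or its API. It validates the required fields from the schema above and flags governance gaps (no expiry, no IP allowlist, write scopes). The 90-day lifetime limit, the `:write` suffix convention and the function name `lint_token_request` are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

REQUIRED = ("tenantId", "name", "environmentKey", "scopes")  # required per the schema above
MAX_LIFETIME = timedelta(days=90)  # assumption: local policy, not a documented API limit


def lint_token_request(body, now=None):
    """Return (severity, message) findings for a POST /admin/api-tokens body."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for field in REQUIRED:
        if body.get(field) in (None, "", []):
            findings.append(("error", f"missing required field: {field}"))
    scopes = body.get("scopes") or []
    if not isinstance(scopes, list) or not all(isinstance(s, str) and s for s in scopes):
        findings.append(("error", "scopes must be an array of non-empty strings"))
        scopes = []
    # Assumption: write scopes end in ":write", as in the page's "authority:policy:write".
    for scope in scopes:
        if scope.endswith(":write"):
            findings.append(("warn", f"write scope requested: {scope}"))
    expires_at = body.get("expiresAt")
    if expires_at is None:
        findings.append(("warn", "no expiresAt: set an explicit expiry"))
    else:
        try:
            expiry = datetime.fromisoformat(str(expires_at).replace("Z", "+00:00"))
        except ValueError:
            findings.append(("error", "expiresAt is not an ISO datetime"))
        else:
            if expiry.tzinfo is None:
                expiry = expiry.replace(tzinfo=timezone.utc)  # treat naive values as UTC
            if expiry <= now:
                findings.append(("error", "expiresAt is already in the past"))
            elif expiry - now > MAX_LIFETIME:
                findings.append(("warn", "expiresAt exceeds the 90-day lifetime policy"))
    if not body.get("ipAllowlist"):
        findings.append(("warn", "no ipAllowlist: no source-IP restriction requested"))
    return findings


# Constructed sample: the request body from the curl example above.
SAMPLE = {
    "tenantId": "tenant_acme_prod",
    "name": "ci-pipeline",
    "environmentKey": "prod",
    "scopes": ["authority:policy:write", "audit:read"],
}

if __name__ == "__main__":
    for severity, message in lint_token_request(SAMPLE):
        print(f"{severity}: {message}")
```

Running it in CI before the POST lets a pipeline refuse requests with `error` findings and route `warn` findings to review.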

Revoke API Credential

  • POST /admin/api-tokens/:id/revoke

Body:

  • tenantId (required)
  • reason (optional)

```bash
curl -X POST https://api.intended.so/admin/api-tokens/cred_123/revoke \
  -H "Authorization: Bearer mrt_live_abc123" \
  -H "x-tenant-id: tenant_acme_prod" \
  -H "Content-Type: application/json" \
  -d '{ "tenantId": "tenant_acme_prod", "reason": "Offboarding" }'
```

Governance Notes

  • Credential events are included in the GET /admin/api-tokens response.
  • Credential creation returns the secret once; persist it in a secure secret manager.
  • Role and token changes are audit-tracked and exportable.
