Use this matrix to assign least-privilege access.

Auth model

Authenticated endpoints accept:
  • Bearer session token
  • API key via X-Api-Key
Authorization uses resource-action permissions (for example messages:send).

Endpoint permission matrix

Domain | Common endpoints | Required permission
Auth (self-service) | /v1/auth/* | Session context (no explicit RBAC action)
Channels | /v1/channels* | channels:read, channels:write, channels:delete
Contacts | /v1/contacts*, /v1/contact-tags* | contacts:*, tags:*, notes:*
Conversations | /v1/conversations*, /v1/labels* | conversations:*, labels:*
WAGO chat actions | /v1/chats*, /v1/calls*, /v1/groups*, /v1/communities*, /v1/newsletters*, /v1/channels/{channelID}/groups | channels:read, channels:write
Label attachments | /v1/labels/chats/attach, /v1/labels/chats/detach, /v1/labels/messages/attach, /v1/labels/messages/detach | labels:write
Messages | /v1/messages* | messages:send, messages:read
Organization members | /v1/members* | members:read, members:write, members:delete
Invitations | /v1/invitations* | invitations:read, invitations:write, invitations:delete
API keys | /v1/api-keys* | api_keys:read, api_keys:write, api_keys:delete
Templates | /v1/templates* | templates:read, templates:write, templates:delete
Campaigns | /v1/campaigns* | campaigns:read, campaigns:write, campaigns:delete
WABA | /v1/waba* | waba:read, waba:write
Audit | /v1/audit-logs | audit_logs:read
CDP | /v1/cdp/* | custom_fields:*, lifecycle_stages:*, object_types:*, contact_objects:*, events:*, segments:*, activity_log:read

Role baseline (default policy)

  • member: operational read/write on core messaging resources.
  • admin: member + management operations (api_keys, invitations, destructive ops).
  • owner: admin + destructive organization operations.
Start API keys with the smallest permission set, then widen only when requests return 403 for operations the key genuinely needs.
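The following is an added example, not code from this API or its documentation, showing how the resource-action model above resolves to a per-request check for an API key, how a domain wildcard such as contacts:* is honoured, and how the "start small, widen only on 403" rule can be applied mechanically. It covers only a subset of the matrix, and the mapping of HTTP method to action (GET to read, POST to write or send, DELETE to delete) is an assumption made here; the page lists permissions per domain without stating that mapping. The caller is assumed to be already authenticated (bearer session token or X-Api-Key).

```python
"""Resolve the endpoint permission matrix into per-request checks for an API key.

Added example: the matrix subset, the method-to-action mapping and the status
codes are assumptions for illustration, not the API's own implementation.
"""
from fnmatch import fnmatchcase

# (path glob, {HTTP method: required permission}); None means the route needs
# session context only (no explicit RBAC action). Most specific patterns first,
# because the first glob that matches the path wins.
MATRIX = [
    ("/v1/labels/chats/attach", {"POST": "labels:write"}),
    ("/v1/labels/chats/detach", {"POST": "labels:write"}),
    ("/v1/auth/*", None),
    ("/v1/channels*", {"GET": "channels:read", "POST": "channels:write",
                       "PATCH": "channels:write", "DELETE": "channels:delete"}),
    # contacts:* on the page; the read/write/delete split is this example's assumption
    ("/v1/contacts*", {"GET": "contacts:read", "POST": "contacts:write",
                       "DELETE": "contacts:delete"}),
    ("/v1/messages*", {"GET": "messages:read", "POST": "messages:send"}),
    ("/v1/api-keys*", {"GET": "api_keys:read", "POST": "api_keys:write",
                       "DELETE": "api_keys:delete"}),
    ("/v1/audit-logs", {"GET": "audit_logs:read"}),
]


def required_permission(method, path):
    """Permission a request needs; None for session-only routes.
    Raises LookupError when the matrix has no entry for the path or method,
    so unknown routes are denied by default rather than silently allowed."""
    for pattern, actions in MATRIX:
        if fnmatchcase(path, pattern):
            if actions is None:
                return None
            if method.upper() in actions:
                return actions[method.upper()]
            raise LookupError(f"{method} not described for {pattern}")
    raise LookupError(f"no matrix entry for {path}")


def grants(held, needed):
    """True if a key holding `held` satisfies `needed`. A `domain:*` entry
    covers every action in that domain; there is no global wildcard."""
    if needed in held:
        return True
    domain = needed.split(":", 1)[0]
    return f"{domain}:*" in held


def authorize(held, method, path):
    """Decide an authenticated request. 200 = allowed, 403 = key lacks the
    required permission, 404 = route/method not in the matrix (deny by default).
    Keeping 403 distinct from 404 matters: only a 403 is a signal to widen."""
    try:
        needed = required_permission(method, path)
    except LookupError:
        return 404
    if needed is None or grants(held, needed):
        return 200
    return 403


def minimal_scope(planned_calls):
    """Smallest permission set for the (method, path) calls a key will make:
    the starting scope before any widening."""
    scope = set()
    for method, path in planned_calls:
        needed = required_permission(method, path)
        if needed is not None:
            scope.add(needed)
    return scope


def widen_on_403(held, method, path):
    """Grow a key's scope only by the single permission a 403 was returned for,
    never by a whole `domain:*`; anything other than a 403 leaves it unchanged."""
    if authorize(held, method, path) != 403:
        return set(held)
    return set(held) | {required_permission(method, path)}


if __name__ == "__main__":
    key = minimal_scope([("POST", "/v1/messages"), ("GET", "/v1/audit-logs")])
    print(sorted(key))                                   # ['audit_logs:read', 'messages:send']
    print(authorize(key, "GET", "/v1/messages"))         # 403
    print(sorted(widen_on_403(key, "GET", "/v1/messages")))
    print(authorize({"contacts:*"}, "DELETE", "/v1/contacts/c1"))  # 200
```

The deny-by-default branch (404 for anything the matrix does not describe) is the part worth keeping when adapting this: a permission check that falls through to "allow" for an unlisted route turns every new endpoint into an unscoped one until someone remembers to add it to the matrix.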
For parity endpoints added for WAGO-backed channels, reads stay path/query-driven where they identify a resource cleanly, while command/action endpoints use body-driven POST routes. Examples:
  • messages: POST /v1/messages/react, POST /v1/messages/read, POST /v1/messages/edit, POST /v1/messages/delete
  • chats: POST /v1/chats/pin, POST /v1/chats/archive, POST /v1/chats/history-sync
  • groups: POST /v1/groups/participants, POST /v1/groups/invite-link, POST /v1/groups/leave
  • newsletters: POST /v1/newsletters/subscribe, POST /v1/newsletters/invite-link
For WAGO-backed channels specifically, invite-link generation remains provider-unsupported and returns a stable 400 client error.