Permissions

Marvia API uses permission-scoped API keys to securely control access to its features. Each API key can be assigned specific permissions for different entities (e.g., Locations, Users, Groups). These permissions determine which actions are allowed when using the key.

Why Permissions Matter

Having granular permissions helps to:

Enforce the principle of least privilege

Protect sensitive operations like user management

Limit the damage if an API key is ever exposed

If an API request is made without the required permission, it will be denied with a clear error response. For example:

{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Missing permission: read:locations"
  }
}

Permission Format

Each permission follows the format: <action>:<entity>

Examples:

read:locations → Read Locations (List or Get details)

create:users → Create Users

update:groups → Update Groups

delete:locations → Delete Locations

API endpoints map to permissions based on their HTTP method:

HTTP Method	Action	Required Permission
`GET`	Read data	`read:<entity>`
`POST`	Create data	`create:<entity>`
`PUT`/`PATCH`	Update data	`update:<entity>`
`DELETE`	Delete data	`delete:<entity>`

Example: List Locations

Required Permission: read:locations

Editing Permissions

To modify permissions for an existing key:

Go to Settings → Connections → Marvia API

Locate the relevant API key

Click Edit

API Keys

Add or remove permissions as needed

API Keys

Save changes

View permissions applied to confirm (optional)

API Keys

Permissions

Why Permissions Matter#

Permission Format#

Example: List Locations#

Editing Permissions#

Why Permissions Matter

Permission Format

Example: List Locations

Editing Permissions