Role

Create a temporary permission grant

post

/v1/{organization}/role/temporary_permission_grant/

Create a new temporary permission grant.

The user that is given the grant will be able to perform actions permitted by the grant for a limited amount of time. Note that any actions that require comparing the permissions of the user and the permissions of another entity would still use the user and the other entity's role, without factoring into the temporary permission grants.

Permissions

This endpoint requires the following permissions:

Role:CreateTemporaryPermissionGrant for the grant to create.

Authorizations

AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

An optional organization identifier that indicates from which organization the token is issued. This is used in rare cases where the user to authenticate is making a request for resources in another organization.

Path parameters

organizationstringRequired

Header parameters

x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional

nullOptional

Sec-WebSocket-Protocolstring[]OptionalDefault: []

Body

user_idstringRequired

The ID of the user to grant the temporary permission to.

durationstring · durationRequired

In ISO8601 format, the duration that this permission grant will last.

justificationstring · min: 10Required

A justification for why this grant is made.

Responses

201

Succeeded

application/json

401

Invalid authorization credentials.

403

Missing required permissions.

404

Specified organization or user is not found.

422

Invalid request path parameter or request body failed validation.

429

The user has exceeded the rate limit of 100 requests per minute for this endpoint.

503

The service is going through temporary maintenance.

post

/v1/{organization}/role/temporary_permission_grant/

POST /v1/{organization}/role/temporary_permission_grant/ HTTP/1.1
Host: api.amigo.ai
Authorization: Bearer YOUR_SECRET_TOKEN
X-ORG-ID: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 219

{
  "user_id": "text",
  "duration": "text",
  "permission_grant": {
    "permission_name": "text",
    "conditions": {
      "ANY_ADDITIONAL_PROPERTY": {
        "type": "Equals",
        "value": null
      }
    }
  },
  "tags": {
    "ANY_ADDITIONAL_PROPERTY": "text"
  },
  "justification": "text"
}

{
  "temporary_permission_grant_id": "text",
  "expires_at": "2026-03-13T17:21:00.352Z"
}

Get temporary permission grants

get

/v1/{organization}/role/temporary_permission_grants/

Retrieve the temporary permission grants that match the given filters.

Permissions

This endpoint may be impacted by the following permissions:

Only temporary permission grants that the authenticated user has Role:GetTemporaryPermissionGrant permission for will be returned.

Authorizations

AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

Path parameters

organizationstringRequired

Query parameters

idstring[]Optional

The IDs of the temporary permission grants to retrieve.

Default: []

user_idstring[]Optional

The user IDs of the temporary permission grants to retrieve.

Default: []

permission_grant_nameany ofOptional

The permission name of the grants.

stringOptional

nullOptional

is_expiredany ofOptional

Whether to only return expired or unexpired temporary permission grants.

booleanOptional

nullOptional

limitinteger · max: 10Optional

The maximum number of temporary permission grants to return.

Default: 10

continuation_tokenintegerOptional

The continuation token to use to retrieve the next set of temporary permission grants.

Default: 0

creatorstring[]Optional

The creators of the temporary permission grants.

Default: []

tagstring[]Optional

The tags of the temporary permission grants. Must be specified using the syntax key:value, which means to match all sets with the given key and value pair among its tags. If value is *, it means the value does not matter. If value is empty, it matches against when the value is None.

Default: []

sort_bystring[]Optional

The fields to sort the sets by. Supported fields are user_id, expires_at, and permission_grant.permission_name. Specify a + before the field name to indicate ascending sorting and - for descending sorting. Multiple fields can be specified to break ties.

Default: []

Header parameters

x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional

nullOptional

Sec-WebSocket-Protocolstring[]OptionalDefault: []

Responses

200

Succeeded.

application/json

has_morebooleanRequired

Whether there are more temporary permission grants to retrieve.

continuation_tokenany ofRequired

The continuation token to use to retrieve the next set of temporary permission grants.

integerOptional

nullOptional

401

Invalid authorization credentials.

403

Missing required permissions.

404

Specified organization is not found.

422

Invalid request path parameter or request query parameter failed validation.

429

The user has exceeded the rate limit of 100 requests per minute for this endpoint.

503

The service is going through temporary maintenance.

get

/v1/{organization}/role/temporary_permission_grants/

GET /v1/{organization}/role/temporary_permission_grants/ HTTP/1.1
Host: api.amigo.ai
Authorization: Bearer YOUR_SECRET_TOKEN
X-ORG-ID: YOUR_API_KEY
Accept: */*

{
  "temporary_permission_grants": [
    {
      "_id": "text",
      "org_id": "text",
      "created_at": "2026-03-13T17:21:00.352Z",
      "updated_at": "2026-03-13T17:21:00.352Z",
      "user_id": "text",
      "expires_at": "2026-03-13T17:21:00.352Z",
      "permission_grant": {
        "permission_name": "text",
        "conditions": {
          "ANY_ADDITIONAL_PROPERTY": {
            "type": "Equals",
            "value": null
          }
        }
      },
      "justification": "text",
      "creator": {
        "org_id": "text",
        "user_id": "text"
      },
      "tags": {
        "ANY_ADDITIONAL_PROPERTY": "text"
      }
    }
  ],
  "has_more": true,
  "continuation_token": 1
}

Get roles

get

/v1/{organization}/role/

Return a list of roles in this organization.

Permissions

This endpoint may be impacted by the following permissions:

Only roles that the authenticated user has the Role:GetRole permission on will be returned.

Authorizations

AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

Path parameters

organizationstringRequired

Query parameters

return_permission_grantsbooleanOptional

Whether to return permission grants.

Default: false

idstring[]Optional

The IDs of the roles to retrieve.

Default: []

namestring[]Optional

The names of the roles to retrieve.

Default: []

Header parameters

x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional

nullOptional

Sec-WebSocket-Protocolstring[]OptionalDefault: []

Responses

200

Succeeded

application/json

401

Invalid authorization credentials.

403

Missing required permissions.

404

Specified organization is not found.

422

Invalid request path parameter or request query parameter failed validation.

429

The user has exceeded the rate limit of 20 requests per minute for this endpoint.

503

The service is going through temporary maintenance.

get

/v1/{organization}/role/

GET /v1/{organization}/role/ HTTP/1.1
Host: api.amigo.ai
Authorization: Bearer YOUR_SECRET_TOKEN
X-ORG-ID: YOUR_API_KEY
Accept: */*

{
  "roles": [
    {
      "id": "text",
      "name": "text",
      "description": "text",
      "frontend_view": "client",
      "permission_grants": [
        {
          "permission_name": "text",
          "conditions": {
            "ANY_ADDITIONAL_PROPERTY": {
              "type": "Equals",
              "value": null
            }
          }
        }
      ]
    }
  ]
}

Create a role

post

/v1/{organization}/role/

Create a new role.

Permissions

This endpoint requires the following permissions:

Role:CreateRole for the role.

Authorizations

AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

Path parameters

organizationstringRequired

Header parameters

x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional

nullOptional

Sec-WebSocket-Protocolstring[]OptionalDefault: []

Body

role_namestring · min: 1 · max: 256Required

The name of the role to create. The role must have a max length of 256 characters.

descriptionstring · min: 1Required

A description about the role.

frontend_viewstring · enumRequired

The frontend view for users of this role.

Possible values:

Responses

201

Succeeded

application/json

401

Invalid authorization credentials.

403

Missing required permissions.

404

Specified organization or inherited role is not found.

409

Role with the same name already exists in this organization.

422

Invalid request path parameter or request body failed validation.

429

The user has exceeded the rate limit of 20 requests per minute for this endpoint.

503

The service is going through temporary maintenance.

post

/v1/{organization}/role/

POST /v1/{organization}/role/ HTTP/1.1
Host: api.amigo.ai
Authorization: Bearer YOUR_SECRET_TOKEN
X-ORG-ID: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 187

{
  "role_name": "text",
  "description": "text",
  "permission_grants": [
    {
      "permission_name": "text",
      "conditions": {
        "ANY_ADDITIONAL_PROPERTY": {
          "type": "Equals",
          "value": null
        }
      }
    }
  ],
  "frontend_view": "client"
}

{
  "role_id": "text"
}

Modify a role

post

/v1/{organization}/role/{role_name}

Modify an existing role. The roles are modified in-place unless immutable fields are modified, in which case a new role with the same name is created, and all users/API keys assigned to the previous role are switched to the new role. The old role document will expire after 1 day.

Permissions

This endpoint requires the following permissions:

Role:ModifyRole for the role.

This endpoint may require the authenticated user to have great privileges than the new role if a new role document is created as a result of immutable field changes.

Authorizations

AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

Path parameters

role_namestringRequired

The name of the role.

organizationstringRequired

Header parameters

x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional

nullOptional

Sec-WebSocket-Protocolstring[]OptionalDefault: []

Body

descriptionany ofOptional

A description about the role. Only updated if specified. This field is a mutable field.

string · min: 1Optional

nullOptional

permission_grantsany ofOptional

A list of permission grants associated with this role. Only updated if specified. This field is an immutable field.

nullOptional

frontend_viewany ofOptional

The frontend view for the user of this role. Only updated if specified. This field is an immutable field.

string · enumOptionalPossible values:

nullOptional

Responses

200

Succeeded

application/json

role_idstringRequired

The identifier of the updated role.

400

Base roles cannot inherit from other roles.

401

Invalid authorization credentials.

403

Missing required permissions.

404

Specified organization, role, or inherited role is not found.

422

Invalid request path parameter or request body failed validation.

429

The user has exceeded the rate limit of 10 requests per minute for this endpoint.

503

The service is going through temporary maintenance.

post

/v1/{organization}/role/{role_name}

POST /v1/{organization}/role/{role_name} HTTP/1.1
Host: api.amigo.ai
Authorization: Bearer YOUR_SECRET_TOKEN
X-ORG-ID: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 168

{
  "description": "text",
  "permission_grants": [
    {
      "permission_name": "text",
      "conditions": {
        "ANY_ADDITIONAL_PROPERTY": {
          "type": "Equals",
          "value": null
        }
      }
    }
  ],
  "frontend_view": "client"
}

{
  "role_id": "text"
}

Assign a role to user

post

/v1/{organization}/role/{role_name}/assign

Assign a role to a user.

Permissions

This endpoint requires the following permissions:

The authenticated user to have greater privileges than the role being assigned.

Authorizations

AuthorizationstringRequired

The username should be set to {org_id}_{user_id}, and the password should be the Amigo issued JWT token that identifies the user.

AuthorizationstringRequired

Amigo issued JWT token that identifies an user. It's issued either after logging in through the frontend, or manually through the SignInWithAPIKey endpoint.

X-ORG-IDstringRequired

Path parameters

organizationstringRequired

role_namestringRequired

The name of the role to assign.

Header parameters

x-mongo-cluster-nameany ofOptional

The Mongo cluster name to perform this request in. This is usually not needed unless the organization does not exist yet in the Amigo organization infra config database.

stringOptional

nullOptional

Sec-WebSocket-Protocolstring[]OptionalDefault: []

Body

user_idstringRequired

The identifier of the user to assign the role to.

Responses

200

Succeeded

application/json

role_idstringRequired

The identifier of the role assigned to the user.

401

Invalid authorization credentials.

403

Missing required permissions.

404

Specified organization, role, or user is not found.

422

Invalid request path parameter or request body failed validation.

429

The user has exceeded the rate limit of 1000 requests per minute for this endpoint.

503

The service is going through temporary maintenance.

post

/v1/{organization}/role/{role_name}/assign

POST /v1/{organization}/role/{role_name}/assign HTTP/1.1
Host: api.amigo.ai
Authorization: Bearer YOUR_SECRET_TOKEN
X-ORG-ID: YOUR_API_KEY
Content-Type: application/json
Accept: */*
Content-Length: 18

{
  "user_id": "text"
}

{
  "role_id": "text"
}

PreviousUser NextAdmin

Last updated 5 minutes ago

Was this helpful?

Good evening

hashtagCreate a temporary permission grant

hashtagGet temporary permission grants

hashtagGet roles

hashtagCreate a role

hashtagModify a role

hashtagAssign a role to user

Create a temporary permission grant

Get temporary permission grants

Get roles

Create a role

Modify a role

Assign a role to user