Qeet Docs
API reference

Roles & checks

Roles, permissions, user/group assignments, effective permissions, and the single-call /check (with explain).

The full authorization model is in Authorization; this is the endpoint reference. Authenticate with Authorization: ApiKey qk_… (or a Bearer JWT on user routes).

Permissions & roles

GET/v1/permissionsList platform permissions
POST/v1/tenants/{tenantID}/rolesCreate a role
GET/v1/tenants/{tenantID}/rolesList roles
POST/v1/roles/{roleID}/permissions/{permID}Grant a permission to a role
DELETE/v1/roles/{roleID}/permissions/{permID}Revoke a permission from a role

Assignments

PUT/v1/users/{userID}/tenants/{tenantID}/roles/{roleID}Assign a role to a user
DELETE/v1/users/{userID}/tenants/{tenantID}/roles/{roleID}Unassign a role from a user
PUT/v1/tenants/{tenantID}/groups/{groupID}/roles/{roleID}Grant a role to a group
GET/v1/users/{userID}/tenants/{tenantID}/permissionsEffective permissions

Check

A single call answers "may this principal do X?". Add ?explain=true for the grant-path trace.

GET/v1/checkAuthorize an action
Bash
curl "https://api.qeetid.com/v1/check?user_id=$U&tenant_id=$T&permission=billing:write" \
  -H "Authorization: ApiKey $QEETID_API_KEY"
# → { "allowed": true }
with explain
Bash
curl "https://api.qeetid.com/v1/check?user_id=$U&tenant_id=$T&permission=billing:write&explain=true" \
  -H "Authorization: ApiKey $QEETID_API_KEY"
# → { "allowed": true, "paths": [ { "granted_by": "role:…", "via": "group:…" } ] }

See Authorization → Explainable authz for the full response shape.

Tenants

Tenant (workspace) lifecycle and the per-tenant configuration endpoints.

Sessions

Login, refresh-token rotation, the current-principal endpoint, and session list/revoke.

On this page

Permissions & rolesAssignmentsCheck