Planned feature : The endpoints described on this page are part of the planned API design and are not yet implemented in the current codebase.
The planned Roles API will allow you to create and manage custom roles with fine-grained permissions. Roles will define what actions users can perform within an organization.
Authentication All role endpoints require authentication using a JWT bearer token in the Authorization header:
Authorization: Bearer YOUR_JWT_TOKEN
Get roles This endpoint returns roles available within the specified organization. System-defined roles (owner, admin, member, viewer) are included along with any custom roles.
Retrieves a list of roles. You can filter and sort the results using query parameters.
Query parameters Organization ID to retrieve roles from (UUID)
The page number for pagination
Number of roles to return per page (maximum 100)
Field to sort by. Options: name, createdAt, updatedAt
Sort order. Options: asc, desc
Filter by role type. Options: system, custom
Search roles by name or description
Response Array of role objects Unique identifier for the role (UUID)
Role name (e.g., “admin”, “member”, “billing-manager”)
Description of the role’s purpose and permissions
Role type. Options: system (built-in, cannot be modified), custom (user-defined)
Organization this role belongs to (UUID)
Array of permission strings granted to this role Show Available permissions
View organization details
Update organization settings
View users in the organization
Remove users from the organization
View roles and permissions
Number of users assigned to this role
Whether this is the default role for new organization members
Custom metadata key-value pairs
ISO 8601 timestamp when the role was created
ISO 8601 timestamp when the role was last updated
Example request curl -X GET "https://api.orgstack.io/api/roles?organizationId=550e8400-e29b-41d4-a716-446655440000&page=1&limit=10" \ -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \ -H "Content-Type: application/json"
Example response { "data" : [ { "id" : "a1b2c3d4-e5f6-4a5b-8c7d-9e0f1a2b3c4d" , "name" : "admin" , "displayName" : "Administrator" , "description" : "Full access to all organization resources and settings" , "type" : "system" , "organizationId" : "550e8400-e29b-41d4-a716-446655440000" , "permissions" : [ "organizations.read" , "organizations.update" , "users.read" , "users.create" , "users.update" , "users.delete" , "roles.read" , "roles.create" , "roles.update" , "roles.delete" , "roles.assign" ], "userCount" : 3 , "isDefault" : false , "metadata" : {}, "createdAt" : "2024-01-15T08:30:00.000Z" , "updatedAt" : "2024-01-15T08:30:00.000Z" }, { "id" : "b2c3d4e5-f6a7-5b6c-9d8e-0f1a2b3c4d5e" , "name" : "member" , "displayName" : "Member" , "description" : "Standard member with read and write access to most resources" , "type" : "system" , "organizationId" : "550e8400-e29b-41d4-a716-446655440000" , "permissions" : [ "organizations.read" , "users.read" , "roles.read" ], "userCount" : 15 , "isDefault" : true , "metadata" : {}, "createdAt" : "2024-01-15T08:30:00.000Z" , "updatedAt" : "2024-01-15T08:30:00.000Z" }, { "id" : "c3d4e5f6-a7b8-6c7d-0e9f-1a2b3c4d5e6f" , "name" : "billing-manager" , "displayName" : "Billing Manager" , "description" : "Manages billing, subscriptions, and payment methods" , "type" : "custom" , "organizationId" : "550e8400-e29b-41d4-a716-446655440000" , "permissions" : [ "organizations.read" , "billing.read" , "billing.update" , "subscriptions.read" , "subscriptions.update" , "invoices.read" ], "userCount" : 2 , "isDefault" : false , "metadata" : { "department" : "Finance" , "createdBy" : "[email protected]" }, "createdAt" : "2024-03-10T14:20:00.000Z" , "updatedAt" : "2024-03-10T14:20:00.000Z" } ], "pagination" : { "page" : 1 , "limit" : 10 , "total" : 3 , "totalPages" : 1 } }
{ "error" : { "code" : "UNAUTHORIZED" , "message" : "Invalid or missing authentication token" } }
{ "error" : { "code" : "FORBIDDEN" , "message" : "You do not have permission to view roles in this organization" } }
{ "error" : { "code" : "NOT_FOUND" , "message" : "Organization not found" } }
Create role Creating custom roles requires roles.create permission. System roles (owner, admin, member, viewer) cannot be created or modified. Only custom roles can be created and edited.
Creates a new custom role with specified permissions. Role names must be unique within an organization.
Request body Role name (3-50 characters, lowercase letters, numbers, and hyphens only)
Human-readable role name (2-100 characters)
Description of the role’s purpose (up to 500 characters)
Organization ID to create the role in (UUID)
Array of permission strings to grant to this role. Must include at least one permission. Show Available permissions
organizations.read - View organization detailsorganizations.update - Update organization settingsorganizations.delete - Delete the organizationusers.read - View usersusers.create - Create usersusers.update - Update usersusers.delete - Delete usersroles.read - View rolesroles.create - Create rolesroles.update - Update rolesroles.delete - Delete rolesroles.assign - Assign roles to usersbilling.read - View billing informationbilling.update - Update billing settingssubscriptions.read - View subscriptionssubscriptions.update - Manage subscriptionsinvoices.read - View invoicesapi-keys.read - View API keysapi-keys.create - Create API keysapi-keys.delete - Delete API keys Whether this should be the default role for new members. Only one role can be default per organization.
Custom metadata as key-value pairs (optional)
Response Returns the created role object with all fields populated, including generated id, createdAt, and updatedAt timestamps.
Unique identifier for the role (UUID)
Role type (always custom for created roles)
Array of granted permissions
Number of users with this role (0 for new roles)
Whether this is the default role
ISO 8601 timestamp when created
ISO 8601 timestamp when last updated
Example request curl -X POST "https://api.orgstack.io/api/roles" \ -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \ -H "Content-Type: application/json" \ -d '{ "name": "content-editor", "displayName": "Content Editor", "description": "Can create and edit content but cannot publish or delete", "organizationId": "550e8400-e29b-41d4-a716-446655440000", "permissions": [ "organizations.read", "content.read", "content.create", "content.update", "media.read", "media.upload" ], "isDefault": false, "metadata": { "department": "Marketing", "accessLevel": "standard" } }'
Example response { "id" : "d4e5f6a7-b8c9-7d8e-1f0a-2b3c4d5e6f7a" , "name" : "content-editor" , "displayName" : "Content Editor" , "description" : "Can create and edit content but cannot publish or delete" , "type" : "custom" , "organizationId" : "550e8400-e29b-41d4-a716-446655440000" , "permissions" : [ "organizations.read" , "content.read" , "content.create" , "content.update" , "media.read" , "media.upload" ], "userCount" : 0 , "isDefault" : false , "metadata" : { "department" : "Marketing" , "accessLevel" : "standard" }, "createdAt" : "2026-03-01T10:30:00.000Z" , "updatedAt" : "2026-03-01T10:30:00.000Z" }
{ "error" : { "code" : "VALIDATION_ERROR" , "message" : "Invalid request body" , "details" : [ { "field" : "permissions" , "message" : "At least one permission is required" }, { "field" : "name" , "message" : "Role name must contain only lowercase letters, numbers, and hyphens" } ] } }
{ "error" : { "code" : "UNAUTHORIZED" , "message" : "Invalid or missing authentication token" } }
{ "error" : { "code" : "FORBIDDEN" , "message" : "You do not have permission to create roles in this organization" } }
{ "error" : { "code" : "NOT_FOUND" , "message" : "Organization not found" } }
{ "error" : { "code" : "CONFLICT" , "message" : "A role with this name already exists in the organization" } }
Permission hierarchy Permissions follow a hierarchical structure. Some permissions implicitly grant related permissions:
organizations.delete includes organizations.update and organizations.readusers.delete includes users.update and users.readroles.assign includes roles.read When designing custom roles, consider the minimum permissions needed for the role’s purpose. Error codes The Roles API may return the following error codes:
Code Description UNAUTHORIZEDMissing or invalid authentication token FORBIDDENInsufficient permissions to perform the action VALIDATION_ERRORRequest body validation failed CONFLICTResource conflict (e.g., duplicate role name) NOT_FOUNDRole or organization not found RATE_LIMIT_EXCEEDEDToo many requests, please retry later INTERNAL_ERRORUnexpected server error