Skip to content

Roles & Permissions API

Role-based access control with system roles and custom role support. Forgexa has roles at two levels: organization and workspace.

Organization Roles

RoleDescription
ownerFull control including ownership transfer and deletion. One per org.
adminManage members, invitations, integrations, budgets, audit logs, templates.
memberView org data, access workspaces, create workspaces.

Organization admins automatically have admin-level access to all workspaces within the organization.

Workspace Roles (System)

RoleDescription
ownerFull control including ownership transfer
adminWorkspace/project management, member management
developerCreate/execute work items, review gates
viewerRead-only access

Permission Matrix

Get the full permission matrix for all system roles.

http
GET /api/v1/permissions/matrix
Authorization: Bearer <token>

Response 200 OK

json
{
  "permissions": [
    "project:read",
    "project:create",
    "requirement:read",
    "execution:execute",
    "gate:review",
    "deployment:trigger"
  ],
  "descriptions": {
    "project:read": "View projects and their settings",
    "execution:execute": "Start new execution pipelines",
    "gate:review": "Submit gate reviews (approve/reject)"
  },
  "roles": {
    "viewer": ["project:read", "requirement:read", "execution:read"],
    "developer": ["project:read", "requirement:create", "execution:execute", "gate:review"],
    "admin": ["project:create", "project:update", "deployment:trigger"],
    "owner": ["project:delete", "workspace:settings"]
  }
}

Custom Roles

List Roles

Returns both system roles and workspace-scoped custom roles.

http
GET /api/v1/workspaces/{workspace_id}/roles
Authorization: Bearer <token>

Create Custom Role

Requires admin role.

http
POST /api/v1/workspaces/{workspace_id}/roles
Authorization: Bearer <token>
Content-Type: application/json

{
  "name": "QA Lead",
  "description": "Can review gates and manage QA suites",
  "permissions": [
    "project:read",
    "requirement:read",
    "execution:read",
    "gate:read",
    "gate:review",
    "qa:read",
    "qa:execute",
    "qa:manage"
  ]
}

Update Custom Role

http
PUT /api/v1/workspaces/{workspace_id}/roles/{role_id}
Authorization: Bearer <token>

System roles cannot be modified.

Delete Custom Role

http
DELETE /api/v1/workspaces/{workspace_id}/roles/{role_id}
Authorization: Bearer <token>

System roles cannot be deleted.

Forgexa — AI Software Factory