Skip to main content

Permissions Reference

This page is auto-generated. Do not edit manually — run pnpm generate-permissions-page to regenerate.

Complete list of all IAM permission actions, grouped by module. Use these strings in the action field of a policy statement.

See IAM & Policies for how policies are evaluated.

Actors

PermissionDescription
actors:ListActorsList actors in a project
actors:CreateActorCreate a new actor
actors:GetActorGet an actor by ID
actors:UpdateActorUpdate an actor
actors:DeleteActorDelete an actor

Agents

PermissionDescription
agents:CreateAgentCreate a new agent
agents:ListAgentsList agents in a project
agents:GetAgentGet an agent by ID
agents:UpdateAgentUpdate an agent
agents:DeleteAgentDelete an agent
agents:CreateAgentGenerationRun a generation for an agent
agents:CreateAgentGenerationSubmit tool outputs to resume a paused generation

Ai Providers

PermissionDescription
ai-providers:ListAiProvidersList AI providers in a project
ai-providers:CreateAiProviderCreate an AI provider
ai-providers:GetAiProviderGet an AI provider by ID
ai-providers:UpdateAiProviderUpdate an AI provider
ai-providers:DeleteAiProviderDelete an AI provider
ai-providers:GetAiProviderPricesList per-provider price overrides for an AI provider
ai-providers:ManageAiProviderPricesUpsert per-provider price overrides for an AI provider

Api Keys

PermissionDescription
api-keys:ListApiKeysList API keys owned by the caller
api-keys:CreateApiKeyCreate a new API key
api-keys:GetApiKeyGet an API key by ID (owner only)
api-keys:UpdateApiKeyUpdate an API key's policy (owner only)
api-keys:DeleteApiKeyDelete an API key (owner only)

Chats

PermissionDescription
chats:CreateChatCreate a new chat
chats:ListChatsList chats in a project
chats:GetChatGet a chat by ID
chats:DeleteChatDelete a chat
chats:CreateChatCompletionForChatGenerate a chat completion within a stored chat
chats:CreateChatCompletionGenerate a stateless chat completion

Conversations

PermissionDescription
conversations:ListConversationsList conversations in a project
conversations:CreateConversationCreate a new conversation
conversations:GetConversationGet a conversation by ID
conversations:UpdateConversationUpdate a conversation's status
conversations:DeleteConversationDelete a conversation
conversations:GetConversationList messages in a conversation
conversations:UpdateConversationAdd a message to a conversation
conversations:UpdateConversationRemove a message from a conversation
conversations:GenerateConversationMessageGenerate the next message in a conversation

Discussions

PermissionDescription
discussions:ListDiscussionsList discussions in a project
discussions:CreateDiscussionCreate a new discussion
discussions:GetDiscussionGet a discussion by ID
discussions:UpdateDiscussionUpdate a discussion
discussions:DeleteDiscussionDelete a discussion
discussions:CreateDiscussionRunInvoke a discussion, creating a run
discussions:ListDiscussionRunsList the runs of a discussion
discussions:GetDiscussionRunGet a discussion run by ID

Documents

PermissionDescription
documents:ListDocumentsList documents in a project
documents:CreateDocumentCreate a new document
documents:GetDocumentGet a document by ID
documents:GetDocumentGet a document's lightweight ingestion status
documents:UpdateDocumentUpdate a document
documents:DeleteDocumentDelete a document
documents:IngestDocumentIngest a file (PDF or text) into a chunked document
documents:IngestDocumentRe-ingest an existing document from its source file

Resource Identifiers

PatternDescription
soat:{project_id}:document:{id}Specific document by ID
soat:{project_id}:document:{path}Document at a logical path
soat:{project_id}:document:/prefix/*All documents under a path prefix
soat:{project_id}:document:*All documents in a project

Embeddings

PermissionDescription
embeddings:CreateEmbeddingsGenerate text embeddings using the server's embedding model

Files

PermissionDescription
files:GetFileList files in a project
files:CreateFileCreate a metadata-only file record
files:UploadFileUpload a file (multipart)
files:UploadFileUpload a file (base64-encoded)
files:GetFileGet file metadata by ID
files:DownloadFileDownload file content
files:DownloadFileDownload file content as base64
files:UpdateFileMetadataUpdate file metadata
files:DeleteFileDelete a file

Resource Identifiers

PatternDescription
soat:{project_id}:file:{id}Specific file by ID
soat:{project_id}:file:/path/to/file.extFile at an exact logical path
soat:{project_id}:file:/prefix/*All files under a path prefix
soat:{project_id}:file:*All files in a project

Formations

PermissionDescription
formations:ValidateFormationValidate a formation template
formations:PlanFormationPlan a formation deployment
formations:CreateFormationCreate a new agent formation stack
formations:ListFormationsList formation stacks in a project
formations:GetFormationGet a formation stack by ID
formations:UpdateFormationUpdate a formation stack by applying a new template
formations:DeleteFormationDelete a formation stack and all its managed resources
formations:ListFormationEventsList operation events for a formation stack

Generations

PermissionDescription
generations:ListGenerationsList generations, optionally filtered by agent, trace, or status
generations:GetGenerationGet a generation record by ID

Ingestion Rules

PermissionDescription
ingestion-rules:ListIngestionRulesList ingestion rules in a project
ingestion-rules:CreateIngestionRuleCreate a new ingestion rule
ingestion-rules:GetIngestionRuleGet an ingestion rule by ID
ingestion-rules:UpdateIngestionRuleUpdate an ingestion rule
ingestion-rules:DeleteIngestionRuleDelete an ingestion rule

Knowledge

PermissionDescription
knowledge:SearchKnowledgeSearch across documents and knowledge sources

Memories

PermissionDescription
memories:ListMemoriesList memory configurations in a project
memories:CreateMemoryCreate a new memory configuration
memories:GetMemoryGet a memory configuration by ID
memories:UpdateMemoryUpdate a memory configuration
memories:DeleteMemoryDelete a memory configuration
memories:ListMemoryEntriesList entries in a memory
memories:CreateMemoryEntryCreate a new memory entry
memories:GetMemoryEntryGet a memory entry by ID
memories:UpdateMemoryEntryUpdate a memory entry
memories:DeleteMemoryEntryDelete a memory entry

Orchestrations

PermissionDescription
orchestrations:CreateOrchestrationCreate an orchestration
orchestrations:ValidateOrchestrationStatically validate an orchestration graph
orchestrations:ListOrchestrationsList orchestrations in a project
orchestrations:GetOrchestrationGet an orchestration by ID
orchestrations:UpdateOrchestrationUpdate an orchestration
orchestrations:DeleteOrchestrationDelete an orchestration
orchestrations:StartRunStart a new orchestration run
orchestrations:ListRunsList runs for an orchestration
orchestrations:GetRunGet an orchestration run by ID
orchestrations:CancelRunCancel a running or paused orchestration run
orchestrations:SubmitHumanInputSubmit human input to a paused orchestration run
orchestrations:ResumeRunResume a paused orchestration run from its last checkpoint

Policies

PermissionDescription
policies:ListPoliciesList all policies (admin only)
policies:CreatePolicyCreate a new policy (admin only)
policies:GetPolicyGet a policy by ID (admin only)
policies:UpdatePolicyUpdate a policy (admin only)
policies:DeletePolicyDelete a policy (admin only)

Projects

PermissionDescription
projects:CreateProjectCreate a new project (admin only)
projects:GetProjectGet a project by ID
projects:UpdateProjectRename a project (admin only)
projects:DeleteProjectDelete a project (admin only)
projects:GetProjectPricesList a project's per-provider-slug price rows
projects:ManageProjectPricesUpsert a project's per-provider-slug price rows

Secrets

PermissionDescription
secrets:ListSecretsList secrets in a project
secrets:CreateSecretCreate a new secret
secrets:GetSecretGet a secret by ID (value is never returned)
secrets:UpdateSecretUpdate a secret's value
secrets:DeleteSecretDelete a secret

Sessions

PermissionDescription
agents:CreateSessionCreate a new session for an agent
agents:ListSessionsList sessions
agents:GetSessionGet a session
agents:UpdateSessionUpdate session name, status, or tags
agents:DeleteSessionDelete a session
agents:SendSessionMessageSave a user message or trigger generation
agents:SendSessionMessageGenerate an assistant response in a session
agents:SubmitSessionToolOutputsSubmit tool outputs for client tools in a session

Tools

PermissionDescription
tools:CreateToolCreate a tool
tools:ListToolsList tools in a project
tools:GetToolGet a tool by ID
tools:UpdateToolUpdate a tool
tools:DeleteToolDelete a tool
tools:CallToolCall (invoke) a tool directly

Traces

PermissionDescription
traces:ListTracesList execution traces in a project
traces:GetTraceGet a trace by ID
traces:GetTraceTreeGet the full execution tree for a trace

Triggers

PermissionDescription
triggers:ListTriggersList triggers in a project
triggers:CreateTriggerCreate a new trigger
triggers:GetTriggerGet a trigger by ID
triggers:UpdateTriggerUpdate a trigger
triggers:DeleteTriggerDelete a trigger
triggers:FireTriggerFire a trigger manually
triggers:GetTriggerSecretRetrieve the signing secret for a webhook trigger
triggers:RotateTriggerSecretRotate the signing secret for a webhook trigger
triggers:ListTriggerFiringsList firings for a trigger
triggers:GetTriggerFiringGet details of a specific trigger firing

Usage

PermissionDescription
usage:ListUsageMetersList raw usage-meter rows, optionally filtered by agent or generation
usage:GetReceiptGet a billing receipt for a generation
usage:GetPriceBookRead the global price book
usage:ManagePriceBookUpsert price-book rows (admin only)

Users

PermissionDescription
users:ListUsersList all users
users:CreateUserCreate a new user
users:GetUserGet a user by ID
users:DeleteUserDelete a user
users:AttachUserPoliciesReplace the full set of policies attached to a user

Webhooks

PermissionDescription
webhooks:ListWebhooksList webhooks in a project
webhooks:CreateWebhookCreate a new webhook
webhooks:GetWebhookGet a webhook by ID
webhooks:UpdateWebhookUpdate a webhook
webhooks:DeleteWebhookDelete a webhook
webhooks:RotateWebhookSecretRotate the signing secret for a webhook
webhooks:GetWebhookSecretRetrieve the signing secret for a webhook
webhooks:ListWebhookDeliveriesList delivery attempts for a webhook
webhooks:GetWebhookDeliveryGet details of a specific webhook delivery