Management API permissions control what users assigned to a role can see in the Hygraph UI, and what actions Permanent Auth Tokens (PATs) can perform through the Management API. The same set of permissions is available for both custom roles and Permanent Auth Tokens (PATs), but their defaults and behaviors differ.
There are two types of Management API permissions:
- View permissions control UI visibility. Granting or revoking these shows or hides buttons, tabs, and sections in the interface for users assigned to that role. For example, the
Create new entries permission controls whether the + Add entry button appears in the content editor. It does not grant the ability to create entries through the API.
- Action permissions control what can be done via the Management API, such as creating models, updating fields, or managing webhooks.
This distinction is especially important for PATs. Granting a UI-only permission to a token has no effect, since tokens do not interact with the UI. Content creation through the API requires the appropriate Content API permissions, not Management API permissions.
Management API permissions are global. They apply across all environments in a project.
#Roles vs PATs: a key distinction
Understanding how Management API permissions behave differently for roles and PATs will save you a lot of confusion when configuring access.
-
Roles - Management API permissions primarily control UI visibility. Granting a permission shows a button, tab, or section to users assigned to that role. Revoking it hides it. If a user lacks a permission, the effect is visible in the interface. They may not see a button, get an error when accessing a restricted area, or in some cases be logged out.
- Defaults cover the read permissions needed to navigate the Hygraph UI correctly. Anything beyond that must be added manually.
-
PATs - Management API permissions control API access. If a token lacks a permission, the API call fails with an insufficient permissions error. There is no UI involved.
- Defaults cover
create and read permissions suited for programmatic API access.
This distinction matters because some permissions are UI-only. They control what users see in the Hygraph interface but have no effect on what a PAT can do programmatically. The most common example is Create new entries, which shows or hides the + Add entry button in the content editor. Granting this to a PAT does nothing, because PATs do not interact with the UI and content creation is handled by the Content API, not the Management API.
Permissions marked as UI-only in the tables below have no effect on PAT behavior. For PATs, content operations such as creating, updating, publishing, and deleting entries should be configured under the token's content API permissions.
#How they differ from content permissions
Content permissions govern access to your project's content entries (read, create, update, delete, publish, unpublish). Management API permissions govern access to your project's structural and configuration elements, such as schema, environments, roles, webhooks, and so on.
#Roles
Hygraph provides five system roles, Owner, Admin, Developer, Editor, and Contributor, each with a predefined permission set that reflects its responsibilities. For example, an Editor cannot access the API Playground, while an Admin or Developer can.
Every custom role is assigned a set of default Management API permissions on creation. These defaults cover the minimum needed to use the Hygraph UI correctly. All additional permissions can be added manually depending on what the role needs to do.
Note that granting a role additional Management API permissions controls UI visibility only. If users also have Content API permissions granting a particular action, they can still perform that action via the API even if the corresponding UI button is hidden. You can grant a role full content permissions while using Management API permissions to hide specific actions in the UI. Users assigned that role can still perform those actions by calling the API directly.
Content and Assets tabs in Studio are governed by the following Management API permissions:
- Content: Read public view groups and Read public content views (not in defaults). Sidebar views also need Read on DRAFT per model via content permissions.
- Assets: Read public view groups and Read public content views + Read content permission on the Asset model. Assets does not appear without access to the Content tab.
- Tables / entries: Content permissions per model and stage.
#Roles - Project & Studio access
| Permission name | Role description | Custom role default |
|---|
| Change the name, picture and description of a project | Allows users to edit project details in Project Settings > General > Project. Without this permission, the section is visible but read-only and grayed out. | No |
| Can use the playground | Without this permission, users cannot see the API Playground in the top-level menu, or the Preview in playground option in the content editor and Assets. | No |
| Read audit logs | Without this permission, users cannot see the Audit logs tab in Project Settings. | No |
| Can see Team Member Settings | Without this permission, the user cannot see the Members tab in Project Settings > Team. | No |
| Can see Role & Permissions Settings | Without this permission, the user cannot see the Roles menu in project settings. | No |
| Can see schema view | Allows the user to see the schema editor. Deselect to hide the schema view for roles where it is not relevant. | No |
| Can see project settings | Without this permission, users cannot see Project Settings in the Studio sidebar or open project settings screens. | Yes |
| Can see environment selector | Without this permission, users cannot see the environment selector in Studio. | Yes |
#Roles - Models, components, fields
| Permission name | Role description | Custom role default |
|---|
| Create new models | Without this permission, a user with Can see schema view can access the schema editor but cannot use the + Add button to create new models. | Yes |
| Read existing models | Without this permission, a user with Can see schema view can access the schema editor but cannot see models in it. | Yes |
| Update existing models | Grants users the ability to edit the Settings tab of models. Users also need permission to read the schema and models. | No |
| Delete existing models | Without this permission, the user cannot see the Delete option for models. | No |
| Create new components | Without this permission, a user with Can see schema view can access the schema editor but cannot use the + Add button to create new components. | Yes |
| Read existing components | Without this permission, a user with Can see schema view can access the schema editor but cannot see components in it. | Yes |
| Update existing components | Grants users the ability to edit the Settings tab of components in the schema editor. Requires Can see schema view, Read existing components, and other read access as needed. Controls schema-level component metadata only. | No |
| Delete existing components | Without this permission, the user cannot see the Delete option in a component's context menu. | No |
| Read existing fields | Without this permission, the user cannot see or access the Fields tab in the UI. | Yes |
| Create new fields | Without this permission, the user cannot see the Fields side panel in the schema editor. | Yes |
| Update existing fields | Allows users to see the Edit button on field cards in models and edit field details. Users must also have permission to read the schema and models. Without this permission, the Edit field button is hidden and the drag-and-drop anchor is not displayed. | No |
| Delete existing fields | Allows users to delete fields from a model in the schema editor. Users must also have permission to read the schema and models. | No |
#Roles - Enumerations
| Permission name | Role description | Custom role default |
|---|
| Read existing enumerations | Without this permission, a user with Can see schema view can access the schema editor but cannot see enumerations in it. | Yes |
| Create new enumerations | Without this permission, a user with Can see schema view can access the schema editor but cannot use the + Add button to create new enumerations. | Yes |
| Update existing enumerations | Grants users the ability to edit enumeration details. Users also need permission to read the schema and enumerations. | No |
| Delete existing enumerations | Without this permission, the Delete option is hidden in the enumeration details context menu. | No |
#Roles - Taxonomies
| Permission name | Role description | Custom role default |
|---|
| Read taxonomy | With Can see schema view, required to open taxonomies and view taxonomy details (including the Settings tab). Without it, users cannot access taxonomy definition screens in the schema area. | Yes |
| Create taxonomy | Without this permission, users with Can see schema view cannot create new taxonomies. Opening existing taxonomies depends on Read taxonomy and schema access. Creating a taxonomy typically also requires Create taxonomy node for + Add flows. | Yes |
| Update taxonomy | Without this permission, the taxonomy Settings page is read-only. | No |
| Delete taxonomy | Without this permission, the Delete option is hidden in the taxonomy details context menu. | No |
| Read taxonomy node | With Can see schema view, required to browse taxonomy Nodes and view node-related detail. Without it, exploring taxonomy nodes is not available. | Yes |
| Create taxonomy node | Allows users to use + Add child node (or equivalent). Together with Create taxonomy, enables + Add to create a taxonomy where the UI exposes it. | Yes |
| Update taxonomy node | Allows users to add new child nodes, rename nodes, or move nodes to a different parent. Without this permission, users can only view taxonomy node details. | No |
| Delete taxonomy node | Without this permission, the Delete option is hidden next to the taxonomy node. | No |
#Roles - Remote sources
| Permission name | Role description | Custom role default |
|---|
| Read remote sources | Without this permission, a user with Can see schema view can access the schema editor but cannot see remote sources in it. | Yes |
| Create remote sources | Without this permission, a user with Can see schema view can access the schema editor but cannot use the + Add flow to create new remote sources. | Yes |
| Update remote sources | Grants users the ability to edit the Settings tab of remote sources. Without this permission, the Save button is hidden on the remote source settings screen. | No |
| Delete remote sources | Without this permission, users cannot see the Delete option for remote sources. | No |
#Roles - Content views
| Permission name | Role description | Custom role default |
|---|
| Create public content views | Without this permission, the Add custom view button is hidden. | No |
| Read public content views | Required together with Read public view groups to access the Content tab in Studio. To see views listed in the sidebar, assign Read content permissions on the DRAFT stage on models. For Assets, also grant Read on the Asset model via content permissions. | No |
| Update public content views | Without this permission, the user cannot see the Edit custom view option in the custom view context menu. | No |
| Update system content views | Without this permission, the user cannot see the Update default view option in the content editor and Assets. | No |
| Delete public content views | Without this permission, the Delete custom view option is hidden in the custom view context menu. | No |
#Roles - View groups
| Permission name | Role description | Custom role default |
|---|
| Create public view groups | Grants users the ability to create view groups. | No |
| Read public view groups | Required together with Read public content views to access the Content tab in Studio. To see views listed in the sidebar, assign Read content permissions on the DRAFT stage on models. For Assets, also grant Read on the Asset model via content permissions. | No |
| Update public view groups | Without this permission, view groups cannot be updated. | No |
| Delete public view groups | Without this permission, users will be logged out when attempting to delete a public view group. | No |
#Roles - Locales & stages
| Permission name | Role description | Custom role default |
|---|
| Read locales | Without this permission, users receive an error when trying to access locale information. | Yes |
| Create locales | Without this permission, users cannot use the Add button in Project Settings > General > Locales. | No |
| Update locales | Without this permission, locales in Project Settings > General > Locales are read-only and grayed out. | No |
| Delete locales | Without this permission, the Delete button is hidden in Project Settings > General > Locales. | No |
| Read stages | Required to access content stage information. | Yes |
| Create stages | Allows users to see the + Add stage button in Project Settings > General > Content Stages. | No |
| Update stages | Without this permission, the user cannot see the Content stages option in project settings. | No |
| Delete stages | Without this permission, clicking Delete in Project Settings > General > Content Stages throws an error. | No |
#Roles - Environments
| Permission name | Role description | Custom role default |
|---|
| Read existing environments | Without this permission, users cannot access the project and will receive an error when attempting to log in. | Yes |
| Create new environment | Without this permission, the Clone button in Project Settings > General > Environments is disabled. | No |
| Update an existing environment | Grants the ability to edit environments through the Management API and related Studio controls. | No |
| Delete an existing environment | Without this permission, the Delete option in Project Settings > General > Environments is disabled. | No |
| Promote an existing environment | Without this permission, the Promote to master button in Project Settings > General > Environments is disabled. | No |
#Roles - Environment backups
| Permission name | Role description | Custom role default |
|---|
| Create new environment backup | Allows creating a new environment backup. | No |
| Read existing environment backups and their details | Allows reading existing environment backups and their details. | No |
| Update an existing environment backup | Allows updating an existing environment backup. | No |
| Delete an existing environment backup | Allows deleting an existing environment backup. | No |
| Restore an existing environment backup to a standard environment | Allows restoring an existing environment backup to a standard environment. | No |
#Roles - Content freeze
| Permission name | Role description | Custom role default |
|---|
| Allows starting, scheduling, and lifting content freezes | Without this permission, users cannot access Project Settings > Governance > Content Freeze, use the Manage freeze link in the Studio banner, or start, schedule, or lift content freezes. | No |
#Roles - Content permission administration
Management permissions that control whether a user can manage content permission rows in Settings (not document Read/Create itself).
| Permission name | Role description | Custom role default |
|---|
| Can create content permissions | Without this permission, users cannot see the Add permission option in the Public Content API, roles, and PATs sections of project settings. | No |
| Can read content permissions | Without this permission, the user cannot see the Content permissions block for roles and PATs in project settings. | No |
| Can update content permissions | Without this permission, users cannot see the Edit option for content permissions in the Public Content API, roles, and PATs sections of project settings. | No |
| Can delete content permissions | Without this permission, users cannot see the Delete option for content permissions in the Public Content API, roles, and PATs sections of project settings. | No |
#Roles - Permanent auth tokens
| Permission name | Role description | Custom role default |
|---|
| Can create new permanent auth tokens | Without this permission, the + Add Token button is hidden on Permanent Auth Tokens in Project Settings. | No |
| Can read existing permanent auth tokens | Allows users to see the Access section in Project Settings. For the API Playground, grant with Can use the playground. | No |
| Can update existing permanent auth tokens | Without this permission, the Edit option is hidden in the PAT context menu in Project Settings > Access. | No |
| Can delete existing permanent auth tokens | Without this permission, the Delete option is hidden in the PAT context menu in Project Settings > Access. | No |
#Roles - Webhooks
| Permission name | Role description | Custom role default |
|---|
| Create new webhooks | Without this permission, the user cannot see the + Add webhook button. | No |
| Read existing webhooks | Without this permission, the user cannot see the Webhooks tab in the main navigation. | No |
| Update existing webhooks | Without this permission, the user cannot see the Edit button for webhooks. | No |
| Delete an existing webhook | Without this permission, the user cannot see the Delete option for webhooks. | No |
#Roles - Workflows
| Permission name | Role description | Custom role default |
|---|
| Read workflow | Required to access workflow information through the Management API and workflow-related UI context. | Yes |
| Create a new workflow | Allows creating a new workflow. | No |
| Update a workflow | Allows updating an existing workflow. | No |
| Delete a workflow | Allows deleting an existing workflow. | No |
| Create a new workflow step | Allows creating a new workflow step. | No |
| Update a workflow step | Allows updating an existing workflow step. | No |
| Delete a workflow step | Allows deleting an existing workflow step. | No |
#Roles - Users & team
| Permission name | Role description | Custom role default |
|---|
| Invite a user into an existing project | Without this permission, the user cannot see the Invite members button in Project Settings > Team > Members. | No |
| Assign a role to a user | Without this permission, the user cannot see the Assign role option in Project Settings > Team > Members. | No |
| Remove a user from an existing project | Grants users the ability to see the Remove option for users. Also required to delete agents via AI Hub → Agents. | No |
#Roles - User roles
| Permission name | Role description | Custom role default |
|---|
| Create new roles | Without this permission, the user cannot see the option to add a custom role in the UI. | No |
| Update existing roles | Without this permission, the user can open all existing roles, but all update-related buttons are hidden and they will receive an error when attempting to edit content permissions. | No |
| Delete an existing role | Without this permission, the user cannot see the Delete option for custom roles. | No |
#Roles - Experimental, AI, usage
| Permission name | Role description | Custom role default |
|---|
| Allows managing experimental features and their role assignments | Allows managing experimental features. | No |
| Create AI guidelines | Allows creating a new AI guideline. | No |
| Read AI guidelines | Allows reading existing AI guidelines. | No |
| Update AI guidelines | Allows updating an existing AI guideline. | No |
| Delete AI guidelines | Allows deleting an existing AI guideline. | No |
| Read observability data | Allows reading observability data. | No |
#Roles - Agents
Invite a new agent, Remove an agent, and Delete an agent config appear in Roles & Permissions but have no effect today. You can leave them disabled.
To delete an agent, use Delete on the agent card in AI Hub → Agents. This requires the Remove a user from an existing project permission.
| Permission name | Role description | Custom role default |
|---|
| Create a new agent config | Without this permission, users cannot use + Add agent in AI Hub → Agents. | No |
| Read agent config | Without this permission, users cannot open AI Hub → Agents or agent KPIs when the agents feature is enabled. | No |
| Update an agent config | Without this permission, users cannot edit or enable/disable agents in AI Hub → Agents. | No |
| Trigger an agent run | Without this permission, users cannot manually trigger agents from the content editor or content table. Does not apply to PATs or workflow-triggered runs. | No |
#Roles - Integrations & extensions
| Permission name | Role description | Custom role default |
|---|
| Can add new integrations to an existing project | Allows creating a new integration. | No |
| Can see existing integrations in an existing project | Allows reading existing integrations. | No |
| Can update existing integrations in an existing project | Allows updating an existing integration. | No |
| Can delete existing integrations in an existing project | Allows deleting an existing integration. | No |
| Can trigger a netlify build for an existing integration | Allows triggering a build for a Netlify integration. | No |
| Can add new extension to an existing project | Allows creating a new extension. | No |
| Can see existing extensions in an existing project | Allows reading existing extensions. | No |
| Can update existing extensions in an existing project | Allows updating an existing extension. | No |
| Can delete existing extensions in an existing project | Allows deleting an existing extension. | No |
#Roles - App installations
| Permission name | Role description | Custom role default |
|---|
| Can add app installations | Without this permission, the Explore apps banner is hidden in the Apps section. Projects where this permission is not granted do not appear in the project selector dropdown for new app installations. | No |
| Can update app installations | Grants the ability to see the Edit button on app cards. | No |
| Can delete app installations | Without this permission, the user cannot see the Uninstall option in the app card context menu. | No |
#Roles - Legacy Management API content permissions
#Permanent Auth Tokens
PATs interact with the Management API programmatically. When you initialize default permissions for a new PAT, those defaults cover the common schema read and create operations needed to work with the Management SDK. If you need to update or delete schema elements, add those permissions manually.
UI-only permissions have no effect on PATs. Tokens do not interact with the Hygraph interface, so granting a UI-only permission to a token changes nothing. Content creation through the API requires the appropriate Content API permissions, not Management API permissions. If you need a token to create content, configure the appropriate content API permissions instead.
#PATs - Project & studio access
| Permission name | Action | Description | PAT default |
|---|
| Change the name, picture and description of a project | PROJECT_UPDATE | Required for project metadata mutations (name, picture, description). | No |
| Can use the playground | PLAYGROUND_USE | Studio-only for members with a role; not used to authorize typical PAT Management API traffic. | No |
| Read audit logs | AUDIT_LOGS_READ | Studio-only for members with a role; not used to authorize typical PAT Management API traffic. | No |
| Can see Team Member Settings | VIEW_TEAM_MEMBER_SETTINGS | Studio-only for members with a role; not used to authorize typical PAT Management API traffic. | No |
| Can see Role & Permissions Settings | VIEW_ROLE_PERMISSION_SETTINGS | Studio-only for members with a role; not used to authorize typical PAT Management API traffic. | No |
| Can see schema view | VIEW_SCHEMA | Studio-only for members with a role; not used to authorize typical PAT Management API traffic. | No |
| Can see project settings | VIEW_PROJECT_SETTINGS | Studio-only for members with a role; not used to authorize typical PAT Management API traffic. Included in PAT Initialize defaults. | Yes |
| Can see environment selector | VIEW_ENVIRONMENT_SELECTOR | Studio-only for members with a role; not used to authorize typical PAT Management API traffic. | No |
#PATs - Models, components, fields
| Permission name | Action | Description | PAT default |
|---|
| Create new models | MODEL_CREATE | Required for model-creation mutations (for example createModel, createSimpleModel). | Yes |
| Read existing models | MODEL_READ | Required to read models and for most schema mutations that reference existing models. | Yes |
| Update existing models | MODEL_UPDATE | Required for model update mutations. | No |
| Delete existing models | MODEL_DELETE | Required for model deletion mutations. | No |
| Create new components | COMPONENT_CREATE | Required for component-creation mutations. | Yes |
| Read existing components | COMPONENT_READ | Required to read components and for component-related schema operations. | Yes |
| Update existing components | COMPONENT_UPDATE | Required for component update mutations (schema components, not content entries). | No |
| Delete existing components | COMPONENT_DELETE | Required for component deletion mutations. | No |
| Read existing fields | FIELD_READ | Required to read fields and for field-related schema operations. | Yes |
| Create new fields | FIELD_CREATE | Required for field-creation mutations on models and components. | Yes |
| Update existing fields | FIELD_UPDATE | Required for field update mutations. | No |
| Delete existing fields | FIELD_DELETE | Required for field deletion mutations. | No |
#PATs - Enumerations
| Permission name | Action | Description | PAT default |
|---|
| Read existing enumerations | ENUMERATION_READ | Required to read enumerations and for enumeration-related schema operations. | Yes |
| Create new enumerations | ENUMERATION_CREATE | Required for enumeration-creation mutations. | Yes |
| Update existing enumerations | ENUMERATION_UPDATE | Required for enumeration update mutations. | No |
| Delete existing enumerations | ENUMERATION_DELETE | Required for enumeration deletion mutations. | No |
#PATs - Taxonomies
| Permission name | Action | Description | PAT default |
|---|
| Read taxonomy | TAXONOMY_READ | Required for taxonomy queries and taxonomy-related mutations. Not included in PAT Initialize defaults. | No |
| Create taxonomy | TAXONOMY_CREATE | Required for taxonomy creation mutations. | No |
| Update taxonomy | TAXONOMY_UPDATE | Required for taxonomy update mutations. | No |
| Delete taxonomy | TAXONOMY_DELETE | Required for taxonomy deletion mutations. | No |
| Read taxonomy node | TAXONOMY_NODE_READ | Required for taxonomy node queries and node-related mutations. | No |
| Create taxonomy node | TAXONOMY_NODE_CREATE | Required for taxonomy node creation mutations. | No |
| Update taxonomy node | TAXONOMY_NODE_UPDATE | Required for taxonomy node update mutations. | No |
| Delete taxonomy node | TAXONOMY_NODE_DELETE | Required for taxonomy node deletion mutations. | No |
#PATs - Remote sources
| Permission name | Action | Description | PAT default |
|---|
| Read remote sources | REMOTE_SOURCE_READ | Required to read remote sources and for remote-source-related schema operations. | Yes |
| Create remote sources | REMOTE_SOURCE_CREATE | Required for remote-source-creation mutations. | Yes |
| Update remote sources | REMOTE_SOURCE_UPDATE | Required for remote source update mutations. | No |
| Delete remote sources | REMOTE_SOURCE_DELETE | Required for remote source deletion mutations. | No |
#PATs - Content views
| Permission name | Action | Description | PAT default |
|---|
| Create public content views | CONTENTVIEW_CREATE | Required for custom content-view creation mutations. | No |
| Read public content views | CONTENTVIEW_READ | Required to read content views (environment.contentView, environment.contentViews). | No |
| Update public content views | CONTENTVIEW_UPDATE | Required to update custom content views. | No |
| Update system content views | CONTENTVIEW_SYSTEM_UPDATE | Required to update system / default content views. | No |
| Delete public content views | CONTENTVIEW_DELETE | Required to delete custom content views. | No |
#PATs - View groups
| Permission name | Action | Description | PAT default |
|---|
| Create public view groups | VIEW_GROUP_CREATE | Required for view-group creation mutations. | No |
| Read public view groups | VIEW_GROUP_READ | Required to read view groups (environment.viewGroups and related fields). | No |
| Update public view groups | VIEW_GROUP_UPDATE | Required for view-group update mutations. | No |
| Delete public view groups | VIEW_GROUP_DELETE | Required for view-group deletion mutations. | No |
#PATs - Locales & stages
| Permission name | Action | Description | PAT default |
|---|
| Read locales | LOCALE_READ | Required for locale queries and locale-dependent Management API operations. | Yes |
| Create locales | LOCALE_CREATE | Required for locale creation mutations. | No |
| Update locales | LOCALE_UPDATE | Required for locale update mutations. | No |
| Delete locales | LOCALE_DELETE | Required for locale deletion mutations. | No |
| Read stages | STAGE_READ | Required for stage queries and content-stage configuration via the Management API. | Yes |
| Create stages | STAGE_CREATE | Required for content-stage creation mutations. | No |
| Update stages | STAGE_UPDATE | Required for content-stage update mutations. | No |
| Delete stages | STAGE_DELETE | Required for content-stage deletion mutations. | No |
#PATs - Environments
| Permission name | Action | Description | PAT default |
|---|
| Read existing environments | ENVIRONMENT_READ | Required for environment-scoped queries and mutations for the PAT's environment. | Yes |
| Create new environment | ENVIRONMENT_CREATE | Required for environment clone/create mutations. | No |
| Update an existing environment | ENVIRONMENT_UPDATE | Required for environment update mutations. | No |
| Delete an existing environment | ENVIRONMENT_DELETE | Required for environment deletion mutations. | No |
| Promote an existing environment | ENVIRONMENT_PROMOTE | Required for promote-to-master (and similar promote) mutations. Restoring from backup uses ENVIRONMENT_BACKUP_RESTORE, not this action. | No |
#PATs - Environment backups
| Permission name | Action | Description | PAT default |
|---|
| Create new environment backup | ENVIRONMENT_BACKUP_CREATE | Required for environment backup creation mutations. | No |
| Read existing environment backups and their details | ENVIRONMENT_BACKUP_READ | Required to query environment backups and their metadata. | No |
| Update an existing environment backup | ENVIRONMENT_BACKUP_UPDATE | Required for environment backup update mutations. | No |
| Delete an existing environment backup | ENVIRONMENT_BACKUP_DELETE | Required for environment backup deletion mutations. | No |
| Restore an existing environment backup to a standard environment | ENVIRONMENT_BACKUP_RESTORE | Required to restore a backup into a standard environment. | No |
#PATs - Content freeze
| Permission name | Action | Description | PAT default |
|---|
| Allows starting, scheduling, and lifting content freezes | MANAGE_CONTENT_FREEZE | Required for startContentFreeze and liftContentFreeze mutations. | No |
#PATs - Content permission administration
| Permission name | Action | Description | PAT default |
|---|
| Can create content permissions | CONTENT_PERMISSION_CREATE | Required to create content-permission rows (roles, PATs, or public Content API target) via the Management API. | No |
| Can read content permissions | CONTENT_PERMISSION_READ | Required to read content-permission configuration via the Management API. | No |
| Can update content permissions | CONTENT_PERMISSION_UPDATE | Required to update content-permission rows via the Management API. | No |
| Can delete content permissions | CONTENT_PERMISSION_DELETE | Required to delete content-permission rows via the Management API. | No |
#PATs - Permanent auth tokens
| Permission name | Action | Description | PAT default |
|---|
| Can create new permanent auth tokens | PAT_CREATE | Required for PAT creation mutations. Usually granted on a custom role for admins; grant on a PAT only when automation manages other PATs. | No |
| Can read existing permanent auth tokens | PAT_READ | Required for PAT read/list operations. Usually granted on a custom role for admins. | No |
| Can update existing permanent auth tokens | PAT_UPDATE | Required for PAT update mutations. Usually granted on a custom role for admins. | No |
| Can delete existing permanent auth tokens | PAT_DELETE | Required for PAT deletion mutations. Usually granted on a custom role for admins. | No |
#PATs - Webhooks
| Permission name | Action | Description | PAT default |
|---|
| Create new webhooks | WEBHOOK_CREATE | Required for webhook creation mutations. | No |
| Read existing webhooks | WEBHOOK_READ | Required for webhook queries. Studio navigation is controlled by custom roles. | No |
| Update existing webhooks | WEBHOOK_UPDATE | Required for webhook update mutations. | No |
| Delete an existing webhook | WEBHOOK_DELETE | Required for webhook deletion mutations. | No |
#PATs - Workflows
| Permission name | Action | Description | PAT default |
|---|
| Read workflow | WORKFLOW_READ | Required for workflow queries and workflow-related Management API operations. | Yes |
| Create a new workflow | WORKFLOW_CREATE | Required for workflow creation mutations. | No |
| Update a workflow | WORKFLOW_UPDATE | Required for workflow update mutations. | No |
| Delete a workflow | WORKFLOW_DELETE | Required for workflow deletion mutations. | No |
| Create a new workflow step | WORKFLOW_STEP_CREATE | Required for workflow step creation mutations. | No |
| Update a workflow step | WORKFLOW_STEP_UPDATE | Required for workflow step update mutations. | No |
| Delete a workflow step | WORKFLOW_STEP_DELETE | Required for workflow step deletion mutations. | No |
#PATs - Users & team
| Permission name | Action | Description | PAT default |
|---|
| Invite a user into an existing project | USER_INVITE | Required for project member invite mutations. Studio UI is controlled by custom roles. | No |
| Assign a role to a user | USER_ASSIGNROLE | Required for role-assignment mutations on project members. | No |
| Remove a user from an existing project | USER_REMOVE | Required for removing members from a project via the Management API. Also required for deleteAgent mutations. | No |
#PATs - User roles
| Permission name | Action | Description | PAT default |
|---|
| Create new roles | ROLE_CREATE | Required for custom role creation mutations. Studio UI is controlled by custom roles. | No |
| Update existing roles | ROLE_UPDATE | Required for role update mutations (including management and content permissions on roles). | No |
| Delete an existing role | ROLE_DELETE | Required for custom role deletion mutations. | No |
#PATs - Experimental, AI, usage
| Permission name | Action | Description | PAT default |
|---|
| Allows managing experimental features and their role assignments | MANAGE_EXPERIMENTAL_FEATURES | Required for experimental-feature management mutations. | No |
| Create AI guidelines | AI_GUIDELINE_CREATE | Required for AI guideline creation mutations. | No |
| Read AI guidelines | AI_GUIDELINE_READ | Required for AI guideline queries. | No |
| Update AI guidelines | AI_GUIDELINE_UPDATE | Required for AI guideline update mutations. | No |
| Delete AI guidelines | AI_GUIDELINE_DELETE | Required for AI guideline deletion mutations. | No |
| Read observability data | OBSERVABILITY_READ | Required for observability read operations exposed by the Management API. | No |
#PATs - Agents
Invite a new agent, Remove an agent, Delete an agent config, and Trigger an agent run can be assigned to a PAT but have no effect on Management API access today.
| Permission name | Action | Description | PAT default |
|---|
| Create a new agent config | AGENT_CONFIG_CREATE | Required for createAgent mutations. | No |
| Read agent config | AGENT_CONFIG_READ | Required for agent configuration queries. | No |
| Update an agent config | AGENT_CONFIG_UPDATE | Required for updateAgent mutations. | No |
#PATs - Integrations & extensions
| Permission name | Action | Description | PAT default |
|---|
| Can add new integrations to an existing project | INTEGRATION_CREATE | Required for integration creation mutations. | No |
| Can see existing integrations in an existing project | INTEGRATION_READ | Required for integration queries. | No |
| Can update existing integrations in an existing project | INTEGRATION_UPDATE | Required for integration update mutations. | No |
| Can delete existing integrations in an existing project | INTEGRATION_DELETE | Required for integration deletion mutations. | No |
| Can trigger a netlify build for an existing integration | NETLIFY_TRIGGER_BUILD | Required for Netlify build trigger mutations on integrations. | No |
| Can add new extension to an existing project | EXTENSION_CREATE | Required for extension creation mutations. | No |
| Can see existing extensions in an existing project | EXTENSION_READ | Required for extension queries. | No |
| Can update existing extensions in an existing project | EXTENSION_UPDATE | Required for extension update mutations. | No |
| Can delete existing extensions in an existing project | EXTENSION_DELETE | Required for extension deletion mutations. | No |
#PATs - App installations
| Permission name | Action | Description | PAT default |
|---|
| Can add app installations | APP_INSTALLATION_CREATE | Required for app installation mutations. Studio banners and selectors are controlled by custom roles. | No |
| Can update app installations | APP_INSTALLATION_UPDATE | Required for app installation update mutations. | No |
| Can delete app installations | APP_INSTALLATION_DELETE | Required for app uninstall mutations. | No |
#PATs - Legacy Management API content permissions