Hygraph
Docs

#Management API permissions

Management API permissions control what users assigned to a role can see in the Hygraph UI, and what actions Permanent Auth Tokens (PATs) can perform through the Management API. The same set of permissions is available for both custom roles and Permanent Auth Tokens (PATs), but their defaults and behaviors differ.

There are two types of Management API permissions:

  • View permissions control UI visibility. Granting or revoking these shows or hides buttons, tabs, and sections in the interface for users assigned to that role. For example, the Create new entries permission controls whether the + Add entry button appears in the content editor. It does not grant the ability to create entries through the API.
  • Action permissions control what can be done via the Management API, such as creating models, updating fields, or managing webhooks.

This distinction is especially important for PATs. Granting a UI-only permission to a token has no effect, since tokens do not interact with the UI. Content creation through the API requires the appropriate Content API permissions, not Management API permissions.

Management API permissions are global. They apply across all environments in a project.

#Roles vs PATs: a key distinction

Understanding how Management API permissions behave differently for roles and PATs will save you a lot of confusion when configuring access.

  • Roles - Management API permissions primarily control UI visibility. Granting a permission shows a button, tab, or section to users assigned to that role. Revoking it hides it. If a user lacks a permission, the effect is visible in the interface. They may not see a button, get an error when accessing a restricted area, or in some cases be logged out.

    • Defaults cover the read permissions needed to navigate the Hygraph UI correctly. Anything beyond that must be added manually.
  • PATs - Management API permissions control API access. If a token lacks a permission, the API call fails with an insufficient permissions error. There is no UI involved.

    • Defaults cover create and read permissions suited for programmatic API access.

This distinction matters because some permissions are UI-only. They control what users see in the Hygraph interface but have no effect on what a PAT can do programmatically. The most common example is Create new entries, which shows or hides the + Add entry button in the content editor. Granting this to a PAT does nothing, because PATs do not interact with the UI and content creation is handled by the Content API, not the Management API.

#How they differ from content permissions

Content permissions govern access to your project's content entries (read, create, update, delete, publish, unpublish). Management API permissions govern access to your project's structural and configuration elements, such as schema, environments, roles, webhooks, and so on.

#Roles

Hygraph provides five system roles, Owner, Admin, Developer, Editor, and Contributor, each with a predefined permission set that reflects its responsibilities. For example, an Editor cannot access the API Playground, while an Admin or Developer can.

Every custom role is assigned a set of default Management API permissions on creation. These defaults cover the minimum needed to use the Hygraph UI correctly. All additional permissions can be added manually depending on what the role needs to do.

Note that granting a role additional Management API permissions controls UI visibility only. If users also have Content API permissions granting a particular action, they can still perform that action via the API even if the corresponding UI button is hidden. You can grant a role full content permissions while using Management API permissions to hide specific actions in the UI. Users assigned that role can still perform those actions by calling the API directly.

Content and Assets tabs in Studio are governed by the following Management API permissions:

  • Content: Read public view groups and Read public content views (not in defaults). Sidebar views also need Read on DRAFT per model via content permissions.
  • Assets: Read public view groups and Read public content views + Read content permission on the Asset model. Assets does not appear without access to the Content tab.
  • Tables / entries: Content permissions per model and stage.

#Roles - Project & Studio access

Permission nameRole descriptionCustom role default
Change the name, picture and description of a projectAllows users to edit project details in Project Settings > General > Project. Without this permission, the section is visible but read-only and grayed out.No
Can use the playgroundWithout this permission, users cannot see the API Playground in the top-level menu, or the Preview in playground option in the content editor and Assets.No
Read audit logsWithout this permission, users cannot see the Audit logs tab in Project Settings.No
Can see Team Member SettingsWithout this permission, the user cannot see the Members tab in Project Settings > Team.No
Can see Role & Permissions SettingsWithout this permission, the user cannot see the Roles menu in project settings.No
Can see schema viewAllows the user to see the schema editor. Deselect to hide the schema view for roles where it is not relevant.No
Can see project settingsWithout this permission, users cannot see Project Settings in the Studio sidebar or open project settings screens.Yes
Can see environment selectorWithout this permission, users cannot see the environment selector in Studio.Yes

#Roles - Models, components, fields

Permission nameRole descriptionCustom role default
Create new modelsWithout this permission, a user with Can see schema view can access the schema editor but cannot use the + Add button to create new models.Yes
Read existing modelsWithout this permission, a user with Can see schema view can access the schema editor but cannot see models in it.Yes
Update existing modelsGrants users the ability to edit the Settings tab of models. Users also need permission to read the schema and models.No
Delete existing modelsWithout this permission, the user cannot see the Delete option for models.No
Create new componentsWithout this permission, a user with Can see schema view can access the schema editor but cannot use the + Add button to create new components.Yes
Read existing componentsWithout this permission, a user with Can see schema view can access the schema editor but cannot see components in it.Yes
Update existing componentsGrants users the ability to edit the Settings tab of components in the schema editor. Requires Can see schema view, Read existing components, and other read access as needed. Controls schema-level component metadata only.No
Delete existing componentsWithout this permission, the user cannot see the Delete option in a component's context menu.No
Read existing fieldsWithout this permission, the user cannot see or access the Fields tab in the UI.Yes
Create new fieldsWithout this permission, the user cannot see the Fields side panel in the schema editor.Yes
Update existing fieldsAllows users to see the Edit button on field cards in models and edit field details. Users must also have permission to read the schema and models. Without this permission, the Edit field button is hidden and the drag-and-drop anchor is not displayed.No
Delete existing fieldsAllows users to delete fields from a model in the schema editor. Users must also have permission to read the schema and models.No

#Roles - Enumerations

Permission nameRole descriptionCustom role default
Read existing enumerationsWithout this permission, a user with Can see schema view can access the schema editor but cannot see enumerations in it.Yes
Create new enumerationsWithout this permission, a user with Can see schema view can access the schema editor but cannot use the + Add button to create new enumerations.Yes
Update existing enumerationsGrants users the ability to edit enumeration details. Users also need permission to read the schema and enumerations.No
Delete existing enumerationsWithout this permission, the Delete option is hidden in the enumeration details context menu.No

#Roles - Taxonomies

Permission nameRole descriptionCustom role default
Read taxonomyWith Can see schema view, required to open taxonomies and view taxonomy details (including the Settings tab). Without it, users cannot access taxonomy definition screens in the schema area.Yes
Create taxonomyWithout this permission, users with Can see schema view cannot create new taxonomies. Opening existing taxonomies depends on Read taxonomy and schema access. Creating a taxonomy typically also requires Create taxonomy node for + Add flows.Yes
Update taxonomyWithout this permission, the taxonomy Settings page is read-only.No
Delete taxonomyWithout this permission, the Delete option is hidden in the taxonomy details context menu.No
Read taxonomy nodeWith Can see schema view, required to browse taxonomy Nodes and view node-related detail. Without it, exploring taxonomy nodes is not available.Yes
Create taxonomy nodeAllows users to use + Add child node (or equivalent). Together with Create taxonomy, enables + Add to create a taxonomy where the UI exposes it.Yes
Update taxonomy nodeAllows users to add new child nodes, rename nodes, or move nodes to a different parent. Without this permission, users can only view taxonomy node details.No
Delete taxonomy nodeWithout this permission, the Delete option is hidden next to the taxonomy node.No

#Roles - Remote sources

Permission nameRole descriptionCustom role default
Read remote sourcesWithout this permission, a user with Can see schema view can access the schema editor but cannot see remote sources in it.Yes
Create remote sourcesWithout this permission, a user with Can see schema view can access the schema editor but cannot use the + Add flow to create new remote sources.Yes
Update remote sourcesGrants users the ability to edit the Settings tab of remote sources. Without this permission, the Save button is hidden on the remote source settings screen.No
Delete remote sourcesWithout this permission, users cannot see the Delete option for remote sources.No

#Roles - Content views

Permission nameRole descriptionCustom role default
Create public content viewsWithout this permission, the Add custom view button is hidden.No
Read public content viewsRequired together with Read public view groups to access the Content tab in Studio. To see views listed in the sidebar, assign Read content permissions on the DRAFT stage on models. For Assets, also grant Read on the Asset model via content permissions.No
Update public content viewsWithout this permission, the user cannot see the Edit custom view option in the custom view context menu.No
Update system content viewsWithout this permission, the user cannot see the Update default view option in the content editor and Assets.No
Delete public content viewsWithout this permission, the Delete custom view option is hidden in the custom view context menu.No

#Roles - View groups

Permission nameRole descriptionCustom role default
Create public view groupsGrants users the ability to create view groups.No
Read public view groupsRequired together with Read public content views to access the Content tab in Studio. To see views listed in the sidebar, assign Read content permissions on the DRAFT stage on models. For Assets, also grant Read on the Asset model via content permissions.No
Update public view groupsWithout this permission, view groups cannot be updated.No
Delete public view groupsWithout this permission, users will be logged out when attempting to delete a public view group.No

#Roles - Locales & stages

Permission nameRole descriptionCustom role default
Read localesWithout this permission, users receive an error when trying to access locale information.Yes
Create localesWithout this permission, users cannot use the Add button in Project Settings > General > Locales.No
Update localesWithout this permission, locales in Project Settings > General > Locales are read-only and grayed out.No
Delete localesWithout this permission, the Delete button is hidden in Project Settings > General > Locales.No
Read stagesRequired to access content stage information.Yes
Create stagesAllows users to see the + Add stage button in Project Settings > General > Content Stages.No
Update stagesWithout this permission, the user cannot see the Content stages option in project settings.No
Delete stagesWithout this permission, clicking Delete in Project Settings > General > Content Stages throws an error.No

#Roles - Environments

Permission nameRole descriptionCustom role default
Read existing environmentsWithout this permission, users cannot access the project and will receive an error when attempting to log in.Yes
Create new environmentWithout this permission, the Clone button in Project Settings > General > Environments is disabled.No
Update an existing environmentGrants the ability to edit environments through the Management API and related Studio controls.No
Delete an existing environmentWithout this permission, the Delete option in Project Settings > General > Environments is disabled.No
Promote an existing environmentWithout this permission, the Promote to master button in Project Settings > General > Environments is disabled.No

#Roles - Environment backups

Permission nameRole descriptionCustom role default
Create new environment backupAllows creating a new environment backup.No
Read existing environment backups and their detailsAllows reading existing environment backups and their details.No
Update an existing environment backupAllows updating an existing environment backup.No
Delete an existing environment backupAllows deleting an existing environment backup.No
Restore an existing environment backup to a standard environmentAllows restoring an existing environment backup to a standard environment.No

#Roles - Content freeze

Permission nameRole descriptionCustom role default
Allows starting, scheduling, and lifting content freezesWithout this permission, users cannot access Project Settings > Governance > Content Freeze, use the Manage freeze link in the Studio banner, or start, schedule, or lift content freezes.No

#Roles - Content permission administration

Management permissions that control whether a user can manage content permission rows in Settings (not document Read/Create itself).

Permission nameRole descriptionCustom role default
Can create content permissionsWithout this permission, users cannot see the Add permission option in the Public Content API, roles, and PATs sections of project settings.No
Can read content permissionsWithout this permission, the user cannot see the Content permissions block for roles and PATs in project settings.No
Can update content permissionsWithout this permission, users cannot see the Edit option for content permissions in the Public Content API, roles, and PATs sections of project settings.No
Can delete content permissionsWithout this permission, users cannot see the Delete option for content permissions in the Public Content API, roles, and PATs sections of project settings.No

#Roles - Permanent auth tokens

Permission nameRole descriptionCustom role default
Can create new permanent auth tokensWithout this permission, the + Add Token button is hidden on Permanent Auth Tokens in Project Settings.No
Can read existing permanent auth tokensAllows users to see the Access section in Project Settings. For the API Playground, grant with Can use the playground.No
Can update existing permanent auth tokensWithout this permission, the Edit option is hidden in the PAT context menu in Project Settings > Access.No
Can delete existing permanent auth tokensWithout this permission, the Delete option is hidden in the PAT context menu in Project Settings > Access.No

#Roles - Webhooks

Permission nameRole descriptionCustom role default
Create new webhooksWithout this permission, the user cannot see the + Add webhook button.No
Read existing webhooksWithout this permission, the user cannot see the Webhooks tab in the main navigation.No
Update existing webhooksWithout this permission, the user cannot see the Edit button for webhooks.No
Delete an existing webhookWithout this permission, the user cannot see the Delete option for webhooks.No

#Roles - Workflows

Permission nameRole descriptionCustom role default
Read workflowRequired to access workflow information through the Management API and workflow-related UI context.Yes
Create a new workflowAllows creating a new workflow.No
Update a workflowAllows updating an existing workflow.No
Delete a workflowAllows deleting an existing workflow.No
Create a new workflow stepAllows creating a new workflow step.No
Update a workflow stepAllows updating an existing workflow step.No
Delete a workflow stepAllows deleting an existing workflow step.No

#Roles - Users & team

Permission nameRole descriptionCustom role default
Invite a user into an existing projectWithout this permission, the user cannot see the Invite members button in Project Settings > Team > Members.No
Assign a role to a userWithout this permission, the user cannot see the Assign role option in Project Settings > Team > Members.No
Remove a user from an existing projectGrants users the ability to see the Remove option for users. Also required to delete agents via AI Hub → Agents.No

#Roles - User roles

Permission nameRole descriptionCustom role default
Create new rolesWithout this permission, the user cannot see the option to add a custom role in the UI.No
Update existing rolesWithout this permission, the user can open all existing roles, but all update-related buttons are hidden and they will receive an error when attempting to edit content permissions.No
Delete an existing roleWithout this permission, the user cannot see the Delete option for custom roles.No

#Roles - Experimental, AI, usage

Permission nameRole descriptionCustom role default
Allows managing experimental features and their role assignmentsAllows managing experimental features.No
Create AI guidelinesAllows creating a new AI guideline.No
Read AI guidelinesAllows reading existing AI guidelines.No
Update AI guidelinesAllows updating an existing AI guideline.No
Delete AI guidelinesAllows deleting an existing AI guideline.No
Read observability dataAllows reading observability data.No

#Roles - Agents

Permission nameRole descriptionCustom role default
Create a new agent configWithout this permission, users cannot use + Add agent in AI Hub → Agents.No
Read agent configWithout this permission, users cannot open AI Hub → Agents or agent KPIs when the agents feature is enabled.No
Update an agent configWithout this permission, users cannot edit or enable/disable agents in AI Hub → Agents.No
Trigger an agent runWithout this permission, users cannot manually trigger agents from the content editor or content table. Does not apply to PATs or workflow-triggered runs.No

#Roles - Integrations & extensions

Permission nameRole descriptionCustom role default
Can add new integrations to an existing projectAllows creating a new integration.No
Can see existing integrations in an existing projectAllows reading existing integrations.No
Can update existing integrations in an existing projectAllows updating an existing integration.No
Can delete existing integrations in an existing projectAllows deleting an existing integration.No
Can trigger a netlify build for an existing integrationAllows triggering a build for a Netlify integration.No
Can add new extension to an existing projectAllows creating a new extension.No
Can see existing extensions in an existing projectAllows reading existing extensions.No
Can update existing extensions in an existing projectAllows updating an existing extension.No
Can delete existing extensions in an existing projectAllows deleting an existing extension.No

#Roles - App installations

Permission nameRole descriptionCustom role default
Can add app installationsWithout this permission, the Explore apps banner is hidden in the Apps section. Projects where this permission is not granted do not appear in the project selector dropdown for new app installations.No
Can update app installationsGrants the ability to see the Edit button on app cards.No
Can delete app installationsWithout this permission, the user cannot see the Uninstall option in the app card context menu.No

#Roles - Legacy Management API content permissions

Permission nameRole descriptionAlternative
Read existing entriesDeprecated. Does not control Content / Assets tabs.Read public view groups + Read public content views; Assets needs Asset model Read via content permissions.
Create new entriesAffects + Add entry in Studio. Does not replace Content API Create.Content API permissions — Create
Delete existing entriesDelete button visibility in Studio.Content API permissions — Delete
Publish non-published entriesPublish from draft where Studio checks this flag.Content API permissions — Publish
Update existing non published entriesSave on draft / non-published where wired.Content API permissions — Update
Update published entriesSave when published; unpublish where wired.Content API permissions — Update or Unpublish

#Permanent Auth Tokens

PATs interact with the Management API programmatically. When you initialize default permissions for a new PAT, those defaults cover the common schema read and create operations needed to work with the Management SDK. If you need to update or delete schema elements, add those permissions manually.

#PATs - Project & studio access

Permission nameActionDescriptionPAT default
Change the name, picture and description of a projectPROJECT_UPDATERequired for project metadata mutations (name, picture, description).No
Can use the playgroundPLAYGROUND_USEStudio-only for members with a role; not used to authorize typical PAT Management API traffic.No
Read audit logsAUDIT_LOGS_READStudio-only for members with a role; not used to authorize typical PAT Management API traffic.No
Can see Team Member SettingsVIEW_TEAM_MEMBER_SETTINGSStudio-only for members with a role; not used to authorize typical PAT Management API traffic.No
Can see Role & Permissions SettingsVIEW_ROLE_PERMISSION_SETTINGSStudio-only for members with a role; not used to authorize typical PAT Management API traffic.No
Can see schema viewVIEW_SCHEMAStudio-only for members with a role; not used to authorize typical PAT Management API traffic.No
Can see project settingsVIEW_PROJECT_SETTINGSStudio-only for members with a role; not used to authorize typical PAT Management API traffic. Included in PAT Initialize defaults.Yes
Can see environment selectorVIEW_ENVIRONMENT_SELECTORStudio-only for members with a role; not used to authorize typical PAT Management API traffic.No

#PATs - Models, components, fields

Permission nameActionDescriptionPAT default
Create new modelsMODEL_CREATERequired for model-creation mutations (for example createModel, createSimpleModel).Yes
Read existing modelsMODEL_READRequired to read models and for most schema mutations that reference existing models.Yes
Update existing modelsMODEL_UPDATERequired for model update mutations.No
Delete existing modelsMODEL_DELETERequired for model deletion mutations.No
Create new componentsCOMPONENT_CREATERequired for component-creation mutations.Yes
Read existing componentsCOMPONENT_READRequired to read components and for component-related schema operations.Yes
Update existing componentsCOMPONENT_UPDATERequired for component update mutations (schema components, not content entries).No
Delete existing componentsCOMPONENT_DELETERequired for component deletion mutations.No
Read existing fieldsFIELD_READRequired to read fields and for field-related schema operations.Yes
Create new fieldsFIELD_CREATERequired for field-creation mutations on models and components.Yes
Update existing fieldsFIELD_UPDATERequired for field update mutations.No
Delete existing fieldsFIELD_DELETERequired for field deletion mutations.No

#PATs - Enumerations

Permission nameActionDescriptionPAT default
Read existing enumerationsENUMERATION_READRequired to read enumerations and for enumeration-related schema operations.Yes
Create new enumerationsENUMERATION_CREATERequired for enumeration-creation mutations.Yes
Update existing enumerationsENUMERATION_UPDATERequired for enumeration update mutations.No
Delete existing enumerationsENUMERATION_DELETERequired for enumeration deletion mutations.No

#PATs - Taxonomies

Permission nameActionDescriptionPAT default
Read taxonomyTAXONOMY_READRequired for taxonomy queries and taxonomy-related mutations. Not included in PAT Initialize defaults.No
Create taxonomyTAXONOMY_CREATERequired for taxonomy creation mutations.No
Update taxonomyTAXONOMY_UPDATERequired for taxonomy update mutations.No
Delete taxonomyTAXONOMY_DELETERequired for taxonomy deletion mutations.No
Read taxonomy nodeTAXONOMY_NODE_READRequired for taxonomy node queries and node-related mutations.No
Create taxonomy nodeTAXONOMY_NODE_CREATERequired for taxonomy node creation mutations.No
Update taxonomy nodeTAXONOMY_NODE_UPDATERequired for taxonomy node update mutations.No
Delete taxonomy nodeTAXONOMY_NODE_DELETERequired for taxonomy node deletion mutations.No

#PATs - Remote sources

Permission nameActionDescriptionPAT default
Read remote sourcesREMOTE_SOURCE_READRequired to read remote sources and for remote-source-related schema operations.Yes
Create remote sourcesREMOTE_SOURCE_CREATERequired for remote-source-creation mutations.Yes
Update remote sourcesREMOTE_SOURCE_UPDATERequired for remote source update mutations.No
Delete remote sourcesREMOTE_SOURCE_DELETERequired for remote source deletion mutations.No

#PATs - Content views

Permission nameActionDescriptionPAT default
Create public content viewsCONTENTVIEW_CREATERequired for custom content-view creation mutations.No
Read public content viewsCONTENTVIEW_READRequired to read content views (environment.contentView, environment.contentViews).No
Update public content viewsCONTENTVIEW_UPDATERequired to update custom content views.No
Update system content viewsCONTENTVIEW_SYSTEM_UPDATERequired to update system / default content views.No
Delete public content viewsCONTENTVIEW_DELETERequired to delete custom content views.No

#PATs - View groups

Permission nameActionDescriptionPAT default
Create public view groupsVIEW_GROUP_CREATERequired for view-group creation mutations.No
Read public view groupsVIEW_GROUP_READRequired to read view groups (environment.viewGroups and related fields).No
Update public view groupsVIEW_GROUP_UPDATERequired for view-group update mutations.No
Delete public view groupsVIEW_GROUP_DELETERequired for view-group deletion mutations.No

#PATs - Locales & stages

Permission nameActionDescriptionPAT default
Read localesLOCALE_READRequired for locale queries and locale-dependent Management API operations.Yes
Create localesLOCALE_CREATERequired for locale creation mutations.No
Update localesLOCALE_UPDATERequired for locale update mutations.No
Delete localesLOCALE_DELETERequired for locale deletion mutations.No
Read stagesSTAGE_READRequired for stage queries and content-stage configuration via the Management API.Yes
Create stagesSTAGE_CREATERequired for content-stage creation mutations.No
Update stagesSTAGE_UPDATERequired for content-stage update mutations.No
Delete stagesSTAGE_DELETERequired for content-stage deletion mutations.No

#PATs - Environments

Permission nameActionDescriptionPAT default
Read existing environmentsENVIRONMENT_READRequired for environment-scoped queries and mutations for the PAT's environment.Yes
Create new environmentENVIRONMENT_CREATERequired for environment clone/create mutations.No
Update an existing environmentENVIRONMENT_UPDATERequired for environment update mutations.No
Delete an existing environmentENVIRONMENT_DELETERequired for environment deletion mutations.No
Promote an existing environmentENVIRONMENT_PROMOTERequired for promote-to-master (and similar promote) mutations. Restoring from backup uses ENVIRONMENT_BACKUP_RESTORE, not this action.No

#PATs - Environment backups

Permission nameActionDescriptionPAT default
Create new environment backupENVIRONMENT_BACKUP_CREATERequired for environment backup creation mutations.No
Read existing environment backups and their detailsENVIRONMENT_BACKUP_READRequired to query environment backups and their metadata.No
Update an existing environment backupENVIRONMENT_BACKUP_UPDATERequired for environment backup update mutations.No
Delete an existing environment backupENVIRONMENT_BACKUP_DELETERequired for environment backup deletion mutations.No
Restore an existing environment backup to a standard environmentENVIRONMENT_BACKUP_RESTORERequired to restore a backup into a standard environment.No

#PATs - Content freeze

Permission nameActionDescriptionPAT default
Allows starting, scheduling, and lifting content freezesMANAGE_CONTENT_FREEZERequired for startContentFreeze and liftContentFreeze mutations.No

#PATs - Content permission administration

Permission nameActionDescriptionPAT default
Can create content permissionsCONTENT_PERMISSION_CREATERequired to create content-permission rows (roles, PATs, or public Content API target) via the Management API.No
Can read content permissionsCONTENT_PERMISSION_READRequired to read content-permission configuration via the Management API.No
Can update content permissionsCONTENT_PERMISSION_UPDATERequired to update content-permission rows via the Management API.No
Can delete content permissionsCONTENT_PERMISSION_DELETERequired to delete content-permission rows via the Management API.No

#PATs - Permanent auth tokens

Permission nameActionDescriptionPAT default
Can create new permanent auth tokensPAT_CREATERequired for PAT creation mutations. Usually granted on a custom role for admins; grant on a PAT only when automation manages other PATs.No
Can read existing permanent auth tokensPAT_READRequired for PAT read/list operations. Usually granted on a custom role for admins.No
Can update existing permanent auth tokensPAT_UPDATERequired for PAT update mutations. Usually granted on a custom role for admins.No
Can delete existing permanent auth tokensPAT_DELETERequired for PAT deletion mutations. Usually granted on a custom role for admins.No

#PATs - Webhooks

Permission nameActionDescriptionPAT default
Create new webhooksWEBHOOK_CREATERequired for webhook creation mutations.No
Read existing webhooksWEBHOOK_READRequired for webhook queries. Studio navigation is controlled by custom roles.No
Update existing webhooksWEBHOOK_UPDATERequired for webhook update mutations.No
Delete an existing webhookWEBHOOK_DELETERequired for webhook deletion mutations.No

#PATs - Workflows

Permission nameActionDescriptionPAT default
Read workflowWORKFLOW_READRequired for workflow queries and workflow-related Management API operations.Yes
Create a new workflowWORKFLOW_CREATERequired for workflow creation mutations.No
Update a workflowWORKFLOW_UPDATERequired for workflow update mutations.No
Delete a workflowWORKFLOW_DELETERequired for workflow deletion mutations.No
Create a new workflow stepWORKFLOW_STEP_CREATERequired for workflow step creation mutations.No
Update a workflow stepWORKFLOW_STEP_UPDATERequired for workflow step update mutations.No
Delete a workflow stepWORKFLOW_STEP_DELETERequired for workflow step deletion mutations.No

#PATs - Users & team

Permission nameActionDescriptionPAT default
Invite a user into an existing projectUSER_INVITERequired for project member invite mutations. Studio UI is controlled by custom roles.No
Assign a role to a userUSER_ASSIGNROLERequired for role-assignment mutations on project members.No
Remove a user from an existing projectUSER_REMOVERequired for removing members from a project via the Management API. Also required for deleteAgent mutations.No

#PATs - User roles

Permission nameActionDescriptionPAT default
Create new rolesROLE_CREATERequired for custom role creation mutations. Studio UI is controlled by custom roles.No
Update existing rolesROLE_UPDATERequired for role update mutations (including management and content permissions on roles).No
Delete an existing roleROLE_DELETERequired for custom role deletion mutations.No

#PATs - Experimental, AI, usage

Permission nameActionDescriptionPAT default
Allows managing experimental features and their role assignmentsMANAGE_EXPERIMENTAL_FEATURESRequired for experimental-feature management mutations.No
Create AI guidelinesAI_GUIDELINE_CREATERequired for AI guideline creation mutations.No
Read AI guidelinesAI_GUIDELINE_READRequired for AI guideline queries.No
Update AI guidelinesAI_GUIDELINE_UPDATERequired for AI guideline update mutations.No
Delete AI guidelinesAI_GUIDELINE_DELETERequired for AI guideline deletion mutations.No
Read observability dataOBSERVABILITY_READRequired for observability read operations exposed by the Management API.No

#PATs - Agents

Permission nameActionDescriptionPAT default
Create a new agent configAGENT_CONFIG_CREATERequired for createAgent mutations.No
Read agent configAGENT_CONFIG_READRequired for agent configuration queries.No
Update an agent configAGENT_CONFIG_UPDATERequired for updateAgent mutations.No

#PATs - Integrations & extensions

Permission nameActionDescriptionPAT default
Can add new integrations to an existing projectINTEGRATION_CREATERequired for integration creation mutations.No
Can see existing integrations in an existing projectINTEGRATION_READRequired for integration queries.No
Can update existing integrations in an existing projectINTEGRATION_UPDATERequired for integration update mutations.No
Can delete existing integrations in an existing projectINTEGRATION_DELETERequired for integration deletion mutations.No
Can trigger a netlify build for an existing integrationNETLIFY_TRIGGER_BUILDRequired for Netlify build trigger mutations on integrations.No
Can add new extension to an existing projectEXTENSION_CREATERequired for extension creation mutations.No
Can see existing extensions in an existing projectEXTENSION_READRequired for extension queries.No
Can update existing extensions in an existing projectEXTENSION_UPDATERequired for extension update mutations.No
Can delete existing extensions in an existing projectEXTENSION_DELETERequired for extension deletion mutations.No

#PATs - App installations

Permission nameActionDescriptionPAT default
Can add app installationsAPP_INSTALLATION_CREATERequired for app installation mutations. Studio banners and selectors are controlled by custom roles.No
Can update app installationsAPP_INSTALLATION_UPDATERequired for app installation update mutations.No
Can delete app installationsAPP_INSTALLATION_DELETERequired for app uninstall mutations.No

#PATs - Legacy Management API content permissions

Permission nameActionDescriptionAlternative
Read existing entriesCONTENT_READDeprecated. No effect on Content API reads for PAT-authenticated requests.Content API permissions — Read on the PAT
Create new entriesCONTENT_CREATEDeprecated. Does not grant Content API Create for the PAT.Content API permissions — Create
Delete existing entriesCONTENT_DELETEDeprecated. Does not grant Content API Delete for the PAT.Content API permissions — Delete
Publish non-published entriesCONTENT_PUBLISHDeprecated. Does not grant Content API Publish for the PAT.Content API permissions — Publish
Update existing non published entriesCONTENT_UPDATEDeprecated. Does not grant Content API Update for the PAT.Content API permissions — Update
Update published entriesCONTENT_UPDATE_PUBLISHEDDeprecated. Does not grant Content API Update or Unpublish for the PAT.Content API permissions — Update or Unpublish