Team & RBAC

Each tenant has a team of users with role-based access control (RBAC). Users can belong to multiple tenants.

GET /v1/team/members
Authorization: Bearer <token>

[
  {
    "id": "...",
    "tenant_id": "...",
    "user_id": "...",
    "role_id": "00000000-0000-0000-0000-000000000001",
    "joined_at": "2026-03-26T12:00:00Z",
    "email": "alice@example.com",
    "display_name": "Alice Martin",
    "role_name": "owner"
  }
]

POST /v1/team/invite
Authorization: Bearer <token>

Permission required: members:invite

| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Email to invite |
| role_id | string (UUID) | Yes | Role to assign (cannot be owner) |

Invitations are subject to the tenant’s member limit.

Returns an invitation with a token for the accept link.


DELETE /v1/team/members/:user_id
Authorization: Bearer <token>

Permission required: members:remove

Cannot remove yourself or the tenant owner.


PATCH /v1/team/members/:user_id/role
Authorization: Bearer <token>

Permission required: members:update_role

{ "role_id": "00000000-0000-0000-0000-000000000003" }

Cannot change the owner’s role or assign the owner role.


GET /v1/roles
Authorization: Bearer <token>

Returns built-in system roles plus any custom roles for the tenant.


GET /v1/roles/:role_id/permissions
Authorization: Bearer <token>

["credentials:issue", "credentials:verify", "dids:list", "..."]

POST /v1/roles
Authorization: Bearer <token>

Permission required: roles:manage

{
  "name": "auditor",
  "description": "Read-only compliance access",
  "permissions": ["compliance:report", "compliance:audit", "credentials:list"]
}

| Role | Description | Key permissions |
|---|---|---|
| owner | Full tenant control | All 25 permissions including tenant:manage, tenant:delete |
| admin | Manage members and operations | All except tenant:delete |
| member | Issue, verify, manage credentials | Credentials, DIDs, DIDComm, compliance, trust, usage |
| viewer | Read-only access | credentials:verify, credentials:list, dids:list, compliance:report/audit, trust:query, usage:view |
| api-only | Programmatic operations | Credentials, DIDs, DIDComm, compliance, trust (no member management) |

| Permission | Description |
|---|---|
| tenant:manage | Manage tenant settings, billing, domains |
| tenant:delete | Delete the tenant |
| members:invite | Invite new team members |
| members:remove | Remove team members |
| members:update_role | Change member roles |
| roles:manage | Create/edit custom roles |
| api_keys:create | Create API keys |
| api_keys:revoke | Revoke API keys |
| credentials:issue | Issue credentials |
| credentials:verify | Verify credentials |
| credentials:revoke | Revoke credentials |
| credentials:list | List/view credentials |
| dids:create | Create DIDs |
| dids:list | List/resolve DIDs |
| dids:deactivate | Deactivate DIDs |
| didcomm:send | Send DIDComm messages |
| didcomm:receive | Receive DIDComm messages |
| compliance:report | Generate compliance reports |
| compliance:consent | Manage consent records |
| compliance:audit | Query audit trail |
| trust:attest | Add trust attestations, create delegations |
| trust:query | Query trust scores, verify delegations |
| webhooks:manage | Manage webhooks |
| usage:view | View usage and billing |
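
A pre-flight review of a custom role body for POST /v1/roles, checked against the permission and role tables on this page. This is an added example, not code from the platform: review_role, its read_only flag and the ACCESS_CONTROL grouping are assumptions of the example, and the second sample body is constructed.

```python
# Permission catalogue copied from the permission table on this page.
KNOWN = {
    "tenant:manage", "tenant:delete", "members:invite", "members:remove",
    "members:update_role", "roles:manage", "api_keys:create", "api_keys:revoke",
    "credentials:issue", "credentials:verify", "credentials:revoke",
    "credentials:list", "dids:create", "dids:list", "dids:deactivate",
    "didcomm:send", "didcomm:receive", "compliance:report",
    "compliance:consent", "compliance:audit", "trust:attest", "trust:query",
    "webhooks:manage", "usage:view",
}
# Permissions the role table lists for the built-in "viewer" role.
VIEWER = {
    "credentials:verify", "credentials:list", "dids:list", "compliance:report",
    "compliance:audit", "trust:query", "usage:view",
}
# Assumption of this example, not a platform classification: permissions that
# change who has access or what a role grants.
ACCESS_CONTROL = {
    "tenant:manage", "tenant:delete", "members:invite", "members:remove",
    "members:update_role", "roles:manage", "api_keys:create",
}


def review_role(role, read_only=False):
    """Review a POST /v1/roles body before it is sent; returns findings."""
    requested = role.get("permissions", [])
    known = set(requested) & KNOWN
    findings = {
        "unknown": sorted(set(requested) - KNOWN),         # typos, stale names
        "access_control": sorted(known & ACCESS_CONTROL),  # needs explicit sign-off
        "beyond_viewer": sorted(known - VIEWER) if read_only else [],
        "duplicates": sorted({p for p in requested if requested.count(p) > 1}),
    }
    findings["ok"] = not any(findings.values())  # True only if every list is empty
    return findings


# The "auditor" body shown on this page.
AUDITOR = {"name": "auditor", "description": "Read-only compliance access",
           "permissions": ["compliance:report", "compliance:audit", "credentials:list"]}
# Constructed sample: a role meant to be read-only that has drifted.
CONSTRUCTED = {"name": "support-readonly", "description": "constructed sample",
               "permissions": ["credentials:list", "credential:issue",
                               "roles:manage", "credentials:revoke", "credentials:list"]}

if __name__ == "__main__":
    for body in (AUDITOR, CONSTRUCTED):
        print(body["name"], review_role(body, read_only=True))
```

Running the review in CI on role definitions kept in version control gives a reviewable record of every permission a custom role gains.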