Skip to main content

Role-Based Access Control (RBAC)

VoxKey implements RBAC through API Resources, Scopes, and Roles. This lets you control what users and applications can access in your APIs.

Data model

API Resources

An API Resource represents a protected API in your system. Each resource has:

  • Name -- human-readable label (e.g. "Blog API")
  • Indicator -- audience URI used in token requests (e.g. https://api.example.com)
  • Access Token TTL -- token lifetime in seconds for this resource
  • Scopes -- permissions belonging to this resource

Request tokens for a specific resource using the resource parameter:

curl -X POST https://auth.example.com/oauth2/{realmUUID}/token \
  -d grant_type=client_credentials \
  -d client_id=YOUR_CLIENT_ID \
  -d client_secret=YOUR_SECRET \
  -d scope="read:posts write:posts" \
  -d resource=https://api.example.com

Scopes

Scopes are permissions attached to an API Resource. They appear in JWT access tokens as the scope claim.

Built-in OIDC scopes (always available):

  • openid -- required for OIDC flows
  • profile -- user name and metadata
  • email -- user email address
  • phone -- user phone number
  • offline_access -- issue refresh tokens

Custom scopes are defined per API Resource (e.g. read:posts, admin:users).

Roles

Roles group scopes together and are assigned to users or applications.

Two role types:

TypeAssigned toUse case
userRealm usersEnd-user permissions (viewer, editor, admin)
m2mApplicationsMachine-to-machine service permissions

A role can include scopes from multiple API Resources.

Management API

Every realm gets a built-in Management API resource with these scopes:

ScopeDescription
allFull access to all endpoints
users:readView users
users:writeCreate, update, delete users
users:rolesManage user role assignments
applications:readView applications
applications:writeCreate, update, delete applications
roles:readView roles
roles:writeCreate, update, delete roles
resources:readView API resources
resources:writeCreate, update, delete API resources
providers:readView auth providers
providers:writeManage auth providers
settings:readView realm settings
settings:writeUpdate realm settings
logs:readView audit logs

How tokens carry permissions

When a user or M2M app requests a token, VoxKey resolves their roles, collects all granted scopes, intersects with the requested scopes, and embeds them in the JWT:

{
  "sub": "user_abc123",
  "aud": "https://api.example.com",
  "scope": "read:posts write:posts",
  "iss": "https://auth.example.com/oauth2/{realmUUID}",
  "exp": 1711612800
}

Setting up RBAC

  1. Create an API Resource -- define your API's audience URI and scopes
  2. Create Roles -- group scopes into logical roles
  3. Assign Roles -- assign roles to users or M2M applications
  4. Validate in your API -- check the scope claim in incoming JWTs