Permissions
Renovatr uses a granular permission system made up of 20 boolean flags. The same flags apply to shared users and to API keys.
Permission Flags
| Permission | Description |
|---|---|
| canViewProject | View project details |
| canEditProject | Edit project settings |
| canDeleteProject | Delete the project |
| canViewDeliverables | View deliverables list |
| canCreateDeliverables | Create new deliverables |
| canEditDeliverables | Edit existing deliverables |
| canDeleteDeliverables | Delete deliverables |
| canViewSnags | View snags list |
| canCreateSnags | Create new snags |
| canEditSnags | Edit existing snags |
| canDeleteSnags | Delete snags |
| canViewIncidents | View incidents |
| canCreateIncidents | Create incidents |
| canEditIncidents | Edit incidents |
| canDeleteIncidents | Delete incidents |
| canViewInvoices | View invoices |
| canCreateInvoices | Create invoices |
| canEditInvoices | Edit invoices |
| canDeleteInvoices | Delete invoices |
| canViewFinancials | View costs, commission, and financial summaries |
Presets
When creating an API key or sharing a project, you can use presets for convenience:
| Preset | Description |
|---|---|
| View Only | All canView* flags enabled |
| Editor | View + create + edit (no delete) |
| Full Access | All 20 permissions enabled |
| Client View | View project, deliverables, and snags; no financials |
Project Owners
Project owners always have full permissions regardless of any permission configuration. Ownership cannot be transferred.
Checking Permissions
The API enforces permissions on every request. If an operation requires a flag that your API key (or shared-user grant) does not have, the request is rejected with a 403 Forbidden response:

```json
{
  "error": "Forbidden: insufficient permissions"
}
```
API Key Scope
API keys are scoped to a single project. Any request that targets a different project with that key is rejected with 403 Forbidden, regardless of which permission flags the key carries.
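The following is an added example, not Renovatr's own code, that models the rules on this page in one place: the 20 flags, the four presets derived from the flag names, the owner override, the single-project scope of API keys and the 403 decision. The `Principal` and `Project` shapes, the `authorize` name and the response tuples are assumptions made for the illustration; the page does not say whether the scope failure uses the same error body, so that is assumed too.

```python
"""Model of the 20-flag permission system: presets, owner override,
single-project API-key scope and the 403 decision.
Added illustration, not Renovatr's code; shapes and names are assumed."""
from __future__ import annotations

from dataclasses import dataclass

# The 20 flags exactly as listed in the table (note: there is no canCreateProject).
PERMISSION_FLAGS = (
    "canViewProject", "canEditProject", "canDeleteProject",
    "canViewDeliverables", "canCreateDeliverables", "canEditDeliverables", "canDeleteDeliverables",
    "canViewSnags", "canCreateSnags", "canEditSnags", "canDeleteSnags",
    "canViewIncidents", "canCreateIncidents", "canEditIncidents", "canDeleteIncidents",
    "canViewInvoices", "canCreateInvoices", "canEditInvoices", "canDeleteInvoices",
    "canViewFinancials",
)


def preset(name: str) -> frozenset:
    """Flag set enabled by a preset, derived from the flag names."""
    if name == "View Only":
        return frozenset(f for f in PERMISSION_FLAGS if f.startswith("canView"))
    if name == "Editor":
        # View + create + edit: everything except the delete flags.
        # Assumption: canViewFinancials counts as a View flag here.
        return frozenset(f for f in PERMISSION_FLAGS if not f.startswith("canDelete"))
    if name == "Full Access":
        return frozenset(PERMISSION_FLAGS)
    if name == "Client View":
        return frozenset({"canViewProject", "canViewDeliverables", "canViewSnags"})
    raise ValueError(f"unknown preset: {name!r}")


@dataclass(frozen=True)
class Project:
    project_id: str
    owner_id: str


@dataclass(frozen=True)
class Principal:
    """A shared user (user_id set) or an API key (key_project_id set). Assumed shape."""
    flags: frozenset
    user_id: str | None = None
    key_project_id: str | None = None


FORBIDDEN = (403, {"error": "Forbidden: insufficient permissions"})
OK = (200, None)


def authorize(principal: Principal, project: Project, required: str):
    """Return the (status, body) pair for one operation on one project."""
    if required not in PERMISSION_FLAGS:
        raise ValueError(f"unknown permission flag: {required!r}")
    # API keys are bound to exactly one project; any other project is 403.
    # Assumption: the scope failure returns the same error body.
    if principal.key_project_id is not None and principal.key_project_id != project.project_id:
        return FORBIDDEN
    # Owners always have full permissions, whatever the flag configuration.
    if principal.user_id is not None and principal.user_id == project.owner_id:
        return OK
    return OK if required in principal.flags else FORBIDDEN


if __name__ == "__main__":
    proj = Project("p1", "alice")
    key = Principal(flags=preset("View Only"), key_project_id="p1")
    print(authorize(key, proj, "canViewInvoices"))     # (200, None)
    print(authorize(key, proj, "canDeleteInvoices"))   # 403 tuple
    print(authorize(key, Project("p2", "alice"), "canViewProject"))  # 403: wrong project
```

Two properties worth checking in any client you build on top of this: the presets nest (Client View is a strict subset of View Only, which is a strict subset of Editor, which is a strict subset of Full Access), and the project-scope test runs before the flag test, so a key with Full Access on one project still gets 403 on every other project.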
Permission Integrity
Permission rows are protected by HMAC signatures. If a row fails verification (for example because it was modified directly in the database), the system fails closed: the row is treated as granting no permissions, and no error other than the resulting denial is surfaced.
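The mechanism described above, as an added example that is not Renovatr's code: each permission row carries an HMAC-SHA256 tag over a canonical encoding of its content, and a row whose tag does not verify yields an empty flag set. The row layout (`project_id`, `subject`, `permissions`, `hmac`), the canonical JSON encoding and the key handling are assumptions; the sample row and key are constructed for the example.

```python
"""HMAC-protected permission rows that fail closed on tamper.
Added illustration, not Renovatr's code; row layout and encoding are assumed."""
import hashlib
import hmac
import json


def _canonical(row: dict) -> bytes:
    """Bytes the tag covers: the flags *and* the project/subject binding,
    so a valid row cannot be copied onto another project or another user."""
    body = {k: row[k] for k in ("project_id", "subject", "permissions")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_row(row: dict, key: bytes) -> dict:
    """Return a copy of `row` carrying its HMAC-SHA256 tag (server-side write path)."""
    signed = dict(row)
    signed["hmac"] = hmac.new(key, _canonical(row), hashlib.sha256).hexdigest()
    return signed


def effective_flags(row: dict, key: bytes) -> frozenset:
    """Granted flags for a stored row; any verification failure yields no access."""
    try:
        expected = hmac.new(key, _canonical(row), hashlib.sha256).hexdigest()
    except (KeyError, TypeError):
        return frozenset()  # malformed row: fail closed
    if not hmac.compare_digest(str(row.get("hmac", "")), expected):
        return frozenset()  # tampered or re-keyed row: fail closed, no exception
    return frozenset(flag for flag, on in row["permissions"].items() if on is True)


# Constructed sample data for the example; a real key lives only on the server.
SERVER_KEY = b"example-key-keep-this-server-side"
ROW = sign_row(
    {
        "project_id": "p1",
        "subject": "apikey:k7",
        "permissions": {"canViewProject": True, "canEditProject": False, "canDeleteProject": False},
    },
    SERVER_KEY,
)


def tamper_demo():
    """Return the flag sets for the intact row, an escalated row and a moved row."""
    intact = effective_flags(ROW, SERVER_KEY)
    # Flip a flag in storage without re-signing: the tag no longer matches.
    escalated = dict(ROW)
    escalated["permissions"] = {**ROW["permissions"], "canDeleteProject": True}
    # Copy a valid row onto another project: the binding is inside the MAC.
    moved = {**ROW, "project_id": "p2"}
    return intact, effective_flags(escalated, SERVER_KEY), effective_flags(moved, SERVER_KEY)


if __name__ == "__main__":
    print(tamper_demo())
```

Because the fallback is silent, a verification failure looks identical to an ordinary missing permission from the caller's side. If you operate a deployment that uses this pattern, count verification failures separately from plain denials: a row that suddenly stops verifying is either a key rotation you forgot to re-sign for, or someone editing the table directly.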