Register new permission(s)

POST

/api/v1/permissions

Authentication

Bearer Token Authorization
JWT access token
API Key X-API-Key
API key for management-tier access

Request body

permissionsPermissionItemDto[]*
One or more permissions to register

Code samples

cURL

JavaScript

Python

curl -X POST "https://api.canopy.dev/api/v1/permissions" \
  -H "X-API-Key: $CANOPY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "permissions": [
      {
        "key": "string",
        "description": "string",
        "category": "string"
      }
    ]
  }'

const response = await fetch("https://api.canopy.dev/api/v1/permissions", {
  method: "POST",
  headers: {
    "X-API-Key": "$CANOPY_API_KEY",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    "permissions": [
      {
        "key": "string",
        "description": "string",
        "category": "string"
      }
    ]
  }),
});

const data = await response.json();

import requests

response = requests.post(
    "https://api.canopy.dev/api/v1/permissions",
    headers={
    "X-API-Key": "$CANOPY_API_KEY",
    "Content-Type": "application/json"
    },
    json={
        "permissions": [
            {
                "key": "string",
                "description": "string",
                "category": "string",
            },
        ],
    },
)

data = response.json()

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload := map[string]interface{}{
		"permissions": []interface{}{
			map[string]interface{}{
				"key": "string",
				"description": "string",
				"category": "string",
			},
		},
	}
	body, _ := json.Marshal(payload)

	req, _ := http.NewRequest("POST", "https://api.canopy.dev/api/v1/permissions", bytes.NewBuffer(body))
	req.Header.Set("X-API-Key", "$CANOPY_API_KEY")
	req.Header.Set("Content-Type", "application/json")

	resp, _ := http.DefaultClient.Do(req)
	defer resp.Body.Close()
}

Responses

201 Permission(s) created

{
  "id": "string",
  "application_id": "string",
  "key": "string",
  "description": "string",
  "category": "string",
  "source": "system",
  "created_at": "2026-04-20T12:00:00.000Z",
  "version": 0
}

application/json

idstring*
application_idstring*
keystring*
descriptionstring
categorystring
sourceenum: "system" | "custom"*
created_atstring (date-time)*
versionnumber*
Optimistic-lock version. Send back as the `If-Match` header when updating to detect concurrent edits.

401 Invalid or expired token

403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)

Returned object

The PermissionResponseDto object View all properties on this resource

On this page

GETList permission catalog
GETGet a permission
PATCHUpdate permission metadata
DELETERemove a permission
POSTEvaluate authorization
POSTBulk evaluate authorization