Bootstrap the Environment's permission catalog and roles
/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/setup/access-bootstrapAuthentication
- Bearer Token
AuthorizationJWT access token
Request body
resourcesBootstrapResourceDto[]Resources to generate permissions for
rolesBootstrapRoleDto[]Roles to create with their permission assignments
Code samples
curl -X POST "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/setup/access-bootstrap" \
-H "Authorization: Bearer $CANOPY_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"resources": [
{
"name": "notes",
"actions": [
"create",
"read",
"update",
"delete"
]
}
],
"roles": [
{
"name": "Admin",
"description": "Full access to all resources",
"permission_keys": [
"notes.create",
"notes.read",
"notes.update",
"notes.delete"
]
}
]
}'const response = await fetch("https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/setup/access-bootstrap", {
method: "POST",
headers: {
"Authorization": "Bearer $CANOPY_TOKEN",
"Content-Type": "application/json"
},
body: JSON.stringify({
"resources": [
{
"name": "notes",
"actions": [
"create",
"read",
"update",
"delete"
]
}
],
"roles": [
{
"name": "Admin",
"description": "Full access to all resources",
"permission_keys": [
"notes.create",
"notes.read",
"notes.update",
"notes.delete"
]
}
]
}),
});
const data = await response.json();import requests
response = requests.post(
"https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/setup/access-bootstrap",
headers={
"Authorization": "Bearer $CANOPY_TOKEN",
"Content-Type": "application/json"
},
json={
"resources": [
{
"name": "notes",
"actions": [
"create",
"read",
"update",
"delete",
],
},
],
"roles": [
{
"name": "Admin",
"description": "Full access to all resources",
"permission_keys": [
"notes.create",
"notes.read",
"notes.update",
"notes.delete",
],
},
],
},
)
data = response.json()package main
import (
"bytes"
"encoding/json"
"net/http"
)
func main() {
payload := map[string]interface{}{
"resources": []interface{}{
map[string]interface{}{
"name": "notes",
"actions": []interface{}{
"create",
"read",
"update",
"delete",
},
},
},
"roles": []interface{}{
map[string]interface{}{
"name": "Admin",
"description": "Full access to all resources",
"permission_keys": []interface{}{
"notes.create",
"notes.read",
"notes.update",
"notes.delete",
},
},
},
}
body, _ := json.Marshal(payload)
req, _ := http.NewRequest("POST", "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/setup/access-bootstrap", bytes.NewBuffer(body))
req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")
req.Header.Set("Content-Type", "application/json")
resp, _ := http.DefaultClient.Do(req)
defer resp.Body.Close()
}Responses
201 Permissions, roles, and role-permission joins created in a single transaction. No admin role assignment is seeded — admin users bypass RBAC; role assignments are for end-user identities.
{
"permissions_created": 0,
"roles_created": 0,
"skipped_permissions": 0,
"skipped_roles": 0
}application/json
permissions_creatednumberNumber of permissions created
roles_creatednumberNumber of roles created
skipped_permissionsnumberNumber of permissions skipped (already exist)
skipped_rolesnumberNumber of roles skipped (already exist)
401 Invalid or expired token
403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)
409 Environment already has custom permissions or roles