Merged
1 change: 1 addition & 0 deletions api-reference/error-codes.mdx
Expand Up @@ -64,6 +64,7 @@ Every code on this page is one `agentsfleetd` can actually emit — the list is
| `UZ-AUTH-006` | 401 | Session expired | Auth session timed out before completion |
| `UZ-AUTH-009` | 403 | Insufficient role | Token role is too low for this endpoint |
| `UZ-AUTH-010` | 403 | Unsupported role | Token contains an unrecognized role claim |
| `UZ-AUTH-022` | 403 | Insufficient scope | Token lacks the required `resource:action` scope for this endpoint. The `detail` field names the required scope (e.g. `Requires scope fleet:admin`). |

## CLI login

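Review bot: the table's lead-in (kept as context in the `@@` header) promises that every code on the page is one `agentsfleetd` can actually emit, yet this hunk adds `UZ-AUTH-022` while leaving the role-based rows `UZ-AUTH-009` "Insufficient role" and `UZ-AUTH-010` "Unsupported role" untouched, even though the changelog hunk in the same PR says `resource:action` scopes replace the `user`/`operator`/`admin` roles. Either state when the role codes are still emitted (e.g. for tokens issued before the cut-over) or retire them in this change so the "actually emit" claim stays true. Minor style point on the new row: every other row is a single terse clause, while this one carries two sentences plus a worked example; `| `UZ-AUTH-022` | 403 | Insufficient scope | Token lacks the required `resource:action` scope; `detail` names the missing scope |` would match the table, with the `Requires scope fleet:admin` example moved to the surrounding prose. Since `admin` satisfies `write` satisfies `read`, it is also worth saying that the scope named in `detail` is the minimum rung, not the only scope that passes.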
14 changes: 14 additions & 0 deletions changelog.mdx
Expand Up @@ -22,6 +22,20 @@ export const STAGE_SELF_MANAGED_M66 = "$0.0001";
agentsfleet is in **stealth-mode testing** and pre-production. APIs and agent behavior may change between releases without long deprecation windows. Email [agentsfleet@agentmail.to](mailto:agentsfleet@agentmail.to) if you want a hand calibrating an agent or to join as a design partner.
</Tip>

<Update label="Jun 30, 2026" tags={["What's new", "API"]}>
## Authorization is now scope-based

Every capability a token holds is now an explicit `resource:action` scope, read directly off the token — replacing the old `user`/`operator`/`admin` roles and the `platform_admin` flag. A correctly-provisioned principal sees no change: every route that worked before still works, and tenant isolation and workspace ownership are enforced exactly as before. What changes is that "what can this token do?" is now enumerable, and a denial tells you precisely which scope is missing.

## API reference

- **`scopes` claim** — the session token and tenant API key now carry an explicit space-delimited `scopes` list (e.g. `fleet:admin credential:write workspace:admin`). It is provisioned automatically for a workspace owner at signup; a strict client needs no change.
- **`403 UZ-AUTH-022` "Insufficient scope"** — a capability denial now names the required scope in the error detail (`Requires scope fleet:admin`), instead of an opaque role rejection.
- **`read < write < admin` hierarchy** — per resource, `admin` satisfies `write` satisfies `read`, so a `fleet:admin` holder passes any `fleet:read` route. A destructive route (e.g. `DELETE`) can require the top rung.

See the [error-codes reference](/api-reference/error-codes) for `UZ-AUTH-022` and the full authorization code registry.
</Update>

<Update label="Jun 28, 2026" tags={["What's new", "UI", "API", "Bug fixes"]}>
## Template installs now explain why a credential is needed

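Review bot: the entry says scopes replace the old roles and the `platform_admin` flag, but it does not say what happens to session tokens and tenant API keys issued before Jun 30 that carry a role claim and no `scopes` claim: are they rejected with `403 UZ-AUTH-022`, mapped to an equivalent scope set, or do holders need to re-issue them? That is the first thing an integrator reading a changelog wants to know, and the "a correctly-provisioned principal sees no change" sentence only covers principals provisioned under the new scheme. Two smaller points in the API reference bullets: "space-delimited `scopes` list" is ambiguous between a single space-separated string and a JSON array, and clients parsing the claim need to know which (the example `fleet:admin credential:write workspace:admin` suggests a string, so say so); and "a strict client needs no change" should spell out what "strict" means here, for example a client that validates claims but ignores ones it does not recognise, since a client that rejects unknown claims would be affected by the new `scopes` claim.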