← All docs

Admin API — Route Role Map

Every route in apps/backend/apps/admin, mapped to a granular role scope. A user may hold any combination of these scopes.
Roles are independent scopes, not a hierarchy. A user holding only user_administration_read can view player data but cannot moderate. Write scopes do not imply read — grant both if the UI needs to read before writing. any means the route requires only a valid admin session (auth/health/self-MFA).

Role model — what each scope covers

user_administration_read

user_administration_write

platform_setup_read

platform_setup_write

payments_read

payments_write

documents_write

any

Highest-blast-radius routes worth extra care

Gated by the roles above, but each deserves audit logging / secondary approval / rate limiting at the application layer:

Judgment calls worth reviewing