RBAC Permission Matrix

Used in: §13.2 Permission Matrix
Audience: all admin personas
IA ID: D19 (rendered as Markdown table per IA “table-as-diagram” guidance)

Legend: ✅ allowed · 🚫 denied · 👤 owner-only (caller’s own DID/credential) · — N/A

| Capability | Endpoint(s) | Holder | Issuer | Verifier | Admin |
|---|---|---|---|---|---|
| Sign in (OTP / OAuth / DID-Auth) | /auth/* | ✅ | ✅ | ✅ | ✅ |
| List own DIDs | GET /dids | ✅ | ✅ | ✅ | ✅ |
| Create DID | POST /dids | ✅ | ✅ | ✅ | ✅ |
| Update / deactivate / rotate own DID | PUT /dids/{did}, DELETE /dids/{did}, POST /dids/{did}/rotate-key | 👤 | 👤 | 👤 | 👤 |
| Universal DID resolve (any DID) | GET /dids/resolve/{did} | ✅ (public) | ✅ (public) | ✅ (public) | ✅ (public) |
| Read schemas | GET /credentials/schemas | ✅ | ✅ | ✅ | ✅ |
| Create schema | POST /credentials/schemas | 🚫 | ✅ | 🚫 | ✅ |
| Issue credential | POST /credentials/issue | 🚫 | ✅ | 🚫 | ✅ |
| Revoke / batch-revoke | POST /credentials/revoke, /batch-revoke | 🚫 | ✅ | 🚫 | ✅ |
| Verify credential / presentation | POST /credentials/verify, /presentations/verify | ✅ (public) | ✅ (public) | ✅ (public) | ✅ (public) |
| Create presentation | POST /presentations/create | ✅ | ✅ | ✅ | ✅ |
| Add verification record | POST /verifications | 🚫 | 🚫 | ✅ | ✅ |
| Read verifications history / stats | GET /verifications/* | ✅ | ✅ | ✅ | ✅ |
| Manage trusted issuers | POST/DELETE /verifier/trusted-issuers/* | 🚫 | 🚫 | ✅ | ✅ |
| Generate ZK challenge / proof | POST /zkp/challenge, /zkp/proofs | ✅ | ✅ | ✅ | ✅ |
| Verify ZK proof | POST /zkp/verify | ✅ (public) | ✅ (public) | ✅ (public) | ✅ (public) |
| Register / update / decommission agent | POST /agents, PUT/DELETE /agents/{did} | 👤 | 👤 | 👤 | ✅ |
| Read agent audit log / delegations | GET /agents/{did}/audit-log, /delegations | ✅ | ✅ | ✅ | ✅ |
| DIDComm send / receive (in-platform) | POST /didcomm/send, /didcomm/receive | ✅ | ✅ | ✅ | ✅ |
| Dashboard stats / events / activity | GET /dashboard/* | ✅ | ✅ | ✅ | ✅ |
| Issuer analytics | GET /issuers/{did}/analytics | ✅ | ✅ | ✅ | ✅ |
| Health / readiness | GET /health, /ready | ✅ (public) | ✅ (public) | ✅ (public) | ✅ (public) |

Matrix verified against packages/api/internal/router/router.go lines 42–186 (middleware.RequireRoles("issuer" | "verifier")). Admin is treated as a superset role at the middleware layer.
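The two rules the matrix encodes (role gating with admin as a superset, and 👤 rows binding every persona, admin included, to its own DID) interact, and it is easy to let the superset rule swallow the owner check. The following is an added example, not the project's router.go or middleware: the route table, the `Allowed` function and the "METHOD /path" keys are all hypothetical names constructed for this illustration.

```go
package main

import "fmt"

// Route mirrors one row of the matrix: Roles empty = any signed-in persona
// may call it; OwnerOnly = a 👤 row, where the caller's DID must equal the
// {did} in the path.
type Route struct {
	Roles     []string
	OwnerOnly bool
}

// Hypothetical route table for a few rows of the matrix (constructed for
// this example, not the project's router.go).
var routes = map[string]Route{
	"POST /credentials/issue":        {Roles: []string{"issuer"}},
	"POST /verifier/trusted-issuers": {Roles: []string{"verifier"}},
	"POST /dids/{did}/rotate-key":    {OwnerOnly: true},
	"GET /dids":                      {},
}

// Allowed applies the matrix rules: admin is a superset of issuer/verifier
// on role-gated rows, but a 👤 row binds every persona, admin included, to
// its own DID. Unknown routes are denied so a new endpoint cannot be
// reachable before it has a row in the matrix.
func Allowed(key, role, callerDID, pathDID string) bool {
	r, ok := routes[key]
	if !ok {
		return false
	}
	if r.OwnerOnly && callerDID != pathDID {
		return false
	}
	if len(r.Roles) == 0 || role == "admin" {
		return true
	}
	for _, want := range r.Roles {
		if want == role {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(Allowed("POST /credentials/issue", "admin", "", ""))    // true
	fmt.Println(Allowed("POST /credentials/issue", "verifier", "", "")) // false
	fmt.Println(Allowed("POST /dids/{did}/rotate-key", "admin", "did:example:a", "did:example:b")) // false
}
```

Running the table through a check like this against the matrix rows is a cheap way to catch a route that was registered without `RequireRoles` or an owner check.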