> For clean Markdown of any page, append .md to the page URL. > For a complete documentation index, see https://docs.adid.dev/llms.txt. > For full documentation content, see https://docs.adid.dev/llms-full.txt. # RBAC Permission Matrix **Used in:** ยง13.2 Permission Matrix **Audience:** all admin personas **IA ID:** D19 (rendered as Markdown table per IA "table-as-diagram" guidance) > Legend: โœ… allowed ยท ๐Ÿšซ denied ยท ๐Ÿ‘ค owner-only (caller's own DID/credential) ยท โ€” N/A | Capability | Endpoint(s) | Holder | Issuer | Verifier | Admin | | -------------------------------------- | ---------------------------------------------------------------------- | :--------: | :----: | :------: | :---: | | Sign in (OTP / OAuth / DID-Auth) | `/auth/*` | โœ… | โœ… | โœ… | โœ… | | List own DIDs | `GET /dids` | โœ… | โœ… | โœ… | โœ… | | Create DID | `POST /dids` | โœ… | โœ… | โœ… | โœ… | | Update / deactivate / rotate own DID | `PUT /dids/{did}`, `DELETE /dids/{did}`, `POST /dids/{did}/rotate-key` | ๐Ÿ‘ค | ๐Ÿ‘ค | ๐Ÿ‘ค | ๐Ÿ‘ค | | Universal DID resolve (any DID) | `GET /dids/resolve/{did}` | โœ… (public) | โœ… | โœ… | โœ… | | Read schemas | `GET /credentials/schemas` | โœ… | โœ… | โœ… | โœ… | | Create schema | `POST /credentials/schemas` | ๐Ÿšซ | โœ… | ๐Ÿšซ | โœ… | | Issue credential | `POST /credentials/issue` | ๐Ÿšซ | โœ… | ๐Ÿšซ | โœ… | | Revoke / batch-revoke | `POST /credentials/revoke`, `/batch-revoke` | ๐Ÿšซ | โœ… | ๐Ÿšซ | โœ… | | Verify credential / presentation | `POST /credentials/verify`, `/presentations/verify` | โœ… (public) | โœ… | โœ… | โœ… | | Create presentation | `POST /presentations/create` | โœ… | โœ… | โœ… | โœ… | | Add verification record | `POST /verifications` | ๐Ÿšซ | ๐Ÿšซ | โœ… | โœ… | | Read verifications history / stats | `GET /verifications/*` | โœ… | โœ… | โœ… | โœ… | | Manage trusted issuers | `POST/DELETE /verifier/trusted-issuers/*` | ๐Ÿšซ | ๐Ÿšซ | โœ… | โœ… | | Generate ZK challenge / proof | `POST /zkp/challenge`, `/zkp/proofs` | โœ… | โœ… | โœ… | โœ… | | Verify ZK proof | `POST /zkp/verify` | โœ… (public) | โœ… | โœ… | โœ… | | Register / update / decommission agent | `POST /agents`, `PUT/DELETE /agents/{did}` | ๐Ÿ‘ค | ๐Ÿ‘ค | ๐Ÿ‘ค | โœ… | | Read agent audit log / delegations | `GET /agents/{did}/audit-log`, `/delegations` | โœ… | โœ… | โœ… | โœ… | | DIDComm send / receive (in-platform) | `POST /didcomm/send`, `/didcomm/receive` | โœ… | โœ… | โœ… | โœ… | | Dashboard stats / events / activity | `GET /dashboard/*` | โœ… | โœ… | โœ… | โœ… | | Issuer analytics | `GET /issuers/{did}/analytics` | โœ… | โœ… | โœ… | โœ… | | Health / readiness | `GET /health`, `/ready` | โœ… (public) | โœ… | โœ… | โœ… | Matrix verified against `packages/api/internal/router/router.go` lines 42โ€“186 (`middleware.RequireRoles("issuer" | "verifier")`). Admin is treated as a superset role at the middleware layer. ***