Permissions
Slab5 starts with simple roles and explicit scopes. Every MCP tool and API route declares the scopes it requires.
Roles and scopes
Initial roles: owner, admin, member, agent, and readonly.
Initial scopes include crm:read, crm:write, support:read, support:write, tasks:read, tasks:write, activity:read, activity:write, cms:read, cms:write, assets:read, assets:write, integrations:read, integrations:write, analytics:read, analytics:write, bi:read, bi:write, audit:read, and settings:admin.
In the hosted control plane, workspace administration requires local owner or admin membership in the target workspace. Users with the member or readonly role cannot create or revoke API keys or MCP clients, change module access, rename workspaces, send invitations, or change the MCP auth policy.
WorkOS organization roles are mirrored into local Slab5 workspace roles when a user loads a Slab5 Team in the control plane. Unknown WorkOS role slugs default to local member access.
Scope model
Scopes are workspace-scoped permissions attached to a token. Every MCP tool and REST API route declares the exact scopes it requires before the call is accepted.
- `*:read` scopes allow listing, searching, and fetching workspace resources.
- `*:write` scopes allow creating or changing workspace resources and always produce audit events.
- `settings:admin` is reserved for workspace and token administration.
- Agents should receive the smallest scope set needed for their workflow.
- Scopes do not bypass module enablement. A token with `support:write` still cannot call Support tools unless the Support module is enabled in that workspace.
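The gate described in the Scope model, as an added example (this is illustrative code, not Slab5's own implementation). Tool names, scope names and module slugs are taken from this page; the types, the `authorize` and `minimalScopesFor` function names, and the workspace-mismatch check are assumptions for illustration. It also shows how the "smallest scope set" for an agent falls out of the declared contracts.

```typescript
// Added example, not Slab5's own code: a scope-and-module gate modelled on
// the Scope model. Types and function names are assumptions.

type Scope = string;                  // e.g. "crm:read", "support:write"
type ModuleSlug = "crm" | "support" | "tasks" | "activity_log";

interface ToolContract {
  name: string;
  module: ModuleSlug;
  requiredScopes: Scope[];            // every listed scope must be on the token
}

interface WorkspaceToken {
  workspaceId: string;
  scopes: Set<Scope>;
}

interface WorkspaceState {
  id: string;
  enabledModules: Set<ModuleSlug>;
}

// Declared up front, the way every MCP tool and route declares its scopes.
const TOOLS: Record<string, ToolContract> = {
  create_contact:        { name: "create_contact",        module: "crm",     requiredScopes: ["crm:write"] },
  search_contacts:       { name: "search_contacts",       module: "crm",     requiredScopes: ["crm:read"] },
  create_support_ticket: { name: "create_support_ticket", module: "support", requiredScopes: ["support:write"] },
  list_tasks:            { name: "list_tasks",            module: "tasks",   requiredScopes: ["tasks:read"] },
};

type Denial = "unknown_tool" | "workspace_mismatch" | "module_disabled" | "missing_scope";

interface Decision {
  allowed: boolean;
  reason?: Denial;
  missing?: Scope[];   // scopes the token lacks, when reason is "missing_scope"
  audit: boolean;      // true when the call must emit an audit event
}

function makeToken(workspaceId: string, scopes: Scope[]): WorkspaceToken {
  return { workspaceId, scopes: new Set(scopes) };
}

function makeWorkspace(id: string, modules: ModuleSlug[]): WorkspaceState {
  return { id, enabledModules: new Set(modules) };
}

function authorize(toolName: string, token: WorkspaceToken, workspace: WorkspaceState): Decision {
  const tool = TOOLS[toolName];
  if (!tool) return { allowed: false, reason: "unknown_tool", audit: false };

  // Scopes are workspace-scoped: a token issued for another workspace is
  // rejected before any scope comparison happens.
  if (token.workspaceId !== workspace.id) {
    return { allowed: false, reason: "workspace_mismatch", audit: false };
  }

  // Module enablement is checked independently of scopes: a support:write
  // token still cannot call Support tools in a workspace without Support.
  if (!workspace.enabledModules.has(tool.module)) {
    return { allowed: false, reason: "module_disabled", audit: false };
  }

  const missing = tool.requiredScopes.filter((s) => !token.scopes.has(s));
  if (missing.length > 0) {
    return { allowed: false, reason: "missing_scope", missing, audit: false };
  }

  // *:write scopes always produce audit events.
  const audit = tool.requiredScopes.some((s) => s.endsWith(":write"));
  return { allowed: true, audit };
}

// Smallest scope set for an agent workflow: the union of what its tools
// declare, and nothing more.
function minimalScopesFor(toolNames: string[]): Scope[] {
  const scopes = new Set<Scope>();
  for (const name of toolNames) {
    const tool = TOOLS[name];
    if (!tool) throw new Error(`unknown tool: ${name}`);
    tool.requiredScopes.forEach((s) => scopes.add(s));
  }
  return Array.from(scopes).sort();
}
```

The order of checks matters for what a caller learns: module state and workspace identity are settled before any scope is compared, so a token cannot probe which scopes a disabled module would accept.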
OAuth MCP grants
Hosted OAuth MCP access starts from the signed-in user's Slab5 workspace role. Workspace owners and admins can optionally add an explicit OAuth MCP grant for a specific OAuth subject from the MCP Clients page.
Explicit OAuth grants can reduce access but cannot increase it. The effective OAuth MCP scopes are the intersection of the user's workspace role scopes, the grant scopes when a grant exists, and OAuth token permissions when the token includes them.
This lets an admin keep normal console access while limiting a hosted MCP client to the exact scopes needed for a workflow. For example, a user with broad workspace access can grant an OAuth-connected client only crm:read, crm:write, and tasks:write.
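The role mirroring from "Roles and scopes" and the effective-scope intersection from this section, as one added example (illustrative code, not Slab5's own). Role names, scope names, the default-to-member rule and the intersection rule come from this page; the role-to-scope mapping, the function names (`mirrorWorkOSRole`, `canAdministerWorkspace`, `effectiveOAuthScopes`, `ineffectiveGrantScopes`) and the idea of reporting grant scopes the role does not hold are assumptions.

```typescript
// Added example, not Slab5's own code. The ROLE_SCOPES mapping below is an
// illustrative assumption; the real role definitions live in the contracts.

type Scope = string;
type LocalRole = "owner" | "admin" | "member" | "agent" | "readonly";

const LOCAL_ROLES: ReadonlySet<string> = new Set(["owner", "admin", "member", "agent", "readonly"]);

// Unknown WorkOS role slugs default to local member access.
function mirrorWorkOSRole(slug: string): LocalRole {
  return LOCAL_ROLES.has(slug) ? (slug as LocalRole) : "member";
}

// Workspace administration (API keys, MCP clients, module access, renames,
// invitations, MCP auth policy) needs owner or admin membership.
function canAdministerWorkspace(role: LocalRole): boolean {
  return role === "owner" || role === "admin";
}

// Assumed mapping: readonly gets *:read, member/agent add *:write,
// owner/admin additionally hold settings:admin.
const READ_SCOPES: Scope[] = ["crm:read", "support:read", "tasks:read", "activity:read", "audit:read"];
const WRITE_SCOPES: Scope[] = ["crm:write", "support:write", "tasks:write", "activity:write"];
const ROLE_SCOPES: Record<LocalRole, Scope[]> = {
  owner: READ_SCOPES.concat(WRITE_SCOPES, ["settings:admin"]),
  admin: READ_SCOPES.concat(WRITE_SCOPES, ["settings:admin"]),
  member: READ_SCOPES.concat(WRITE_SCOPES),
  agent: READ_SCOPES.concat(WRITE_SCOPES),
  readonly: READ_SCOPES.slice(),
};

function intersect(a: Set<Scope>, b: Set<Scope>): Set<Scope> {
  const out = new Set<Scope>();
  a.forEach((s) => { if (b.has(s)) out.add(s); });
  return out;
}

interface OAuthContext {
  role: LocalRole;
  grantScopes?: Scope[];       // explicit OAuth MCP grant, when one exists
  tokenPermissions?: Scope[];  // permissions carried in the OAuth token, when present
}

// Effective scopes = role scopes, intersected with the grant scopes when a
// grant exists, intersected with token permissions when the token has them.
// Each extra set can only narrow the result; nothing outside the role survives.
function effectiveOAuthScopes(ctx: OAuthContext): Scope[] {
  let effective = new Set<Scope>(ROLE_SCOPES[ctx.role]);
  if (ctx.grantScopes !== undefined) effective = intersect(effective, new Set(ctx.grantScopes));
  if (ctx.tokenPermissions !== undefined) effective = intersect(effective, new Set(ctx.tokenPermissions));
  return Array.from(effective).sort();
}

// Scopes a grant asked for that the role does not hold. Worth surfacing on the
// MCP Clients page so an admin sees that the grant cannot increase access.
function ineffectiveGrantScopes(role: LocalRole, grantScopes: Scope[]): Scope[] {
  const held = new Set<Scope>(ROLE_SCOPES[role]);
  return grantScopes.filter((s) => !held.has(s)).sort();
}
```

With this shape, the page's example (a user with broad workspace access granting a client only crm:read, crm:write, and tasks:write) reduces to `effectiveOAuthScopes({ role: "admin", grantScopes: [...] })`, and a readonly user who is granted crm:write ends up with crm:read only.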
Destructive actions
Account and workspace deletion require explicit control-plane authorization and typed confirmation. Slab5 uses soft-delete or archive behavior where the schema supports it, and revokes credentials, MCP clients, workspace grants, and memberships before removing active access.
Owned Team deletion archives the team tenant and its local Slab5 access artifacts. Leaving a Team where the user is only a member removes the user's local membership without archiving the Team.
Workspace deletion is limited to users with owner/admin-level workspace administration. Member and readonly users do not see the workspace delete action.
Permissions and scopes table
The table below is rendered from the shared contract files. If a tool or route changes behavior, update packages/shared/contracts first and let the docs reflect the new contract.
Module scope inventory
| Module | Resources | Scopes | Status |
|---|---|---|---|
| Activity Log (`activity_log`) | activities | activity:read, activity:write | MVP |
| Tasks (`tasks`) | tasks | tasks:read, tasks:write | MVP |
| CRM (`crm`) | leads, lead_conversions, contacts, companies, deal_stages, deals, notes, invoices, payments, accounting_accounts, accounting_journal_entries | crm:read, crm:write | MVP |
| Support (`support`) | support_queues, support_tickets, support_ticket_messages, support_ticket_comments | support:read, support:write | MVP |
| CMS (`cms`) | sites, collections, entries, revisions, marketing_campaigns, marketing_posts | cms:read, cms:write | MVP |
| Files, Media, and Content Storage (`assets`) | assets | assets:read, assets:write | MVP |
| Webhooks, Events, and Integrations (`integrations`) | integration_event_types, webhook_endpoints, webhook_deliveries | integrations:read, integrations:write | MVP |
| Analytics Governance (`analytics_governance`) | events, properties, tracking_plans | analytics:read, analytics:write | MVP |
| Product Analytics and BI (`product_analytics_bi`) | bi_dashboards, bi_reports, bi_datasets, bi_metrics, bi_queries, bi_exports, bi_scheduled_artifacts | bi:read, bi:write | Experimental |
Tool and API scope map
| Module | MCP tool | API route | Required scopes | Status |
|---|---|---|---|---|
| CRM | `create_contact`: Create a CRM contact in the current workspace. | POST /v1/contacts | crm:write | MVP |
| CRM | `search_contacts`: Search contacts by name, email, company, or free-text query. | GET /v1/contacts | crm:read | MVP |
| CRM | `create_company`: Create a company account in the CRM module. | POST /v1/companies | crm:write | MVP |
| CRM | `search_companies`: Search company accounts by name, domain, or free-text query. | GET /v1/companies | crm:read | MVP |
| CRM | `create_lead`: Create a CRM lead before it is converted into a contact, company, or deal. | POST /v1/leads | crm:write | MVP |
| CRM | `list_leads`: List leads by status, source, search text, or custom field. | GET /v1/leads | crm:read | MVP |
| CRM | `convert_lead`: Convert a lead into contact, company, and optionally deal records. | POST /v1/leads/{lead_id}/convert | crm:write | MVP |
| CRM | `create_deal_stage`: Create a custom deal stage for the workspace pipeline. | POST /v1/deal-stages | crm:write | MVP |
| CRM | `list_deal_stages`: List workspace deal stages, including custom stages. | GET /v1/deal-stages | crm:read | MVP |
| CRM | `create_deal`: Create a deal associated with a company or contact. | POST /v1/deals | crm:write | MVP |
| CRM | `update_deal_stage`: Move an existing deal to a new pipeline stage. Deprecated in favor of `update_deal`. | PATCH /v1/deals/{deal_id} | crm:write | Deprecated |
| CRM | `update_deal`: Update deal stage, amount, or currency. | PATCH /v1/deals/{deal_id} | crm:write | MVP |
| CRM | `create_invoice`: Create an invoice with product or service line items. | POST /v1/invoices | crm:write | MVP |
| CRM | `list_invoices`: List invoices by status, customer, deal, or custom field. | GET /v1/invoices | crm:read | MVP |
| CRM | `record_payment`: Record a payment against an invoice. | POST /v1/payments | crm:write | MVP |
| CRM | `create_accounting_account`: Create a basic chart-of-accounts account. | POST /v1/accounting/accounts | crm:write | MVP |
| CRM | `list_accounting_accounts`: List chart-of-accounts records. | GET /v1/accounting/accounts | crm:read | MVP |
| CRM | `create_journal_entry`: Create a balanced accounting journal entry. | POST /v1/accounting/journal-entries | crm:write | MVP |
| CRM | `list_journal_entries`: List accounting journal entries. | GET /v1/accounting/journal-entries | crm:read | MVP |
| Tasks | `create_task`: Create a task for a user, agent, contact, company, or deal. | POST /v1/tasks | tasks:write | MVP |
| Tasks | `list_tasks`: List tasks by status, assignee, due date, or related resource. | GET /v1/tasks | tasks:read | MVP |
| Tasks | `complete_task`: Mark a task complete in the current workspace. Deprecated in favor of `update_task`. | PATCH /v1/tasks/{task_id} | tasks:write | Deprecated |
| Tasks | `update_task`: Update a task status, including canceling or reopening it. | PATCH /v1/tasks/{task_id} | tasks:write | MVP |
| Activity Log | `log_activity`: Record a workspace activity such as a note, call, email, meeting, or agent action. | POST /v1/activities | activity:write | MVP |
| Activity Log | `search_activity`: Search activity records by text, type, date, or related resource. | GET /v1/activities | activity:read | MVP |
| Support | `create_support_queue`: Create a support queue or inbox with default assignment and SLA targets. | POST /v1/support/queues | support:write | MVP |
| Support | `list_support_queues`: List support queues by status, search text, or custom field. | GET /v1/support/queues | support:read | MVP |
| Support | `create_support_ticket`: Create a support ticket linked to customers, CRM records, invoices, and SLA targets. | POST /v1/support/tickets | support:write | MVP |
| Support | `list_support_tickets`: List support tickets by status, priority, queue, owner, customer links, search text, or custom field. | GET /v1/support/tickets | support:read | MVP |
| Support | `update_support_ticket`: Update support ticket status, priority, queue, assignment, tags, category, SLA targets, or custom fields. | PATCH /v1/support/tickets/{ticket_id} | support:write | MVP |
| Support | `add_support_ticket_message`: Add an inbound, outbound, or internal message to a support ticket conversation. | POST /v1/support/tickets/{ticket_id}/messages | support:write | MVP |
| Support | `list_support_ticket_messages`: List conversation messages for a support ticket. | GET /v1/support/tickets/{ticket_id}/messages | support:read | MVP |
| Support | `add_support_ticket_comment`: Add an internal note or pinned comment to a support ticket. | POST /v1/support/tickets/{ticket_id}/comments | support:write | MVP |
| Support | `list_support_ticket_comments`: List internal comments and notes for a support ticket. | GET /v1/support/tickets/{ticket_id}/comments | support:read | MVP |
| CMS | `create_collection`: Create a CMS collection that defines a content type for entries. | POST /v1/cms/collections | cms:write | MVP |
| CMS | `create_cms_site`: Create a website or marketing site managed by the CMS. | POST /v1/cms/sites | cms:write | MVP |
| CMS | `list_cms_sites`: List CMS-managed websites. | GET /v1/cms/sites | cms:read | MVP |
| CMS | `create_entry`: Create a CMS entry in a collection. | POST /v1/cms/entries | cms:write | MVP |
| CMS | `search_entries`: Search CMS entries by collection, status, title, or free-text query. | GET /v1/cms/entries | cms:read | MVP |
| CMS | `update_entry_status`: Move a CMS entry between draft, review, published, and archived states. Deprecated in favor of `update_entry`. | PATCH /v1/cms/entries/{entry_id} | cms:write | Deprecated |
| CMS | `update_entry`: Update a CMS entry title, fields, or publishing status and create a revision. | PATCH /v1/cms/entries/{entry_id} | cms:write | MVP |
| CMS | `create_marketing_campaign`: Create a marketing campaign for website, blog, email, social, or paid channels. | POST /v1/marketing/campaigns | cms:write | MVP |
| CMS | `list_marketing_campaigns`: List marketing campaigns by status, channel, or custom field. | GET /v1/marketing/campaigns | cms:read | MVP |
| CMS | `create_marketing_post`: Create a social, blog, email, or website marketing post linked to an optional campaign or CMS entry. | POST /v1/marketing/posts | cms:write | MVP |
| CMS | `list_marketing_posts`: List marketing posts by channel, status, campaign, or custom field. | GET /v1/marketing/posts | cms:read | MVP |
| Files, Media, and Content Storage | `create_asset_upload_intent`: Register workspace asset metadata and create a signed upload URL. | POST /v1/assets | assets:write | MVP |
| Files, Media, and Content Storage | `complete_asset_upload`: Mark an uploaded workspace asset as available after the client uploads the object to the signed URL. | POST /v1/assets/{asset_id}/complete | assets:write | MVP |
| Files, Media, and Content Storage | `search_assets`: Search workspace asset metadata by text, type, status, or linked resource. | GET /v1/assets | assets:read | MVP |
| Files, Media, and Content Storage | `get_asset_download_url`: Retrieve asset metadata with a signed download URL. | GET /v1/assets/{asset_id} | assets:read | MVP |
| Files, Media, and Content Storage | `archive_asset`: Archive an asset in the current workspace without deleting its metadata. | DELETE /v1/assets/{asset_id} | assets:write | MVP |
| Analytics Governance | `define_event`: Define an analytics event in the workspace tracking plan. | POST /v1/analytics/events | analytics:write | MVP |
| Analytics Governance | `list_events`: List analytics event definitions in the workspace tracking plan. | GET /v1/analytics/events | analytics:read | MVP |
| Analytics Governance | `define_property`: Define a reusable analytics property for the tracking plan. | POST /v1/analytics/properties | analytics:write | MVP |
| Analytics Governance | `validate_event`: Validate an event payload against the workspace tracking plan. | POST /v1/analytics/events/validate | analytics:read | MVP |
| Webhooks, Events, and Integrations | `list_integration_event_types`: List subscribable integration and webhook event types. | GET /v1/integrations/events | integrations:read | MVP |
| Webhooks, Events, and Integrations | `register_integration_event_type`: Register a workspace-specific integration event type. | POST /v1/integrations/events | integrations:write | MVP |
| Webhooks, Events, and Integrations | `create_webhook_endpoint`: Create a signed webhook endpoint subscription. | POST /v1/webhooks | integrations:write | MVP |
| Webhooks, Events, and Integrations | `list_webhook_endpoints`: List workspace webhook endpoint subscriptions. | GET /v1/webhooks | integrations:read | MVP |
| Webhooks, Events, and Integrations | `update_webhook_endpoint`: Update webhook endpoint configuration or lifecycle state. | PATCH /v1/webhooks/{webhook_id} | integrations:write | MVP |
| Webhooks, Events, and Integrations | `send_test_webhook_event`: Queue a signed test delivery for a webhook endpoint. | POST /v1/webhooks/{webhook_id}/test | integrations:write | MVP |
| Webhooks, Events, and Integrations | `list_webhook_deliveries`: List webhook delivery attempts and retry state. | GET /v1/webhooks/{webhook_id}/deliveries | integrations:read | MVP |
| Product Analytics and BI | `list_bi_dashboards`: List Product Analytics and BI dashboards in the current workspace. | GET /v1/bi/dashboards | bi:read | Experimental |
| Product Analytics and BI | `create_bi_dashboard`: Create a local, provider-neutral BI dashboard definition. | POST /v1/bi/dashboards | bi:write | Experimental |
| Product Analytics and BI | `list_bi_reports`: List BI reports, optionally filtered by dashboard or dataset. | GET /v1/bi/reports | bi:read | Experimental |
| Product Analytics and BI | `create_bi_report`: Create a local BI report definition linked to optional dashboard and dataset records. | POST /v1/bi/reports | bi:write | Experimental |
| Product Analytics and BI | `list_bi_datasets`: List local BI dataset definitions. | GET /v1/bi/datasets | bi:read | Experimental |
| Product Analytics and BI | `create_bi_dataset`: Create a provider-neutral dataset definition using local/mock metadata. | POST /v1/bi/datasets | bi:write | Experimental |
| Product Analytics and BI | `list_bi_metrics`: List workspace BI metric definitions. | GET /v1/bi/metrics | bi:read | Experimental |
| Product Analytics and BI | `create_bi_metric`: Create a workspace BI metric expression. | POST /v1/bi/metrics | bi:write | Experimental |
| Product Analytics and BI | `run_bi_query`: Run a BI query or built-in workspace dataset and optionally persist the query definition. | POST /v1/bi/queries/run | bi:write | Experimental |
| Product Analytics and BI | `create_bi_export`: Create a BI export artifact for a query or report. | POST /v1/bi/exports | bi:write | Experimental |
| Product Analytics and BI | `update_bi_object`: Update editable BI object metadata within the current workspace. | PATCH /v1/bi/{collection}/{id} | bi:write | Experimental |
| Product Analytics and BI | `archive_bi_object`: Archive a BI object in the current workspace. Export artifacts are expired. | DELETE /v1/bi/{collection}/{id} | bi:write | Experimental |
| Workspace | `get_workspace_assistant_summary`: Return safe workspace metadata summaries for the Workspace Assistant without exposing raw customer-owned content. | GET /v1/assistants/workspace/summary | data_agents:read | Available |
| Workspace | `create_workspace_assistant_run`: Run the billable Workspace Assistant against safe workspace metadata and summaries, recording AgentGrid logs, retrieval/tool records, cost events, and credit usage. | POST /v1/assistants/workspace/runs | data_agents:write | Available |
| Workspace | `create_slab5_guide_session`: Create a ChatKit-ready Slab5 Guide support session descriptor backed by Slab5-owned knowledge. | POST /v1/assistants/slab5-guide/sessions | data_agents:read | Available |
| Workspace | `get_workspace_summary`: Return workspace metadata, enabled modules, and high-level usage context. | GET /v1/workspace | crm:read, support:read, tasks:read, activity:read, cms:read, assets:read, integrations:read, analytics:read, bi:read | MVP |
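Because the tables are rendered from the shared contract files, drift between the scope inventory and the tool map is the thing to catch in CI. The following is an added example of such a consistency check; it is not Slab5's own tooling, and the record shape (`ModuleInventory`, `ToolRow`, `lintContracts`) is an assumption since the page does not show the format of packages/shared/contracts. The rows are a constructed subset of the tables above. Run over the full tables, a check like this would also surface the Workspace rows that require data_agents:read and data_agents:write, scopes that the module scope inventory above does not list, for someone to confirm whether the inventory or the rows should change.

```typescript
// Added example, not Slab5's own code: a contract consistency check over
// constructed rows shaped like the tables above. Types are assumptions.

interface ModuleInventory { slug: string; scopes: string[] }
interface ToolRow { module: string; tool: string; route: string; requiredScopes: string[]; status: string }

// Constructed subset of the module scope inventory.
const INVENTORY: ModuleInventory[] = [
  { slug: "crm", scopes: ["crm:read", "crm:write"] },
  { slug: "tasks", scopes: ["tasks:read", "tasks:write"] },
  { slug: "assets", scopes: ["assets:read", "assets:write"] },
];

// Constructed subset of the tool and API scope map.
const TOOL_ROWS: ToolRow[] = [
  { module: "crm", tool: "search_contacts", route: "GET /v1/contacts", requiredScopes: ["crm:read"], status: "MVP" },
  { module: "crm", tool: "create_contact", route: "POST /v1/contacts", requiredScopes: ["crm:write"], status: "MVP" },
  { module: "crm", tool: "update_deal_stage", route: "PATCH /v1/deals/{deal_id}", requiredScopes: ["crm:write"], status: "Deprecated" },
  { module: "crm", tool: "update_deal", route: "PATCH /v1/deals/{deal_id}", requiredScopes: ["crm:write"], status: "MVP" },
  { module: "assets", tool: "archive_asset", route: "DELETE /v1/assets/{asset_id}", requiredScopes: ["assets:write"], status: "MVP" },
];

function lintContracts(inventory: ModuleInventory[], rows: ToolRow[]): string[] {
  const findings: string[] = [];
  const scopesByModule = new Map<string, Set<string>>();
  for (const m of inventory) scopesByModule.set(m.slug, new Set(m.scopes));

  for (const row of rows) {
    const method = row.route.split(" ")[0];
    const moduleScopes = scopesByModule.get(row.module);

    // Every tool and route declares at least one scope.
    if (row.requiredScopes.length === 0) {
      findings.push(`${row.tool}: declares no required scopes`);
    }

    // Declared scopes must exist in the module's inventory, or the docs and
    // the enforcement layer have drifted apart.
    if (!moduleScopes) {
      findings.push(`${row.tool}: module ${row.module} is not in the scope inventory`);
    } else {
      for (const s of row.requiredScopes) {
        if (!moduleScopes.has(s)) findings.push(`${row.tool}: scope ${s} is not in the ${row.module} inventory`);
      }
    }

    // A GET route is read-only and must not demand a *:write scope.
    if (method === "GET" && row.requiredScopes.some((s) => s.endsWith(":write"))) {
      findings.push(`${row.tool}: GET route requires a :write scope`);
    }

    // A deprecated tool must still have a non-deprecated tool on the same
    // route, so clients can migrate without losing the capability.
    if (row.status === "Deprecated") {
      const replaced = rows.some((r) => r !== row && r.route === row.route && r.status !== "Deprecated");
      if (!replaced) findings.push(`${row.tool}: deprecated with no replacement on ${row.route}`);
    }
  }
  return findings;
}
```

An empty findings list means the constructed rows agree with the constructed inventory; each finding names the tool so the contract file, not the docs, is what gets edited first.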
