Security and access

Blobify access control is organization-based and space-aware.

Every member and API key is scoped by:

  • role
  • spaces

The permission model is intentionally simple so teams and automation use the same mental model.

Members

Members are scoped by:

  • role
  • spaces

API keys

API keys are scoped by:

  • role
  • spaces

High-level rules

Admin-only

  • org settings
  • S3 config
  • invites
  • member management
  • dangerous org actions

Editor-or-higher

  • content create, update, publish, unpublish, archive, restore, and permanent delete from the archive
  • asset create, update, delete

Developer-or-admin required

  • model and block changes
  • schema import
  • rebuild operations
  • routing publish
  • API key management
  • webhook management

Notes

  • Space-scoped routes validate the requested spaceId.
  • API keys and members follow the same role and space model.
  • Schema management is role-based through developer and admin.
  • Viewer access is read-only. Content and asset mutations require editor or higher.