Security & Access
Blobify access control is organization-based and space-aware.
Every member and API key is scoped by:
- role
- spaces
The permission model is intentionally simple so teams and automation use the same mental model.
Members
Members are scoped by:
- role
- spaces
API keys
API keys are scoped by:
- role
- spaces
High-level rules
Admin-only
- org settings
- S3 config
- invites
- member management
- API key management
- dangerous org actions
- webhook management
Editor-or-higher
- content create, update, publish, unpublish, delete
- asset create, update, delete
Developer-or-admin required
- model and block changes
- schema import
- rebuild operations
- routing publish
Notes
- Space-scoped routes validate the requested spaceId.
- API keys and members follow the same role and space model.
- Schema management is role-based through developer and admin.
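
The rules above can be expressed as a deny-by-default check that treats members and API keys identically. This is an added example, not Blobify's own code: the action names, the principal shape, the reading of "editor-or-higher" as editor, developer and admin, and the choice of which actions are space-scoped are all assumptions.

```javascript
// Added illustration, not Blobify code. Action names, principal shape and the
// spaceScoped flags are assumptions; only the role groupings come from the page.
const RULES = {
  // Admin-only (assumed org-level, so no space check)
  "org.settings.update": { roles: ["admin"], spaceScoped: false },
  "apikey.manage":       { roles: ["admin"], spaceScoped: false },
  "webhook.manage":      { roles: ["admin"], spaceScoped: false },
  // Editor-or-higher (assumed to mean editor, developer, admin)
  "content.publish":     { roles: ["editor", "developer", "admin"], spaceScoped: true },
  "asset.delete":        { roles: ["editor", "developer", "admin"], spaceScoped: true },
  // Developer-or-admin required
  "schema.import":       { roles: ["developer", "admin"], spaceScoped: true },
  "routing.publish":     { roles: ["developer", "admin"], spaceScoped: true },
};

// Members and API keys share one shape: { role, spaces }.
// Anything not explicitly allowed is denied, with a reason suitable for audit logs.
function authorize(principal, action, spaceId) {
  // Own-property lookup so "__proto__" or "constructor" never match a rule.
  const known = Object.prototype.hasOwnProperty.call(RULES, action);
  if (!known) return { allowed: false, reason: "unknown_action" };
  const rule = RULES[action];

  if (!principal || !rule.roles.includes(principal.role)) {
    return { allowed: false, reason: "role" };
  }
  if (rule.spaceScoped) {
    // The requested spaceId is validated, never inferred from the principal.
    if (typeof spaceId !== "string" || spaceId === "") {
      return { allowed: false, reason: "missing_space" };
    }
    const spaces = Array.isArray(principal.spaces) ? principal.spaces : [];
    if (!spaces.includes(spaceId)) return { allowed: false, reason: "space" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed principals for demonstration.
const editorKey = { kind: "apiKey", role: "editor", spaces: ["space_blog"] };
const devMember = { kind: "member", role: "developer", spaces: ["space_blog", "space_docs"] };

console.log(authorize(editorKey, "content.publish", "space_blog")); // allowed
console.log(authorize(editorKey, "content.publish", "space_docs")); // denied: space
console.log(authorize(devMember, "apikey.manage"));                 // denied: role
```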