Use this guide when a machine caller needs to inspect or replace direct permissions for projects, vaults, vault items, or other permission-managed assets.
The machine API already supports these flows. The missing piece was public documentation coverage.
machine.permissions.read / machine.permissions.writeADMIN access to the target assetTENANT_AGENT_MANAGER plus machine.agent.* so it can create or manage the child agent firstThe machine permissions routes accept these assetType values today:
PROJECTVAULTVAULT_ITEMLICENSE_INSTANCEENCRYPTION_KEYProject, vault, and vault-item permissions are the most common automation cases and are the focus of this guide.
| Endpoint | Method | Purpose |
|---|---|---|
/api/v1/machine/permissions/:id/access | GET | Inspect the current caller's effective access to one asset |
/api/v1/machine/permissions/:assetType/warning-message | GET | Read asset-type-specific permission caveats |
/api/v1/machine/permissions/security-groups | GET | List tenant security groups you can assign |
/api/v1/machine/permissions/tenant-members | GET | List tenant members you can assign |
/api/v1/machine/permissions/projects | GET | List projects for permission targets |
/api/v1/machine/permissions/agents | GET | List agents for permission targets |
/api/v1/machine/permissions/:assetType/:id/permissions | GET | Read the direct permission rows for one asset |
/api/v1/machine/permissions/:assetType/:id/resolved-access | GET | Read effective access including inherited sources |
/api/v1/machine/permissions/:assetType/:id/set-permissions | POST | Replace the direct permission rows for one asset |
set-permissions| Field | Type | Required | Description |
|---|---|---|---|
permissions | array | Yes | Complete replacement list of direct permission rows |
emailAlert | boolean | No | Whether to send an email alert for the share change |
Each permission entry uses:
| Field | Type | Required | Description |
|---|---|---|---|
id | string | Yes | Target entity ID |
name | string | Yes | Display name |
type | string | Yes | One of user, securityGroup, project, or agent |
avatar | number | null | No | Optional avatar identifier |
isDefault | boolean | null | No | Optional default-group flag |
access | string | Yes | READ, WRITE, or ADMIN |
set-permissions replaces the full direct-permission list. Include every row you want to keep.
Projects, vaults, and vault items all use the same request shape now. Submit the full replacement permissions array plus optional emailAlert.
curl -X POST "https://r4.dev/api/v1/machine/permissions/PROJECT/PROJECT_ID/set-permissions" \
-H "X-API-Key: YOUR_MACHINE_KEY" \
-H "Content-Type: application/json" \
-d '{
"permissions": [
{
"id": "MASTER_AGENT_ID",
"name": "Master Agent",
"type": "agent",
"avatar": null,
"isDefault": null,
"access": "ADMIN"
},
{
"id": "CHILD_AGENT_ID",
"name": "Child Agent",
"type": "agent",
"avatar": null,
"isDefault": null,
"access": "READ"
}
],
"emailAlert": false
}'Inspect the current direct rows:
curl "https://r4.dev/api/v1/machine/permissions/PROJECT/PROJECT_ID/permissions" \
-H "X-API-Key: YOUR_MACHINE_KEY"Inspect effective access, including inherited sources:
curl "https://r4.dev/api/v1/machine/permissions/PROJECT/PROJECT_ID/resolved-access" \
-H "X-API-Key: YOUR_MACHINE_KEY"Vault permission changes now use the same direct replacement payload as project permissions.
curl -X POST "https://r4.dev/api/v1/machine/permissions/VAULT/VAULT_ID/set-permissions" \
-H "X-API-Key: YOUR_MACHINE_KEY" \
-H "Content-Type: application/json" \
-d '{
"permissions": [
{
"id": "MASTER_AGENT_ID",
"name": "Master Agent",
"type": "agent",
"avatar": null,
"isDefault": null,
"access": "ADMIN"
},
{
"id": "CHILD_AGENT_ID",
"name": "Child Agent",
"type": "agent",
"avatar": null,
"isDefault": null,
"access": "READ"
}
],
"emailAlert": false
}'Vault-item permissions use the same route pattern and the same direct replacement request body as vault and project permissions:
POST /api/v1/machine/permissions/VAULT_ITEM/:id/set-permissionsImportant caveat:
You can read that caveat programmatically through:
curl "https://r4.dev/api/v1/machine/permissions/VAULT_ITEM/warning-message" \
-H "X-API-Key: YOUR_MACHINE_KEY"Example vault-item permission update:
curl -X POST "https://r4.dev/api/v1/machine/permissions/VAULT_ITEM/VAULT_ITEM_ID/set-permissions" \
-H "X-API-Key: YOUR_MACHINE_KEY" \
-H "Content-Type: application/json" \
-d '{
"permissions": [
{
"id": "CHILD_AGENT_ID",
"name": "Child Agent",
"type": "agent",
"avatar": null,
"isDefault": null,
"access": "READ"
}
],
"emailAlert": false
}'Unlike other asset types, VAULT_ITEM direct permissions can be set to an empty array when you need to remove item-only direct grants and rely only on inherited parent-vault access.
These helper endpoints are useful when your runtime needs to build or validate a new permission set before calling set-permissions:
GET /api/v1/machine/permissions/security-groupsGET /api/v1/machine/permissions/tenant-membersGET /api/v1/machine/permissions/projectsGET /api/v1/machine/permissions/agentsset-permissionsFor agent creation and lifecycle operations, see Agent Orchestration.