Ask HN: Roles as Endpoints or Scoped Roles for an API?

1 points by crisopolis ↗ HN
Hi, I'm creating an API and wanting some suggestions or feedback on how roles should be addressed. Currently the system has four roles (responder, dispatcher, regionaladmin, admin). They all have access to only specific portions of the API.

Example of Roles as Endpoints:

Responders can get events (assigned to them) but not post.

  GET  /v1/responders/events
Dispatchers can get and post events

  GET  /v1/dispatchers/events
  POST /v1/dispatchers/events
Example of Scoped Roles:

  GET  /v1/events
  POST /v1/events
JSON Web Token with Scopes:

  Dispatcher
    {scopes: [events:read, events:create]}

  Responder
    {scopes: [events:read]}
Which one of these would be better or more flexible?

1 comment

[ 323 ms ] story [ 1349 ms ] thread
Design wise, I would definitely go with scopes. You would have one common API, just different requirements to make the calls.

OT: You got me curious how all this works under the hood now.