Ask HN: Roles as Endpoints or Scoped Roles for an API?
Hi, I'm creating an API and wanting some suggestions or feedback on how roles should be addressed. Currently the system has four roles (responder, dispatcher, regionaladmin, admin). They all have access to only specific portions of the API.
Example of Roles as Endpoints:
Responders can get events (assigned to them) but not post.
GET /v1/responders/events
Dispatchers can get and post events GET /v1/dispatchers/events
POST /v1/dispatchers/events
Example of Scoped Roles: GET /v1/events
POST /v1/events
JSON Web Token with Scopes: Dispatcher
{scopes: [events:read, events:create]}
Responder
{scopes: [events:read]}
Which one of these would be better or more flexible?
1 comment
[ 323 ms ] story [ 1349 ms ] threadOT: You got me curious how all this works under the hood now.