Access reference
WarmHub access composes from your org role and the scopes that narrow it. Your role sets the ceiling on what you can do; a personal access token’s scopes narrow a token to a subset of that ceiling; and an org admin can attach member scope overrides that narrow a member below their role on a given org or repo. A request is allowed only when your role permits it and every scope layer that applies to it covers it. This page is the canonical map of role → capability, scope → capability, and task → minimum scope.
Roles and capabilities
Every member of an org has one role: viewer, editor, admin, or owner. Roles are cumulative — each includes everything the one before it can do. This table answers “what can an admin do that an editor can’t?”:
| Capability | viewer | editor | admin | owner |
|---|---|---|---|---|
| Read repositories, things, assertions, and shapes (repo:read) | ✓ | ✓ | ✓ | ✓ |
| Read the org profile, members, and installed components (org:read) | ✓ | ✓ | ✓ | ✓ |
| Write — create, update, and rename things and shapes (repo:write) | | ✓ | ✓ | ✓ |
| Configure repos — subscriptions, credentials, actions, notifications, repo settings (repo:configure) | | | ✓ | ✓ |
| Administer repos — delete, archive, change visibility (repo:admin) | | | ✓ | ✓ |
| Configure the org — create repos, manage members, org settings, install components (org:configure) | | | ✓ | ✓ |
| Administer the org — rename, archive (org:admin) | | | | ✓ |
Owner and admin grant the same repository access; they differ only at the org level — only an owner can rename or archive the org. Member management has one further owner-only carve-out within org:configure: only an owner can assign or remove the owner role, and the last owner can’t be removed or demoted. Admins manage all other members and roles.
Scopes and what they grant
A token scope binds a resource to one or more of these permissions. Scopes are independent — repo:write does not include repo:read — and can only narrow access, never raise it above your role.
| Scope | Grants |
|---|---|
| repo:read | Read repositories, queries, things, and shapes |
| repo:write | Writes, shape mutations, and thing/shape renames |
| repo:configure | Subscriptions, credentials, action runs, notifications, and repo settings |
| repo:admin | Delete, archive, and change repository visibility |
| org:read | Read the org profile and members, see installed components, and list the org’s repositories — including private ones — in org-level views; reading a repo’s contents still needs repo:read |
| org:configure | Create repos, manage members and org settings, and install and manage components |
| org:admin | Rename and archive the org |
Minimum scope by task
The minimum scope a token needs for each common task. Anything not listed for a scope is not covered by it — request the narrowest scope that covers your task.
| Task | Minimum scope |
|---|---|
| Read things, assertions, shapes, or write history | repo:read |
| Submit a write (create or rename things and shapes) | repo:write |
| Read notifications | repo:configure |
| Create, update, pause, or remove a subscription | repo:configure |
| Read, lease, or deliver actions | repo:configure |
| Manage credentials — create, bind, grant, revoke | repo:configure |
| Rename a repo or change its settings | repo:configure |
| Delete, archive, or change a repo’s visibility | repo:admin |
| Read an org profile or list its members | org:read |
| Read installed components | org:read |
| Create a repo in an org | org:configure |
| Add, remove, or change a member’s role (assigning or removing owner requires owner) | org:configure |
| Install or manage a component | org:configure |
| Change org settings | org:configure |
| Rename or archive an org | org:admin |
Scopes are checked against your role: a token can carry repo:write, but the write still fails if your role is viewer. Use the role:<name> shorthand to mint a token that mirrors a whole role at once.
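A small model of the layering described on this page, added here as an illustration and not WarmHub's own code: the role sets the ceiling, a token's scopes narrow it, and a member override narrows it further on one resource. The function names, the resource strings, the dict shapes, and exact-name resource matching are assumptions made for the example.

```python
# Added model of the access layering on this page; not WarmHub's implementation.
_TIERS = [  # permissions each role adds over the previous one (role table above)
    ("viewer", {"repo:read", "org:read"}),
    ("editor", {"repo:write"}),
    ("admin", {"repo:configure", "repo:admin", "org:configure"}),
    ("owner", {"org:admin"}),
]
ROLE_PERMS = {}
_acc = set()
for _name, _added in _TIERS:
    _acc = _acc | _added                 # roles are cumulative
    ROLE_PERMS[_name] = frozenset(_acc)


def expand(scopes):
    """Expand the role:<name> shorthand; any other scope stands only for itself."""
    out = set()
    for scope in scopes:
        if scope.startswith("role:"):
            out |= ROLE_PERMS[scope[len("role:"):]]
        else:
            out.add(scope)               # repo:write does NOT imply repo:read
    return out


def decide(role, permission, resource, token=None, overrides=None):
    """Return (allowed, deciding_layer).

    token and overrides map a resource name to a list of scopes.
    Assumptions (hypothetical): resources match by exact name, a token layer
    applies to every request made with that token, and a member override
    applies only to the resource it is attached to.
    """
    if permission not in ROLE_PERMS[role]:
        return False, "role"             # the ceiling
    if token is not None and permission not in expand(token.get(resource, ())):
        return False, "token"            # token scopes narrow the role
    scoped = overrides.get(resource) if overrides else None
    if scoped is not None and permission not in set(scoped):
        return False, "override"         # admin-attached narrowing
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a viewer holding a token that carries repo:write.
    print(decide("viewer", "repo:write", "acme/data",
                 token={"acme/data": ["repo:write"]}))
```

The second element of the result names the layer that refused the request, which is the first thing to check when a token that "has the scope" still gets denied.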