Roles and Permissions

Role-based access control: OWNER, OPERATIONS, and DEVELOPER roles, permissions matrix, and security challenges.

Roles & Permissions

UrbanPayX uses role-based access control to determine what each team member — or API token — can do. Every authenticated request carries a role, and the API enforces permissions at the endpoint level.


The three roles

RoleDescriptionWho has it
OWNERFull access. Can manage team members, configure security settings, and perform all operations.The account creator. Additional owners can be promoted by an existing owner.
OPERATIONSCan manage OpCos, projects, payments, KYC, and billing. Cannot manage team members or webhook configuration.Team members assigned this role. Also the default role for API key tokens.
DEVELOPERCan manage webhooks, client settings, and view transactions. Cannot create payments or manage KYC.Team members assigned this role. Intended for developers handling integration setup.


Permissions matrix

ActionOWNEROPERATIONSDEVELOPER
OpCos
Create / update / submit OpCoYY
List / view OpCosYYY
Projects
Create / update projectYY
List / view projectsYYY
Payments / Transactions
Generate payment linkYY
Refresh transaction statusYY
Export transactionsYY
List / view transactionsYYY
KYC / Users
Create usersYY
Initiate KYC verificationYY
Update external verification statusYY
Bulk user operationsYY
List / view user KYC statusYYY
Webhooks
Manage webhook subscriptionsYY
Rotate webhook secretYY
Send test webhookYY
View webhook events/subscription/deliveriesYYY
Configuration
Update client settings (/auth/client/settings)YY
Team management
Add / update / delete team membersY
Change member rolesY
Reset member passwordsY
Security / MFA
Rotate API keyYY
Configure client MFA defaultsYY
Manage own MFA (enroll/confirm/disable TOTP, update own MFA settings)YYY
Billing
View invoicesYY
Support tickets
Create / view / reply / close ticketsYYY
Account
View client profile (/auth/client/me)YYY
View own team account (/auth/team/accounts/me)YYY


API key tokens vs dashboard tokens

API key token (POST /api/v1/auth/api-token)Dashboard token (POST /api/v1/auth/login)
Actor typeclient_api (default)client_user
RoleDefault: developer. If a valid dashboard bearer token is also provided, role is inherited from that account.Role of logged-in team member
Access token TTL7 days30 minutes
Refresh tokenNot issuedIssued (30 days)
MFANot applicableFull MFA support


What happens when you lack permission

If your token role does not have permission for an endpoint, the API returns:

HTTP 403 Forbidden
{
  "detail": "Insufficient permissions for this action"
}

Some endpoints also require a dashboard token specifically (not an API key token):

HTTP 403 Forbidden
{
  "detail": "This action requires a dashboard account token"
}

Sensitive actions and security challenges

Certain high-impact operations require an additional security verification step, regardless of your role. These include:

  • Rotating your API key and secret
  • Adding team members
  • Disabling TOTP

The flow works like this:

1. Request a security code:

POST /api/v1/auth/security/request-code

This sends a one-time code to your email (or you can use your TOTP authenticator app).

2. Include the security headers in the sensitive request:

X-Security-Token: <challenge_token_from_step_1>
X-Security-Code: <the_code_you_received>
X-Security-Method: email   (or "totp" if using authenticator)

Security codes expire after 5 minutes.


Choosing the right role for your team

OWNER — For founders, CTOs, or anyone who needs full control. Every account needs at least one active OWNER (the API prevents deleting or demoting the last one).

OPERATIONS — For team members who handle day-to-day payment operations: creating OpCos, managing users, generating payment links, viewing billing. This is also what your server-to-server integration gets automatically via API key.

DEVELOPER — For engineers setting up the integration: configuring webhooks, updating client settings (callback URL, webhook URL), and monitoring transactions. Developers cannot create payments — that is by design, to separate integration setup from payment operations.


Related guides