
Welcome

The Bedrock API provides a comprehensive authorization and access control system. It enables you to manage subjects (users, API keys, services, agents), scopes (organizational hierarchies), roles, permissions, resources, tags, and fine-grained access control through overrides.

ID Format

All entity IDs use a namespaced UUIDv7 format for easy identification and sorting:
{namespace}_{uuidv7}
| Namespace | Entity |
|---|---|
| subject | Subjects (users, agents, etc.) |
| scope | Scopes |
| scope_type | Scope Types |
| role | Roles |
| permission | Permissions |
| resource | Resources |
| resource_type | Resource Types |
| tag | Tags |
| tag_group | Tag Groups |

You can provide your own IDs when creating entities. This is useful for batch operations where you need to reference entities within the same request.

Core Concepts

How It Works

  1. Subjects are added to Scopes via Memberships
  2. Roles are assigned to Memberships via Role Assignments
  3. Permissions are assigned to Roles via Role Permissions
  4. Resources are created within Scopes with Resource Types
  5. Tags can be applied to resources, subjects, and other entities
  6. Scope Overrides allow fine-tuning inherited roles/permissions at child scopes

Batch Operations

Most create endpoints support batch operations via a /batch suffix. Batch requests:
  • Accept an array of objects
  • Support client-provided IDs for in-batch references
  • Validate ID uniqueness within the batch
  • Return an array of created entities
# Example: Create multiple scopes in one request
curl -X POST 'https://api.example.com/scopes/batch' \
  -H 'Authorization: Bearer YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '[
    {"id": "scope_org", "typeId": "scope_type_org", "name": "Acme"},
    {"id": "scope_team", "typeId": "scope_type_team", "name": "Engineering"}
  ]'
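
The ID format and the in-batch uniqueness rule described above can be checked client-side before a batch is sent. This Python is an added example, not part of the Bedrock API or any SDK: `parse_id`, `check_batch` and the sample IDs are hypothetical and constructed, and it assumes the UUID part is the lowercase hyphenated text form. It checks only the documented `{namespace}_{uuidv7}` form, so the shortened placeholder IDs in this page's curl examples would not pass it.

```python
import uuid

# Namespaces listed in the ID Format table on this page.
NAMESPACES = {"subject", "scope", "scope_type", "role", "permission",
              "resource", "resource_type", "tag", "tag_group"}

def parse_id(entity_id, expect=None):
    """Parse '{namespace}_{uuidv7}' into (namespace, uuid, created_ms)."""
    # Namespaces like scope_type contain '_', so split on the LAST underscore.
    namespace, sep, raw = entity_id.rpartition("_")
    if not sep or namespace not in NAMESPACES:
        raise ValueError(f"unknown namespace in {entity_id!r}")
    if expect is not None and namespace != expect:
        raise ValueError(f"{entity_id!r} is a {namespace} ID, expected {expect}")
    try:
        parsed = uuid.UUID(raw)
    except ValueError:
        raise ValueError(f"malformed UUID in {entity_id!r}") from None
    # Assumption: canonical lowercase form only, so one UUID has one spelling.
    if str(parsed) != raw:
        raise ValueError(f"non-canonical UUID in {entity_id!r}")
    if parsed.version != 7:  # version is None for non-RFC variants
        raise ValueError(f"not a UUIDv7 in {entity_id!r}")
    # UUIDv7 stores Unix time in milliseconds in its top 48 bits.
    return namespace, parsed, parsed.int >> 80

def check_batch(items, expect):
    """Return problems found in the client-provided IDs of a /batch payload."""
    problems, seen = [], set()
    for index, item in enumerate(items):
        entity_id = item.get("id")
        if entity_id is None:  # assumption: IDs are optional on create
            continue
        try:
            parse_id(entity_id, expect)
        except ValueError as exc:
            problems.append(f"[{index}] {exc}")
            continue
        if entity_id in seen:
            problems.append(f"[{index}] duplicate ID {entity_id!r}")
        seen.add(entity_id)
    return problems

# Constructed sample payload: a valid scope ID, a repeat, a wrong namespace.
SAMPLE = [
    {"id": "scope_018bcfe5-6800-7000-8000-000000000001", "name": "Acme"},
    {"id": "scope_018bcfe5-6800-7000-8000-000000000001", "name": "Engineering"},
    {"id": "scope_type_018bcfe5-6800-7000-8000-000000000002", "name": "Ops"},
]
```

Because a UUIDv7 carries its creation time in its top 48 bits, these IDs disclose when an entity was created and should be treated as identifiers, not secrets.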

Authentication

All API endpoints require Bearer token authentication.
curl -X GET 'https://api.example.com/subjects/sub_123' \
  -H 'Authorization: Bearer YOUR_TOKEN'

Base URL

https://api.example.com

API Groups

Core Authorization

| Group | Description |
|---|---|
| Subjects | Manage users, API keys, services, and agents |
| Memberships | Add/remove subjects from scopes |
| Roles | Define roles within scopes |
| Role Assignments | Assign roles to memberships |
| Permissions | Define permissions within scopes |
| Role Permissions | Map permissions to roles |
| Scopes | Manage organizational hierarchy nodes |
| Scope Types | Define types of scopes (org, team, project) |
| Scope Hierarchy | Manage parent-child scope relationships |
| Scope Type Hierarchy | Define valid type relationships |
| Scope Overrides | Override inherited roles/permissions at child scopes |
| Resource Types | Define categories of protected resources |
| Resources | Manage protected objects within scopes |

Tags & Classification

| Group | Description |
|---|---|
| Tag Groups | Define categories of tags |
| Tags | Create tags within groups |
| Tag Bindings | Control which models can use which tag groups |
| Tag Assignments | Assign tags to resources, subjects, etc. |

Management Models (Bedrock Cloud)

| Group | Description |
|---|---|
| Tenants | Customer accounts with billing and limits |
| Workspaces | Logical groupings within tenants |
| Projects | Applications or services within workspaces |
| Environments | Deployment stages (prod, staging, dev) |
| Users | Human users with IDP integration |
| API Keys | Programmatic access credentials |