
Ask HN: Roles as Endpoints or Scoped Roles for an API? - crisopolis
Hi, I'm creating an API and want some suggestions or feedback on how roles should be addressed. Currently the system has four roles (responder, dispatcher, regionaladmin, admin). They all have access to only specific portions of the API.

Example of Roles as Endpoints:

Responders can get events (assigned to them) but not post.

  GET  /v1/responders/events

Dispatchers can get and post events:

  GET  /v1/dispatchers/events
  POST /v1/dispatchers/events

Example of Scoped Roles:

  GET  /v1/events
  POST /v1/events

JSON Web Token with Scopes:

  Dispatcher
    {scopes: [events:read, events:create]}

  Responder
    {scopes: [events:read]}

Which one of these would be better or more flexible?
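The scoped-roles design from the post, worked through as an added example (Python, not code from the original post or from any project it describes). The route table, the role-to-scope mapping and the claim dicts are constructed for illustration; the JWT is assumed to have been signature-verified and decoded into a dict of claims by the API's JWT library before any of this runs. It also shows the part scopes alone do not express: "responders can get events (assigned to them)" is an object-level rule that still needs a filter on the resource, and the `assigned_to` field and the rule that dispatchers see every event are assumptions.

```python
# Added example, not from the post: scope-based authorization for the
# /v1/events endpoints. The route table, role -> scope mapping and claim
# dicts below are constructed; the token is assumed to already be a
# verified, decoded dict of claims.

# Each endpoint declares the single scope it requires. A route with no
# entry is denied by default (fail closed).
REQUIRED_SCOPE = {
    ("GET", "/v1/events"): "events:read",
    ("POST", "/v1/events"): "events:create",
}

# Role -> scopes, applied once, when the token is issued. The two roles
# whose scopes the post spells out are listed; others are added the same way.
ROLE_SCOPES = {
    "responder": ["events:read"],
    "dispatcher": ["events:read", "events:create"],
}


def issue_claims(subject, role):
    """Build the claim set that would be signed into the user's JWT."""
    if role not in ROLE_SCOPES:
        raise ValueError(f"unknown role: {role}")
    return {"sub": subject, "role": role, "scopes": list(ROLE_SCOPES[role])}


def authorize(claims, method, path):
    """Return True only if the token carries the scope the route requires.

    Fails closed: an unknown route, a missing or malformed 'scopes' claim,
    or a scope mismatch all yield False.
    """
    required = REQUIRED_SCOPE.get((method.upper(), path))
    if required is None:
        return False
    scopes = claims.get("scopes")
    if not isinstance(scopes, list):
        return False
    return required in scopes


def visible_events(claims, events):
    """Object-level filter that scopes alone do not express.

    Scopes say which action a caller may take, not which events. The post
    says responders only get events assigned to them, so filter on the
    (assumed) 'assigned_to' field for that role; other roles see all events.
    """
    if claims.get("role") == "responder":
        return [e for e in events if e.get("assigned_to") == claims.get("sub")]
    return list(events)


# Constructed sample data: three events, two of them assigned to responder r-17.
EVENTS = [
    {"id": 1, "assigned_to": "r-17", "status": "open"},
    {"id": 2, "assigned_to": "r-42", "status": "open"},
    {"id": 3, "assigned_to": "r-17", "status": "closed"},
]


def demo():
    """Run the two callers from the post through both checks."""
    responder = issue_claims("r-17", "responder")
    dispatcher = issue_claims("d-3", "dispatcher")
    return {
        "responder_get": authorize(responder, "GET", "/v1/events"),
        "responder_post": authorize(responder, "POST", "/v1/events"),
        "dispatcher_post": authorize(dispatcher, "POST", "/v1/events"),
        "responder_sees": [e["id"] for e in visible_events(responder, EVENTS)],
        "dispatcher_sees": [e["id"] for e in visible_events(dispatcher, EVENTS)],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point this illustrates: with scopes, every role hits the same `/v1/events` routes and the only per-role difference lives in the token, so adding a role means adding a line to `ROLE_SCOPES` rather than a new family of endpoints. The `visible_events` filter is the reminder that scope checks are action-level; row-level ownership (which events a responder may see) has to be enforced in the handler regardless of which of the two designs is chosen.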
======
fdim
Design-wise, I would definitely go with scopes. You would have one common API,
just different requirements to make the calls.

OT: You got me curious how all this works under the hood now.

