Dashboard

Roles & Permissions (RBAC)

VerifyHuman uses role-based access control to govern what each member of your organization can do. Every member is assigned exactly one role within an organization.

Roles

The following six roles are seeded in every organization:

Slug Role Intended for Summary
owner Owner Founders, account holder Full organization control. Holds every permission, including transfer and deletion.
admin Admin Team leads, ops Manage members, API keys, webhooks, branding, audit logs; view billing. Cannot manage billing or transfer the org.
developer Developer Engineers, integrators Create and rotate API keys, manage webhooks, view verifications and reports. No member-management or billing access.
compliance_analyst Compliance Analyst Auditors, compliance reviewers Read and export verifications, reports, and audit logs. No write access.
billing_admin Billing Admin Finance Read and manage billing/subscriptions; read reports. No verification access.
read_only Read Only Support, sit-in users Limited read access to members, API keys, verifications, reports, and billing. No exports, no writes.

Each organization always has at least one Owner.

Permission catalog

Permissions are grouped by resource. Roles are composed from these permissions.

Organization & members

Permission Owner Admin Developer Compliance Billing Read Only
org.members.read
org.members.invite
org.members.update
org.members.remove
org.roles.manage — assign roles

API keys

Permission Owner Admin Developer Compliance Billing Read Only
api_keys.read
api_keys.create
api_keys.rotate
api_keys.revoke

Verifications & reports

Permission Owner Admin Developer Compliance Billing Read Only
verification.read
verification.export
reports.read
reports.export

Billing

Permission Owner Admin Developer Compliance Billing Read Only
billing.read
billing.manage — change plan, buy credits

Webhooks

Permission Owner Admin Developer Compliance Billing Read Only
webhooks.read
webhooks.manage — create/edit/delete, replay

Branding & audit

Permission Owner Admin Developer Compliance Billing Read Only
branding.manage — hosted-flow theming
audit_logs.read

The Owner role implicitly receives every permission seeded in the catalog, including any new permissions added in future releases.

API key scopes

API keys are an independent authorization layer that sits alongside roles. A user with api_keys.create can mint keys, but the key itself is bound to a scope that restricts which products it can call.

Scope Allows calls to
verifyhuman /api/verify, /api/mobile/v1/verifyhuman/*
verifyage /api/v1/verify-age/*, /api/mobile/v1/verifyage/*
identity / kyc /api/identity/v1/*, /api/kyc/v1/submit, /api/mobile/v1/verifyidentity/*
kyc_plus /api/kyc/v1/submit_plus, /api/kyc/v1/generate_report, /api/mobile/v1/verifycompliance/*
hybrid All product surfaces (use for trusted server-to-server backends only)

A request to a product the key is not scoped for returns 403 Forbidden.

See API keys & scopes for the full key lifecycle.

Changing a member's role

Members with org.roles.manage (Owners and Admins) can change another member's role from Settings → Members. The change takes effect on the member's next request — there is no need for the member to sign out and back in. Owners cannot demote themselves if they are the last Owner.

Role changes are recorded in your audit log with the old role, the new role, the actor, and the target.

SSO-provisioned users

When a user is created via SSO JIT provisioning, they receive the default member role configured for the organization (typically read_only or developer). Their role can be changed at any time afterward.

Best practices