Use this endpoint to retrieve the complete list of permissions available on the Shogun platform. Each permission represents a specific capability — such as initiating a transfer or viewing account balances — and is identified by a unique code string. You supply these codes in the permission_codes field when you create or update a role.
Endpoint
POST /api/v1/auth/web/fetch_permissions
Authentication
This endpoint requires a valid Dashboard JWT. Pass the token in the Authorization header:
Authorization: Bearer <access_token>
Request Body
No request body is required. You may send an empty JSON object {} or omit the body entirely.
Response
{
  "status": true,
  "response_code": "00",
  "message": "Permissions fetched successfully",
  "data": [
    {
      "id": "p1a2b3c4-d5e6-7890-abcd-ef0123456789",
      "code": "transfer.initiate",
      "name": "Initiate Transfer",
      "description": "Allows the user to initiate a fund transfer from an account."
    },
    {
      "id": "p2b3c4d5-e6f7-8901-bcde-f01234567890",
      "code": "account.view",
      "name": "View Accounts",
      "description": "Allows the user to view account details and balances."
    }
  ]
}
| Field | Type | Description |
|---|---|---|
| id | UUID | Unique identifier for the permission |
| code | string | The permission code string used when assigning permissions to roles |
| name | string | Human-readable name of the permission |
| description | string | Explanation of what this permission enables |
Example
curl -X POST https://baasapi.payrepmfb.com/api/v1/auth/web/fetch_permissions \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{}'
Build least-privilege roles by selecting only the specific permissions each team member needs. For example, a member who only reviews transactions should have transaction.view but not transfer.initiate or transfer.approve. Combining a narrow set of permissions per role reduces the blast radius of any compromised account.
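One way to enforce this before roles are created or updated is to audit the planned permission_codes against the fetched catalogue. The following is an added example, not Shogun's own code: the catalogue sample is constructed in the response shape shown above, and the role names, role definitions and policy mapping are hypothetical.

```python
# Constructed sample shaped like the fetch_permissions response on this page.
# transaction.view and transfer.approve are named in the text; listing them here is an assumption.
CATALOGUE_RESPONSE = {
    "status": True,
    "data": [
        {"code": "transfer.initiate", "name": "Initiate Transfer"},
        {"code": "transfer.approve", "name": "Approve Transfer"},
        {"code": "transaction.view", "name": "View Transactions"},
        {"code": "account.view", "name": "View Accounts"},
    ],
}

# Hypothetical role definitions: role name -> permission_codes to be submitted.
ROLES = {
    "transaction-reviewer": ["transaction.view", "transfer.initiate"],
    "treasury-operator": ["transfer.initiate", "account.veiw"],  # typo left in on purpose
    "auditor": ["transaction.view", "account.view"],
}

# Hypothetical policy: the most each role may hold.
POLICY = {
    "transaction-reviewer": {"transaction.view"},
    "treasury-operator": {"transfer.initiate", "account.view"},
    "auditor": {"transaction.view", "account.view"},
}


def catalogue_codes(response):
    """Return the set of valid codes, refusing a failed or malformed response."""
    if response.get("status") is not True or not isinstance(response.get("data"), list):
        raise ValueError("permission catalogue response is not usable")
    return {item["code"] for item in response["data"]}


def audit_roles(response, roles, policy):
    """Return sorted (role, issue, code) findings; an empty list means clean."""
    valid = catalogue_codes(response)
    findings = []
    for role, codes in roles.items():
        allowed = policy.get(role, set())  # a role without a policy entry is allowed nothing
        for code in codes:
            if code not in valid:
                findings.append((role, "unknown-code", code))
            elif code not in allowed:
                findings.append((role, "excess-permission", code))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_roles(CATALOGUE_RESPONSE, ROLES, POLICY):
        print(*finding)
```

Running the audit in CI or a pre-deployment check catches both mistyped codes and roles that have drifted beyond their intended scope.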