Permissions enable you to control access to the API on a granular basis (following the principle of least privilege). As an example, if you have an employee who needs to initiate payments, but shouldn’t be able to manipulate policies, you can do that. Start by Creating a Permission with some allowed operations in it, and Assign it to a User.

Terminology

  • Permission - a Permission contains a set of Operations, and can be assigned to users (or Service Accounts). When assigned to a user, a Permission allows them to perform these operations in our API. Each created Permission has a unique name and a unique ID. A Permission can be assigned to one user or to multiple users, depending on what you need.
  • Operation - an Operation can be added to a Permission, and grants access to one action in the API. There is a fixed list of operations (see below) that you can include in Permissions. Every API endpoint requires one (or several) operations to use it. E.g. the endpoint Create Wallet requires the operation Wallets:Create.
  • Assignment - or “Permission Assignment”, is the assignment of a given Permission to a given User (or Service Account). A Permission can be assigned to a User (aka “granted”), or un-assigned from them (aka “revoked”).
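Putting the terminology together, the following added example (written for this page, not Dfns code or SDK) derives the smallest operation set a role needs from the API calls it must make, using the endpoint-to-operation mapping and the conditional rules (feeSponsorId, delegateTo, signingKey.id, tags) given in the operation list further down, and then checks that the result touches no forbidden resource such as Policies. Endpoint paths and operation names are taken from this page; the request bodies and the fs-PLACEHOLDER id are constructed.

```python
# Operations every call to the endpoint needs (from the list on this page);
# only the endpoints used below are mapped.
BASE_OPERATIONS = {
    ("GET", "/wallets"): {"Wallets:Read"},
    ("GET", "/wallets/{walletId}/assets"): {"Wallets:Read"},
    ("POST", "/wallets"): {"Wallets:Create"},
    ("POST", "/wallets/{walletId}/transfers"): {"Wallets:Transfers:Create"},
    ("POST", "/wallets/{walletId}/transactions"): {"Wallets:Transactions:Create"},
}
# Endpoints that additionally need FeeSponsors:Use when feeSponsorId is set.
SPONSORABLE = {"/wallets/{walletId}/transfers", "/wallets/{walletId}/transactions"}


def operations_for(method, path, body=None):
    """Operations one API call requires, including body-dependent extras."""
    body = body or {}
    ops = set(BASE_OPERATIONS[(method, path)])  # KeyError for an unmapped endpoint
    if (method, path) == ("POST", "/wallets"):
        # signingKey.id reuses an existing key instead of creating a new one.
        if body.get("signingKey", {}).get("id"):
            ops.add("Keys:Reuse")
        else:
            ops.add("Keys:Create")
        if body.get("delegateTo"):
            ops.add("Keys:Delegate")
        if body.get("tags"):
            ops.add("Wallets:Tags:Add")
    if method == "POST" and path in SPONSORABLE and body.get("feeSponsorId"):
        ops.add("FeeSponsors:Use")
    return ops

def permission_for(calls):
    """Smallest operation set covering every (method, path, body) a role must make."""
    ops = set()
    for method, path, body in calls:
        ops |= operations_for(method, path, body)
    return sorted(ops)

def out_of_scope(permission, forbidden_resources):
    """Operations on a resource (first segment, e.g. 'Policies') the role must not have."""
    return [op for op in permission if op.split(":")[0] in forbidden_resources]

if __name__ == "__main__":
    # Constructed calls for the intro's payments operator: moves funds, no policy access.
    calls = [("GET", "/wallets", {}),
             ("POST", "/wallets/{walletId}/transfers", {"feeSponsorId": "fs-PLACEHOLDER"})]
    perm = permission_for(calls)
    print(perm, out_of_scope(perm, {"Policies"}))
```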

Dfns-managed Permissions

When your Dfns organisation is created, some Permissions already exist in it. They are special: some of them are automatically assigned, and some of them are immutable (cannot be updated or archived).

ManagedFullAdminAccess

This Permission is automatically assigned to the first User of the Organisation. It includes all existing (and future) operations available in Dfns API. It’s immutable, so you cannot update it or archive it. You can only assign it or revoke it.

ManagedDefaultEndUserAccess

This unique Permission is assigned by default to any new EndUser in your organisation, and comes with an initial set of operations (which you can update at any time) allowing any EndUser to “do stuff with the wallet he owns” by default.
Regardless of permissions, an EndUser can only access wallets delegated to them. This Permission does not allow end users to access your organization’s wallets. See Wallet visibility below.
This Permission is meant to simplify end-user permission management. Since all your end users have it assigned by default, you don’t necessarily need to grant them other permissions to let them use their wallets, and you only need to modify this one Permission to affect all your end users at once. It is not immutable, and you keep full control over it (update the operations in it, un-assign it, deactivate it, though these last two are probably edge cases).

User types

Dfns supports three types of identities, each designed for different use cases:
Type              | Description          | Typical use
CustomerEmployee  | Your team members    | Dashboard access, wallet management
EndUser           | Your end customers   | Non-custodial delegated wallets
Service Account   | Machine identity     | Automation, server-to-server API calls

Comparison matrix

Capability            | CustomerEmployee      | EndUser                 | Service Account
Wallet visibility     | All org wallets       | Only delegated wallets  | All org wallets
Dashboard access      | Yes                   | No                      | No
Policy coverage       | Yes                   | No (bypassed)           | Yes
Can hold credentials  | Yes (passkeys, keys)  | Yes (passkeys, keys)    | Yes (keys only)
Created via           | Dashboard or API      | Delegated registration  | Service Account API

Wallet visibility

The wallets a user can see depend on their user type:

User Type         | Wallet Visibility
CustomerEmployee  | All wallets in the organization
EndUser           | Only wallets delegated to them
Service Account   | All wallets in the organization

CustomerEmployee users are your team members who access the Dfns dashboard and manage wallets on behalf of your organization. When granted Wallets:Read, they can see all org-managed wallets. This enables shared visibility across your team for operational purposes.

EndUser accounts are for your end customers using delegated wallets. Each EndUser can only access wallets that have been delegated to them - they cannot see other users’ wallets or your organization’s wallets. This isolation is enforced at the platform level, regardless of permissions.

Service Accounts are machine identities for server-to-server API calls. They can access all organization wallets (when granted appropriate permissions) and are commonly used for automation workflows.
Delegated wallets strictly belong to the EndUser they are delegated to. No one else in the organization can access or manage them - this includes policies, which do not apply to delegated wallets. Only the EndUser can sign transactions for their wallets.
If you need per-user wallet isolation, use EndUser accounts with delegated wallets. Each user will only see and control their own wallets.

Permission assignment

To assign permissions to users, you need the Permissions:Assign permission. You can also create policies on Permissions:Assign activity to require approval for permission changes.

List of Permission Operations

Agreements:Acceptance:Create

  • Record agreement acceptance (POST/agreements/{agreementId}/accept – doc)

Agreements:Acceptance:Read

  • Get latest unaccepted agreement (GET/agreements/latest-unaccepted – doc)

Allocations:Create

  • Create allocation (POST/allocations – doc)

Allocations:Read

  • List allocations (GET/allocations – doc)
  • List allocation actions (GET/allocations/{allocationId}/actions – doc)
  • Get allocation (GET/allocations/{allocationId} – doc)

Allocations:Update

  • Create allocation action (POST/allocations/{allocationId}/actions – doc)

Auth:Login:Delegated

  • Delegated login (POST/auth/login/delegated – doc)

Auth:Logs:Read

  • List audit logs (GET/auth/action/logs – doc)
  • Get audit log (GET/auth/action/logs/{id} – doc)

Auth:Pats:Create

  • Create personal access token (POST/auth/pats – doc)

Auth:Recover:Delegated

  • Create delegated recovery challenge (POST/auth/recover/user/delegated – doc)

Auth:Register:Delegated

  • Create delegated registration challenge (POST/auth/registration/delegated – doc)

Auth:ServiceAccounts:Activate

  • Activate service account (PUT/auth/service-accounts/{serviceAccountId}/activate – doc)

Auth:ServiceAccounts:Create

  • Create service account (POST/auth/service-accounts – doc)

Auth:ServiceAccounts:Deactivate

  • Deactivate service account (PUT/auth/service-accounts/{serviceAccountId}/deactivate – doc)

Auth:ServiceAccounts:Delete

  • Delete service account (DEL/auth/service-accounts/{serviceAccountId} – doc)

Auth:ServiceAccounts:Read

  • List service accounts (GET/auth/service-accounts – doc)
  • Get service account (GET/auth/service-accounts/{serviceAccountId} – doc)

Auth:ServiceAccounts:Update

  • Update service account (PUT/auth/service-accounts/{serviceAccountId} – doc)

Auth:Users:Activate

  • Activate user (PUT/auth/users/{userId}/activate – doc)

Auth:Users:Create

  • Create user (POST/auth/users – doc)

Auth:Users:Deactivate

  • Deactivate user (PUT/auth/users/{userId}/deactivate – doc)

Auth:Users:Delete

  • Delete user (DEL/auth/users/{userId} – doc)

Auth:Users:Read

  • Get user (GET/auth/users/{userId} – doc)
  • List users (GET/auth/users – doc)

Auth:Users:Update

  • Update user (PUT/auth/users/{userId} – doc)

Exchanges:Create

  • Create exchange (POST/exchanges – doc)

Exchanges:Delete

  • Delete exchange (DEL/exchanges/{exchangeId} – doc)

Exchanges:Deposits:Create

  • Create exchange deposit (POST/exchanges/{exchangeId}/accounts/{accountId}/deposits – doc)

Exchanges:Read

  • Get exchange (GET/exchanges/{exchangeId} – doc)
  • List exchanges (GET/exchanges – doc)
  • List accounts (GET/exchanges/{exchangeId}/accounts – doc)
  • List account assets (GET/exchanges/{exchangeId}/accounts/{accountId}/assets – doc)
  • List asset withdrawal networks (GET/exchanges/{exchangeId}/accounts/{accountId}/assets/{asset}/withdrawal-networks – doc)

Exchanges:Withdrawals:Create

  • Create exchange withdrawal (POST/exchanges/{exchangeId}/accounts/{accountId}/withdrawals – doc)

FeeSponsors:Create

  • Create fee sponsor (POST/fee-sponsors – doc)

FeeSponsors:Delete

  • Delete fee sponsor (DEL/fee-sponsors/{feeSponsorId} – doc)

FeeSponsors:Read

  • List fee sponsors (GET/fee-sponsors – doc)
  • Get fee sponsor (GET/fee-sponsors/{feeSponsorId} – doc)
  • List sponsored fees (GET/fee-sponsors/{feeSponsorId}/fees – doc)

FeeSponsors:Update

  • Deactivate fee sponsor (PUT/fee-sponsors/{feeSponsorId}/deactivate – doc)
  • Activate fee sponsor (PUT/fee-sponsors/{feeSponsorId}/activate – doc)

FeeSponsors:Use

  • Sign and broadcast transaction (POST/wallets/{walletId}/transactions – doc) Required if feeSponsorId is specified
  • Transfer asset (POST/wallets/{walletId}/transfers – doc) Required if feeSponsorId is specified

KeyStores:Read

  • List key stores (GET/key-stores – doc)

Keys:ChildKeys:Create

  • Create key (POST/keys – doc) Required if deriveFrom is specified

Keys:Create

  • Create key (POST/keys – doc)
  • Create wallet (POST/wallets – doc) Required if wallet creation also creates a new Key entity. This is the default behavior

Keys:Delegate

  • Create key (POST/keys – doc) Required if delegateTo is specified
  • Delegate key (POST/keys/{keyId}/delegate – doc)
  • Create wallet (POST/wallets – doc) Required if delegateTo is specified

Keys:Delete

  • Delete key (DEL/keys/{keyId} – doc)

Keys:Derive

  • Derive key (POST/keys/{keyId}/derive – doc)

Keys:Export

  • Export key (POST/keys/{keyId}/export – doc)

Keys:Import

  • Import key (POST/keys/import – doc)
  • Import wallet (POST/wallets/import – doc)

Keys:Read

  • List keys (GET/keys – doc)
  • Get key (GET/keys/{keyId} – doc)

Keys:Reuse

  • Create wallet (POST/wallets – doc) Required if signingKey.id is specified. Wallet will reuse an existing key instead of creating a new one

Keys:Signatures:Create

  • Generate signature (POST/keys/{keyId}/signatures – doc)

Keys:Signatures:Read

  • List signatures (GET/keys/{keyId}/signatures – doc)
  • Get signature (GET/keys/{keyId}/signatures/{signatureId} – doc)

Keys:Update

  • Update key (PUT/keys/{keyId} – doc)

Networks:CantonValidators:Create

  • Create canton validator (POST/networks/{network}/validators – doc)

Networks:CantonValidators:Delete

  • Delete canton validator (DEL/networks/{network}/validators/{validatorId} – doc)

Networks:CantonValidators:Read

  • Get canton validator (GET/networks/{network}/validators/{validatorId} – doc)
  • List canton validators (GET/networks/{network}/validators – doc)

Networks:CantonValidators:Update

  • Update canton validator (PUT/networks/{network}/validators/{validatorId} – doc)

Permissions:Archive

  • Delete permission (PUT/permissions/{permissionId}/archive – doc)

Permissions:Assign

  • Assign permission (POST/permissions/{permissionId}/assignments – doc)

Permissions:Assignments:Read

  • List permission assignments (GET/permissions/{permissionId}/assignments – doc)

Permissions:Create

  • Create permission (POST/permissions – doc)

Permissions:Read

  • List permissions (GET/permissions – doc)
  • Get permission (GET/permissions/{permissionId} – doc)

Permissions:Revoke

  • Revoke permission (DEL/permissions/{permissionId}/assignments/{assignmentId} – doc)

Permissions:Update

  • Update permission (PUT/permissions/{permissionId} – doc)

Policies:Approvals:Approve

  • Create approval decision (POST/v2/policy-approvals/{approvalId}/decisions – doc)

Policies:Approvals:Read

  • Get approval (GET/v2/policy-approvals/{approvalId} – doc)
  • List approvals (GET/v2/policy-approvals – doc)

Policies:Archive

  • Delete policy (DEL/v2/policies/{policyId} – doc)

Policies:Create

  • Create policy (POST/v2/policies – doc)

Policies:Read

  • Get policy (GET/v2/policies/{policyId} – doc)
  • List policies (GET/v2/policies – doc)

Policies:Update

  • Update policy (PUT/v2/policies/{policyId} – doc)

Signers:ListSigners

  • List signers (GET/signers – doc)

Stakes:Create

  • Create stake (POST/staking/stakes – doc)

Stakes:Read

  • List stakes (GET/staking/stakes – doc)
  • List stake actions (GET/staking/stakes/{stakeId}/actions – doc)
  • Get stakes (GET/staking/stakes/{stakeId} – doc)
  • Get stake rewards (GET/staking/stakes/{stakeId}/rewards – doc)

Stakes:Update

  • Create stake action (POST/staking/stakes/{stakeId}/actions – doc)

Swaps:Create

  • Create swap (POST/swaps – doc)

Swaps:Read

  • List swaps (GET/swaps – doc)
  • Get swap (GET/swaps/{swapId} – doc)

Wallets:Create

  • Activate wallet (POST/wallets/{walletId}/activate – doc)
  • Create wallet (POST/wallets – doc)
  • Import wallet (POST/wallets/import – doc)

Wallets:Offers:Read

  • Get offer (GET/wallets/{walletId}/offers/{offerId} – doc)
  • List offers (GET/wallets/{walletId}/offers – doc)

Wallets:Offers:Settle

  • Accept offer (PUT/wallets/{walletId}/offers/{offerId}/accept – doc)
  • Reject offer (PUT/wallets/{walletId}/offers/{offerId}/reject – doc)

Wallets:Read

  • List wallets (GET/wallets – doc)
  • Get wallet (GET/wallets/{walletId} – doc)
  • Get wallet assets (GET/wallets/{walletId}/assets – doc)
  • Get wallet history (GET/wallets/{walletId}/history – doc)
  • Get wallet nfts (GET/wallets/{walletId}/nfts – doc)
  • List org wallet history (GET/wallets/all/history – doc)

Wallets:Tags:Add

  • Create wallet (POST/wallets – doc) Required if tags are specified
  • Tag wallet (PUT/wallets/{walletId}/tags – doc)

Wallets:Tags:Delete

  • Untag wallet (DEL/wallets/{walletId}/tags – doc)

Wallets:Transactions:Create

  • Sign and broadcast transaction (POST/wallets/{walletId}/transactions – doc)
  • Cancel transaction (POST/wallets/{walletId}/transactions/{transactionId}/cancel – doc)
  • Cancel transfer (POST/wallets/{walletId}/transfers/{transferId}/cancel – doc)
  • Speed up transaction (POST/wallets/{walletId}/transactions/{transactionId}/speed-up – doc)
  • Speed up transfer (POST/wallets/{walletId}/transfers/{transferId}/speed-up – doc)

Wallets:Transactions:Read

  • List transactions (GET/wallets/{walletId}/transactions – doc)
  • Cancel transaction (POST/wallets/{walletId}/transactions/{transactionId}/cancel – doc)
  • Speed up transaction (POST/wallets/{walletId}/transactions/{transactionId}/speed-up – doc)
  • Get transaction (GET/wallets/{walletId}/transactions/{transactionId} – doc)

Wallets:Transfers:Create

  • Create exchange deposit (POST/exchanges/{exchangeId}/accounts/{accountId}/deposits – doc)
  • Transfer asset (POST/wallets/{walletId}/transfers – doc)

Wallets:Transfers:Read

  • Cancel transfer (POST/wallets/{walletId}/transfers/{transferId}/cancel – doc)
  • Speed up transfer (POST/wallets/{walletId}/transfers/{transferId}/speed-up – doc)
  • Get transfer (GET/wallets/{walletId}/transfers/{transferId} – doc)
  • List transfers (GET/wallets/{walletId}/transfers – doc)

Wallets:Update

  • Update wallet (PUT/wallets/{walletId} – doc)

Webhooks:Create

  • Create webhook (POST/webhooks – doc)

Webhooks:Delete

  • Delete webhook (DEL/webhooks/{webhookId} – doc)

Webhooks:Events:Read

  • Get webhook event (GET/webhooks/{webhookId}/events/{webhookEventId} – doc)
  • List webhook events (GET/webhooks/{webhookId}/events – doc)

Webhooks:Ping

  • Ping webhook (POST/webhooks/{webhookId}/ping – doc)

Webhooks:Read

  • List webhooks (GET/webhooks – doc)
  • Get webhook (GET/webhooks/{webhookId} – doc)

Webhooks:Update

  • Update webhook (PUT/webhooks/{webhookId} – doc)