Skip to main content

Roles and RBAC

Supply APIs use two authorization layers:

JWT + org ownership (X-Org-Id)
Supply role header (X-Supply-Role) for selected commercial/operational routes

Supported roles

admin
ops
revenue
contracting

Role-gated routes

POST /supply/v1/hotels/:id/ari/bulk -> admin|ops|revenue
Supplements:
- GET -> admin|revenue|contracting
- POST|DELETE -> admin|revenue
Taxes:
- GET -> admin|revenue|contracting
- POST|DELETE -> admin|revenue
Promotions:
- GET -> admin|revenue|contracting
- POST|DELETE -> admin|revenue

When AUTH_DEV=true, missing X-Supply-Role is treated as admin (development convenience only).

Supported roles
Role-gated routes