Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.useparagon.com/llms.txt

Use this file to discover all available pages before exploring further.

If your Connected Users represent accounts, organizations, or some other group of users in your platform, then you may want to control the permissions of the credentials and configurations within that user to only the set that an authenticated user of your application should have access to. By default, a Paragon User Token grants access to all credentials and configurations within a Connected User (identified by the sub field in the JWT).
Diagram illustrating org- vs. user-level tokens
You can restrict access to specific credentials and configurations by adding an additional claim on the Paragon User Token (JWT) that is passed for an authenticated user in your platform. You can also use JWT Permissions to prevent certain types of API calls from being made using a given token, for example: Proxy API calls, App Events, or Workflow triggers.

Usage

The claim for JWT Permissions is called urn:useparagon:connect:permissions and is structured as an object with keys of Scopes (i.e. what to scope a group of permissions/rules to) and values of Permissions (i.e. visibility of specific credentials or configurations and the types of operations that are allowed). Here are some examples of token types that are expressible with JWT Permissions: 
{
  "sub": "<Paragon User ID>",
  "urn:useparagon:connect:permissions": {
    "integration:*": true
  }
}
Claims passed in the JWT are not persisted or saved in any way. They are only used and evaluated for the current API request and should be included with every token that requires permissions control.

JWT Scopes

The following scopes can be used to assign permissions and rules. These scopes are ordered from least specific to most specific. Permissions designated at more specific scopes will override those inherited from less specific scopes.
ScopeDescription
integration:*All integrations
integration:[name]An integration matching a name of [name] (as passed to paragon.connect )
credential:*All credentials belonging to an integration
credential:[uuid]All credentials matching an ID of [uuid]
configuration:*All configurations belonging to a credential
configuration:ext:[id]All configurations matching an External ID of [id]

JWT Permissions

The following permissions can be used to configure API capabilities for a Paragon User Token. These permissions can apply to any of the scopes listed above. Permissions must be specified as an array, or as a Boolean interpreted as true = Allow All, false = Deny All.
PermissionDescription
credential:writeConnect a new credential, reconnect an existing credential, or disconnect an existing credential
config:writeCreate, modify, or destroy a configuration
settings:readRead User Settings and Workflow Enablement
settings:writeWrite and read User Settings and Workflow Enablements
metadata:readRead User Metadata
metadata:writeWrite and read User Metadata
proxy-apiSend requests to the Proxy API
eventsSend App Events
workflowsSend Workflow Request triggers