# Roles & Scopes

One permission system across your whole app — who (and which bots) can read, write, or manage every
entity, integration, action, and endpoint.

## Configure

### Roles

Define roles for your users — each decides what someone can access and do. Examples: Admin / Member /
Viewer, or Photographer / Client, or Free / Premium.

### Scopes

Scopes are the granular permissions a role carries. A scope can control:

- Which [entities](/platform/entities) a role can read, write, or manage
- Which [integrations](/platform/integrations) a role can use
- Which [actions](/platform/ai) it can invoke
- Which API endpoints are reachable

> "Create a viewer role that can read Projects but not edit anything."
>
> "Create a public scope that only exposes the product catalog."

### Bot-to-bot access

Scopes aren't just for people. When another AI agent connects over MCP, its token carries scopes — so
you control exactly what an external agent can see and do.

## Use in your app

Access is enforced by the backend automatically — calls that exceed a user's scope are rejected, so you
don't re-check permissions in the frontend. Read the current user's role from their account to tailor
the UI, for example to hide controls the user cannot use; that is presentation only, not the access
check.
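
A minimal model of the enforcement described above, as an added example that is not the platform's own code or API: the scope string format, the `manage`/`write`/`read` hierarchy, and all role, function and field names are assumptions. It shows the viewer role, an agent token carrying its own scopes, and a backend guard that rejects out-of-scope calls.

```javascript
// Added illustration: a generic role -> scope model, not the platform's API.
// The scope string format "kind:name:level" and every name here are assumptions.

// Assumption: "manage" also grants "write" and "read"; "write" also grants "read".
const IMPLIES = new Map([
  ["manage", ["manage", "write", "read"]],
  ["write", ["write", "read"]],
  ["read", ["read"]],
]);

// Constructed roles, mirroring the two example prompts in the Scopes section.
const ROLES = new Map([
  ["admin", ["entity:Projects:manage", "entity:Products:manage"]],
  ["viewer", ["entity:Projects:read"]],
  ["public", ["entity:Products:read"]],
]);

// Expand granted scopes into the concrete permissions they cover.
// Malformed or unknown levels expand to nothing (deny by default).
function expand(scopes) {
  const granted = new Set();
  for (const scope of scopes) {
    const [kind, name, level] = String(scope).split(":");
    for (const l of IMPLIES.get(level) || []) granted.add(`${kind}:${name}:${l}`);
  }
  return granted;
}

// A user holds the scopes of their role; an agent token carries its own list.
function scopesFor(principal) {
  if (principal.type === "agent") return expand(principal.scopes || []);
  return expand(ROLES.get(principal.role) || []);
}

// Backend check: allow only when the required scope is in the expanded set.
function authorize(principal, required) {
  return scopesFor(principal).has(required);
}

// Wrap a handler so the check runs on every call, whatever the UI displayed.
function guard(required, handler) {
  return (principal, ...args) =>
    authorize(principal, required)
      ? { status: 200, body: handler(...args) }
      : { status: 403, body: { error: "insufficient_scope", required } };
}

const updateProject = guard("entity:Projects:write", (id, patch) => ({ id, ...patch }));
```

Using `Map` lookups rather than plain objects keeps a role or level string such as `constructor` from resolving to an inherited property.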

## Reference

- [Entities](/platform/entities) · [Integrations](/platform/integrations) · [Actions](/platform/ai)
- [Authentication](/platform/auth) · [Authentication API](/api/authentication)
