Overview
Each Tarefy user has granular permissions within their account, configured by the administrator. These permissions determine which API endpoints the JWT token can access. When a request is made to a protected endpoint, the API validates the token and:- Allows if the user has the required permission →
2xxresponse - Blocks otherwise →
403 Forbiddenresponse
Discovering your permissions
To find out which permissions the authenticated token has, use:permissions field listing the permissions granted to the user. Use that array to decide client-side which features to enable before calling specific endpoints — avoiding unnecessary 403s.
Handling 403 in your integration
Even with prior checks, you may still receive403 Forbidden (admin changes permissions, account switch, etc.). Handle it like:
Permissions per endpoint
Every endpoint in the API Reference clearly states whether it requires a permission. Generally:- Read (
GET) — requires reading the resource - Write (
POST/PATCH/PUT) — requires editing the resource - Admin — requires a specific administrative permission
Permission-related errors
| Status | Scenario |
|---|---|
401 Unauthorized | Missing, invalid or expired token |
403 Forbidden | Valid token, but missing required permission |
404 Not Found | Some APIs return 404 instead of 403 when the user can’t read the resource (avoids leaking existence) |

