Seller Orchestra Internal API Mapping

Roles & Permissions

Manage roles and permission sets for seller domains and stores

3-Layer Architecture

Seller API Gateway → Seller Admin (Orchestra) → User Service

Token validation happens at the Gateway level via JWT verification.

Create Role

Create a new role with permissions

POST /merchant/api/v1/domains/:domain_id/roles
Body: name, description, permissions[]
1. POST /api/roles (User Service)
2. POST /api/events/log (Util Service)

List Roles

Retrieve all roles for the domain

GET /merchant/api/v1/domains/:domain_id/roles
1. GET /api/roles?domain_id=:domain_id (User Service)

Get Role

Retrieve a specific role by ID

GET /merchant/api/v1/domains/:domain_id/roles/:role_id
1. GET /api/roles/:role_id (User Service)

Update Role

Update role name, description, and permissions

PUT /merchant/api/v1/domains/:domain_id/roles/:role_id
Body: name, description, permissions[]
1. PUT /api/roles/:role_id (User Service)
2. POST /api/sessions/refresh-permissions (User Service)

Delete Role

Delete a role from the domain

DELETE /merchant/api/v1/domains/:domain_id/roles/:role_id
1. DELETE /api/roles/:role_id (User Service)
2. POST /api/cache/invalidate (Caching Service)

List Permissions

Retrieve all available permissions (not domain-scoped)

GET /merchant/api/v1/permissions
Note: This endpoint is NOT domain-scoped
1. GET /api/permissions (User Service)

Sample Permissions (150+ available):
view_orders, add_order, edit_order, delete_order, view_products, add_products, edit_products, delete_products, view_customers, view_staff, add_staff, view_roles, add_roles...

Documentation Notes

Roles are domain-scoped while permissions are system-wide constants. Role changes trigger session refresh to avoid privilege drift.

Response fields: id, name, description, domain_id, permissions[], created_at, updated_at
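
The Update Role sequence and the privilege drift it prevents, as an added example (not code from this system). FakeUserService, Session, update_role and the role_id argument to the refresh call are hypothetical, and the comparison against the role's domain_id field is an assumed way of enforcing domain scoping in the orchestration layer.

```python
from dataclasses import dataclass

@dataclass
class Role:
    id: str
    domain_id: str
    permissions: set

@dataclass
class Session:
    role_id: str
    permissions: frozenset  # snapshot of the role's permissions taken at login

class FakeUserService:
    """Constructed in-memory stand-in for the User Service calls on this page."""
    def __init__(self):
        self.roles, self.sessions = {}, []

    def put_role(self, role_id, permissions):    # PUT /api/roles/:role_id
        self.roles[role_id].permissions = set(permissions)

    def refresh_permissions(self, role_id):      # POST /api/sessions/refresh-permissions
        fresh = frozenset(self.roles[role_id].permissions)
        for s in self.sessions:
            if s.role_id == role_id:
                s.permissions = fresh

def update_role(svc, domain_id, role_id, permissions, refresh=True):
    """Orchestration for PUT /merchant/api/v1/domains/:domain_id/roles/:role_id."""
    role = svc.roles.get(role_id)
    # Assumed check: the downstream path carries only :role_id, so compare the
    # role's domain_id field with the :domain_id taken from the gateway path.
    if role is None or role.domain_id != domain_id:
        raise PermissionError("role not found in this domain")
    svc.put_role(role_id, permissions)
    if refresh:
        svc.refresh_permissions(role_id)

def demo():
    """Returns (drift without refresh, drift with refresh) for a revoked permission."""
    svc = FakeUserService()
    svc.roles["r1"] = Role("r1", "d1", {"view_orders", "delete_order"})
    sess = Session("r1", frozenset(svc.roles["r1"].permissions))
    svc.sessions.append(sess)
    update_role(svc, "d1", "r1", ["view_orders"], refresh=False)
    drifted = "delete_order" in sess.permissions   # stale snapshot still grants it
    update_role(svc, "d1", "r1", ["view_orders"])  # step 2 runs this time
    return drifted, "delete_order" in sess.permissions
```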