Membership Management API
This document describes the auth-service membership routes currently registered in auth-service/backend/pkg/server/server.go.
Concepts
Section titled “Concepts”- Organizations and projects are identified by integer IDs from the governance service.
- Users are identified by the auth-service user UUID.
- Organization membership is managed by organization owners.
- Project membership is managed by project owners.
- RBAC metadata and permission checks are exposed under
/api/v1/rbac.
Authentication
Section titled “Authentication”Membership routes use the combined-auth middleware (auth-service/backend/pkg/middleware/combined_auth.go), which accepts either:
- a bearer JWT from the configured IDP (or an enriched token issued by auth-service when using Keycloak/Entra token exchange), or
- an auth-service API key, supplied via
Authorization: Bearer <api-key>.
Authorization: Bearer <token-or-api-key>Dedicated API-key-only routes are exposed under /api/v1/service/* for service-to-service callers that don’t need user-context claims.
Organization Members
Section titled “Organization Members”Add Member
Section titled “Add Member”POST /api/v1/organizations/{organizationId}/membersRequires organization-owner access.
{ "userId": "550e8400-e29b-41d4-a716-446655440000", "roles": ["organization_owner"]}Remove Member
Section titled “Remove Member”DELETE /api/v1/organizations/{organizationId}/members/{userId}Requires organization-owner access.
Update Member Roles
Section titled “Update Member Roles”PATCH /api/v1/organizations/{organizationId}/members/{userId}Requires organization-owner access.
{ "roles": ["organization_owner"]}List Organization Memberships
Section titled “List Organization Memberships”GET /api/v1/organizations/{organizationId}/membershipsGET /api/v1/organizations/{organizationId}/members/{userId}/membershipsRequires organization-owner or project-owner access within the organization.
Project Members
Section titled “Project Members”Project member routes are nested under the organization:
POST /api/v1/organizations/{organizationId}/projects/{projectId}/members/{userId}DELETE /api/v1/organizations/{organizationId}/projects/{projectId}/members/{userId}PUT /api/v1/organizations/{organizationId}/projects/{projectId}/members/{userId}These routes require project-owner access.
Project-level roles:
project_ownerimplementation_ownerimplementation_contributoraudit_owneraudit_contributorproject_viewer
Organization-level role:
organization_owner
RBAC Metadata
Section titled “RBAC Metadata”GET /api/v1/rbac/user/permissionsGET /api/v1/rbac/user/rolesGET /api/v1/rbac/metadata/rolesGET /api/v1/rbac/metadata/permissionsGET /api/v1/rbac/check/permission/{permission}GET /api/v1/rbac/check/permission/{permission}/project/{projectId}These routes use combined auth and support both JWTs and API keys where the middleware can resolve a user context.
- The active role and permission definitions live in
auth-service/backend/pkg/rbac/roles.goandauth-service/backend/pkg/rbac/permissions.go. project_vieweris read-only project access.- API response shapes are generated in Swagger from the handler annotations; use
/swagger/when the service is running withSWAGGER_ENABLED=true.