Access Control

Postgram secures all mutating and privileged operations behind API keys and server-side authorization checks.

This page summarizes the key controls: API key scopes, visibility, entity type restrictions, and operational patterns for key lifecycle.

  1. Create a key with the admin CLI:
       ./bin/pgm-admin key create \
         --name local \
         --scopes read,write,delete \
         --visibility personal,work,shared
  2. Use the key in all REST, MCP, and CLI requests via Authorization: Bearer <key> or PGM_API_KEY.
  3. Restrict keys by:
    • scopes (read, write, delete, sync)
    • visibility levels
    • allowed entity types (as configured in your deployment).
  • Every REST request must pass Authorization: Bearer <api-key>.
  • Reserve dedicated keys for admin-level commands and audit-sensitive operations.
  • Visibility restrictions complement role-based design for personal/work/shared separation.
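
The three restrictions above (scope, visibility, entity type) combine as a deny-by-default check on every request. The following is an added illustrative model of such a check, not Postgram's own code; the key values, the entity type names `note` and `task`, the hashed key table, and the rule that `None` means "no entity type restriction" are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class ApiKey:
    name: str
    scopes: FrozenSet[str]
    visibility: FrozenSet[str]
    entity_types: Optional[FrozenSet[str]]  # None = unrestricted (assumption)

def _digest(raw_key: str) -> str:
    # Keep only a hash of each key so a leaked key table holds no usable keys.
    return hashlib.sha256(raw_key.encode()).hexdigest()

# Constructed sample keys; placeholders, not real Postgram keys.
KEYS = {
    _digest("example-reader-key"): ApiKey(
        "reader", frozenset({"read"}), frozenset({"shared"}), None),
    _digest("example-local-key"): ApiKey(
        "local", frozenset({"read", "write", "delete"}),
        frozenset({"personal", "work", "shared"}), frozenset({"note"})),
}

def authorize(headers, scope, visibility, entity_type):
    """Return (allowed, reason); every restriction must pass or the request is denied."""
    scheme, _, raw_key = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not raw_key.strip():
        return False, "missing or malformed bearer token"
    key = KEYS.get(_digest(raw_key.strip()))
    if key is None:
        return False, "unknown key"
    if scope not in key.scopes:
        return False, f"scope '{scope}' not granted"
    if visibility not in key.visibility:
        return False, f"visibility '{visibility}' not granted"
    if key.entity_types is not None and entity_type not in key.entity_types:
        return False, f"entity type '{entity_type}' not allowed"
    return True, "ok"

if __name__ == "__main__":
    reader = {"Authorization": "Bearer example-reader-key"}
    print(authorize(reader, "read", "shared", "note"))
    print(authorize(reader, "write", "shared", "note"))
```
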