Session Roles and Scopes

Meshes embed behavior is driven by the session_type, role, and scopes you send to POST /api/v1/sessions.

Session types

• workspace: current full embed surface
• resource: locks the session to one resource + resource_id pair
• dashboard: read-only dashboard-only access

Roles

Current session roles:

• member
• admin
• owner

Use the lowest role that still supports the embedded workflow you want to expose.

Typical guidance:

• member: lowest-privilege embed access
• admin: general operational embed access
• owner: highest-privilege workspace embed access

Scopes

Some capabilities are intentionally controlled by explicit scopes rather than role alone.

Current scope:

• events.payload:read

Grant this only when the embedded experience should be able to view event payloads.

Current payload rule

To view sensitive event payloads in embed, the session currently needs:

• admin or owner
• the events.payload:read scope

This payload rule still applies to resource sessions. A resource session also has to be in scope for the event being viewed.

Related docs

• Workspace Pages Available in Embed
• Security Model