Alphabet lets authenticated users request temporary access to privileges they do not currently hold. The request captures the desired privilege, the reason, and the duration of access. An admin then approves or denies the request through a dedicated workflow. No access is granted until an admin explicitly approves it.

Requesting access (end user)

Any authenticated user can submit a privilege request. The request goes into a pending state and is not active until approved.

Submit a privilege request

POST /api/v1/users/me/privilege-requests
{
  "privilegeId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  "reason": "Need to export the Q2 compliance report for the audit team.",
  "requestedDurationDays": 14,
  "approverEmail": "manager@example.com"
}

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| privilegeId | GUID | Yes | The privilege you are requesting. |
| reason | string | Yes | Business justification for the request. Visible to the approver and recorded in the audit log. |
| requestedDurationDays | integer | Yes | How many days of access you need. Cannot exceed MaxPrivilegeRequestDurationDays (default: 30 days). |
| approverEmail | string | No | Email address of the intended approver. The API routes the request to this person. |

curl -X POST "https://your-api/api/v1/users/me/privilege-requests" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "privilegeId": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "reason": "Need to export the Q2 compliance report for the audit team.",
    "requestedDurationDays": 14,
    "approverEmail": "manager@example.com"
  }'

Response

"b2c3d4e5-f6a7-8901-bcde-fa1234567890"

The response body is the request GUID. Save it if you need to reference the request later.

The requestedDurationDays value is capped at MaxPrivilegeRequestDurationDays (30 by default). Requests exceeding this cap return a 400 Bad Request response.

View your current privileges

GET /api/v1/users/me/privileges
Returns your current effective privileges after all role, user, and policy rules have been applied. Use this to confirm whether an approved request has taken effect.
curl -X GET "https://your-api/api/v1/users/me/privileges" \
  -H "Authorization: Bearer {token}"

Approving or denying requests (admin)

Admin users with the Admin or PrivilegeManager role manage the request queue through the admin endpoints. Approving a request grants the privilege immediately for the requested duration. Denying preserves the request and decision for audit.
Users cannot approve their own privilege requests. The approverEmail field in the request is informational — enforcement of the separation between requester and approver is an organizational control.
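
Because the separation between requester and approver is described here as an organizational control, a periodic review of decided requests can check that it holds. The following is an added example, not Alphabet's own code: the records are constructed, and requestId, requesterEmail, decidedByEmail and decision are hypothetical field names (approverEmail mirrors the request body above).

```python
# Constructed records for illustration. requestId, requesterEmail,
# decidedByEmail and decision are hypothetical field names.
SAMPLE_RECORDS = [
    {"requestId": "req-001", "requesterEmail": "dana@example.com",
     "approverEmail": "manager@example.com",
     "decidedByEmail": "manager@example.com", "decision": "approved"},
    {"requestId": "req-002", "requesterEmail": "lee@example.com",
     "approverEmail": "manager@example.com",
     "decidedByEmail": "Lee@Example.com ", "decision": "approved"},
    {"requestId": "req-003", "requesterEmail": "sam@example.com",
     "approverEmail": "manager@example.com",
     "decidedByEmail": "ops@example.com", "decision": "approved"},
    {"requestId": "req-004", "requesterEmail": "kim@example.com",
     "approverEmail": "kim@example.com",
     "decidedByEmail": "ops@example.com", "decision": "denied"},
]


def _norm(email):
    # Compare addresses case-insensitively and ignore stray whitespace.
    return (email or "").strip().casefold()


def review_decisions(records):
    """Return (requestId, finding) pairs that need a human look."""
    findings = []
    for r in records:
        requester, named, decider = (
            _norm(r.get(k))
            for k in ("requesterEmail", "approverEmail", "decidedByEmail")
        )
        rid = r["requestId"]
        if named and named == requester:
            findings.append((rid, "requester-named-self"))
        if r.get("decision") != "approved":
            continue  # a denial grants nothing, so no separation check is needed
        if decider and decider == requester:
            findings.append((rid, "self-approval"))
        elif named and decider != named:
            # approverEmail is informational, so this is a review item, not a violation.
            findings.append((rid, "approver-differs-from-named"))
    return findings


if __name__ == "__main__":
    for request_id, finding in review_decisions(SAMPLE_RECORDS):
        print(request_id, finding)
```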

Approve a request

POST /api/v1/admin/privilege-requests/{requestId}/approve
{
  "notes": "Approved for Q2 audit. Access expires after 14 days as requested."
}
curl -X POST "https://your-api/api/v1/admin/privilege-requests/b2c3d4e5-f6a7-8901-bcde-fa1234567890/approve" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "notes": "Approved for Q2 audit. Access expires after 14 days as requested."
  }'
Approving grants the privilege to the requesting user for the duration they specified. A 200 OK response confirms the grant was created. The approval notes are stored in the audit log alongside the request.

Deny a request

POST /api/v1/admin/privilege-requests/{requestId}/deny
{
  "notes": "Access to report.export should go through the Reporting role. Please contact your manager."
}
curl -X POST "https://your-api/api/v1/admin/privilege-requests/b2c3d4e5-f6a7-8901-bcde-fa1234567890/deny" \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "notes": "Access to report.export should go through the Reporting role. Please contact your manager."
  }'
Denying does not grant access. The request and the denial notes are preserved for the audit trail.

Exporting the privilege catalog

You can export the full privilege catalog for offline governance reviews.
GET /api/v1/admin/privileges/export?format=json
GET /api/v1/admin/privileges/export?format=csv

| Query parameter | Values | Description |
| --- | --- | --- |
| format | json, csv | Export format. Defaults to json if omitted. |

# Export as JSON
curl -X GET "https://your-api/api/v1/admin/privileges/export?format=json" \
  -H "Authorization: Bearer {token}"

# Export as CSV
curl -X GET "https://your-api/api/v1/admin/privileges/export?format=csv" \
  -H "Authorization: Bearer {token}" \
  --output privileges.csv
The CSV export includes Id, Name, DisplayName, Category, IsDeprecated, and IsGlobal columns. Both formats include deprecated privileges.
The export includes up to 5,000 privileges in a single response. For very large catalogs, use the paginated GET /api/v1/privileges endpoint with pageNumber and pageSize instead.
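
For an offline governance review, the CSV export can be summarised with a short script. This is an added example, not part of the Alphabet documentation or code base: the sample rows are constructed, and the true/false spelling of the boolean columns is an assumption.

```python
import csv
import io
from collections import Counter

EXPORT_CAP = 5000  # single-response limit stated for the export endpoint
COLUMNS = {"Id", "Name", "DisplayName", "Category", "IsDeprecated", "IsGlobal"}

# Constructed sample. Only report.export appears on this page; the other rows
# and the true/false spelling of the boolean columns are assumptions.
SAMPLE_CSV = """Id,Name,DisplayName,Category,IsDeprecated,IsGlobal
11111111-1111-1111-1111-111111111111,report.export,Export reports,Reporting,false,false
22222222-2222-2222-2222-222222222222,user.delete,Delete users,Identity,false,true
33333333-3333-3333-3333-333333333333,legacy.sync,"Sync, legacy",Integration,True,false
44444444-4444-4444-4444-444444444444,tenant.admin,Tenant admin,Identity,TRUE,true
"""


def _flag(value):
    # Accept common spellings, since the export's exact casing is not documented.
    return (value or "").strip().lower() in ("true", "1", "yes")


def review_catalog(csv_text):
    """Summarise an exported catalog for an offline governance review."""
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    missing = COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    rows = list(reader)
    ids = Counter(r["Id"] for r in rows)
    deprecated = [r["Name"] for r in rows if _flag(r["IsDeprecated"])]
    is_global = [r["Name"] for r in rows if _flag(r["IsGlobal"])]
    return {
        "total": len(rows),
        "deprecated": deprecated,
        "global": is_global,
        "deprecated_and_global": sorted(set(deprecated) & set(is_global)),
        "by_category": dict(Counter(r["Category"] for r in rows)),
        "duplicate_ids": sorted(i for i, n in ids.items() if n > 1),
        # At the cap the response may be incomplete: use the paginated endpoint.
        "possibly_truncated": len(rows) >= EXPORT_CAP,
    }


if __name__ == "__main__":
    for key, value in review_catalog(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```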

Troubleshooting

If a privilege was recently approved but is not showing up in evaluation results, check the following:
  • Confirm the request was approved and not denied by calling GET /api/v1/users/me/privileges.
  • Check whether a direct deny assignment exists for the same privilege on your account. A deny overrides any grant, including approved self-service grants.
  • Check whether the approved assignment has already expired. Duration is calculated from the time of approval.
  • If caching is enabled, wait for the CacheDurationMinutes TTL (default: 5 minutes) to elapse and retry.

Alphabet caches effective privilege snapshots per user to reduce evaluation latency.
  • Direct user assignments (including approved self-service requests) invalidate that user’s cache immediately. You should see the change in the next evaluation.
  • Role-level changes do not immediately invalidate the cache. Members of the role see the update after the CacheDurationMinutes TTL expires (default: 5 minutes).
If you need role-level changes to take effect immediately, contact your platform administrator to flush the privilege cache.

If a privilege request is rejected with 400 Bad Request for its duration, the requestedDurationDays value exceeds the MaxPrivilegeRequestDurationDays limit configured on the server (default: 30 days). Submit a new request with a shorter duration, or ask your administrator to grant the privilege directly with a longer expiry using POST /api/v1/users/{userId}/privileges.