Contact Access Control

Control which agent identities can see a given contact. Contacts use a wildcard-default model: a newly created contact has one access row with identity_id: null, which grants visibility to every active agent in the organization. Narrow that set by revoking identities (the wildcard is materialized into per-identity rows the first time you revoke); widen it by resetting to the wildcard.

Granting a per-identity rule on a wildcard contact returns 409 redundant_grant. The wildcard already grants everyone; revoke it first if you want a narrower set.

Humans (Clerk JWT) and admin API keys always see every contact regardless of access rules. Only agent-scoped API keys are narrowed by the rules below.


Grant identity access

POST /contacts/{contact_id}/access

Grant an identity access to a contact, or reset the contact to the wildcard.

Auth: admin API key or Clerk JWT only. Agent-scoped API keys cannot widen access.

Path parameters

Parameter | Type | Description
contact_id | UUID | Contact ID

Request body

Field | Type | Required | Description
identity_id | UUID or null | Yes | Identity to grant, or null to reset to the wildcard (drops every explicit row and inserts a single wildcard row — this widens visibility)

Response (201)

Error responses

Status | Description
404 | Contact or identity not found in your organization
409 | Identity already has a per-identity grant; or redundant_grant — the wildcard already grants this identity


List access rules

GET /contacts/{contact_id}/access

List the access rows for a contact. The response is either a single wildcard row (identity_id: null, the default state) or a list of explicit per-identity rows — never a mixed state. Consumer UIs typically render the wildcard case as "All agents".

Path parameters

Parameter | Type | Description
contact_id | UUID | Contact ID

Response (200)


Revoke identity access

DELETE /contacts/{contact_id}/access/{identity_id}

Revoke an identity's access. If the contact is currently wildcard-access, the server atomically fans out the wildcard into per-identity rows for every active agent in the org and then drops the target identity's row — so the revoke narrows without also revoking everyone else.

A claimed agent API key may only revoke itself. Admins and JWT users may revoke any identity.

Path parameters

Parameter | Type | Description
contact_id | UUID | Contact ID
identity_id | UUID | Identity to revoke

Response

Returns 204 No Content on success.

Error responses

Status | Description
403 | Claimed agent attempted to revoke another identity
404 | Contact or access row not found (including the duplicate-revoke race case)


Access rule object

Field | Type | Description
id | UUID | Unique access rule identifier
contact_id | UUID | The contact this rule grants access to
identity_id | UUID or null | The agent identity granted access, or null for the wildcard sentinel ("every active agent sees this contact")
created_at | string | Creation timestamp (ISO 8601)
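
The grant, list and revoke rules described above, modelled in memory as an added example; this is not Inkbox code and makes no API calls. The class and method names, the string identity IDs, and every error code other than redundant_grant are assumptions made for illustration, as is treating a reset on an already-wildcard contact as a no-op.

```python
class AccessError(Exception):
    """HTTP-style failure; only redundant_grant is a code named on the page."""
    def __init__(self, status, code):
        super().__init__(f"{status} {code}")
        self.status, self.code = status, code

class ContactAccess:
    """Constructed in-memory model of one contact's access rows."""

    def __init__(self, active_agents):
        self.active_agents = set(active_agents)  # active agent identities in the org
        self.rows = {None}                       # new contact: one wildcard row

    def list_rows(self):
        # Either the single wildcard row or explicit rows, never a mix.
        return sorted(self.rows, key=str)

    def grant(self, identity_id):
        # Modelled as an admin/JWT call; agent-scoped keys cannot widen access.
        if identity_id is None:
            self.rows = {None}                   # reset: drop explicit rows, widen to all
        elif identity_id not in self.active_agents:
            raise AccessError(404, "not_found")
        elif None in self.rows:
            raise AccessError(409, "redundant_grant")
        elif identity_id in self.rows:
            raise AccessError(409, "already_granted")
        else:
            self.rows.add(identity_id)

    def revoke(self, identity_id, caller=None):
        # caller: the agent identity behind an agent-scoped key, None for admin/JWT.
        if caller is not None and caller != identity_id:
            raise AccessError(403, "forbidden")
        # Fan the wildcard out into per-identity rows before dropping the target.
        current = set(self.active_agents) if None in self.rows else self.rows
        if identity_id not in current:
            raise AccessError(404, "not_found")  # also covers a duplicate revoke
        self.rows = current - {identity_id}      # state changes only on success

    def visible_to(self, identity_id):
        # Applies to agent-scoped keys; humans and admin keys see every contact.
        return None in self.rows or identity_id in self.rows
```

Note that the fan-out snapshots the agents active at revoke time, so in this model an agent added afterwards has no row and does not see the contact until it is granted access or the contact is reset to the wildcard.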

Copyright © 2026 Inkbox