Note Access Control
Grant and revoke agent identities access to a note. Notes use a per-identity model (no wildcard, unlike contacts). Humans (Clerk JWT) and admin API keys always see every note regardless of grants — the rules below only apply to scoped agent keys.
Agent-created notes are auto-granted to the creating identity on POST /notes. All other grants must be added explicitly by an admin or JWT user.
Grant identity access POST
POST /notes/{note_id}/access
Grant an agent identity read + CRUD access to a note.
Auth: admin API key or Clerk JWT only. A scoped agent cannot grant itself or a peer.
Path parameters
| Parameter | Type | Description |
|---|---|---|
| note_id | UUID | Note ID |
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| identity_id | UUID | Yes | Identity to grant access to (must belong to the same organization) |
Response (201)
Error responses
| Status | Description |
|---|---|
| 403 | Caller is a scoped agent (grants require admin or JWT) |
| 404 | Note or identity not found in your organization |
| 409 | Identity already has access to this note |
List access rules GET
GET /notes/{note_id}/access
List the identities granted access to a note. A scoped agent without visibility on the note receives a 404 before reaching the grant listing.
Path parameters
| Parameter | Type | Description |
|---|---|---|
| note_id | UUID | Note ID |
Response (200)
Revoke identity access DELETE
DELETE /notes/{note_id}/access/{identity_id}
Revoke an identity's access to a note.
- Admin API keys and JWT humans may revoke any identity — including the original creator. created_by is a pure audit stamp; revoking the creator's grant makes the note agent-invisible (humans still see it).
- A claimed agent may only revoke its own grant.
Path parameters
| Parameter | Type | Description |
|---|---|---|
| note_id | UUID | Note ID |
| identity_id | UUID | Identity whose grant to revoke |
Response
204 No Content on success.
Error responses
| Status | Description |
|---|---|
| 403 | Claimed agent attempted to revoke another identity |
| 404 | Access rule not found |
Access rule object
| Field | Type | Description |
|---|---|---|
| id | UUID | Unique access rule identifier |
| note_id | UUID | The note this rule grants access to |
| identity_id | UUID | The agent identity granted access (always non-null) |
| created_at | string | Creation timestamp (ISO 8601) |
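The grant, list and revoke rules above can be collected into a small reference model that serves as an oracle when writing authorization tests against these endpoints. This is an added example, not the service's implementation: `NoteACL`, `Caller` and the caller-kind labels are hypothetical names, the order in which 403 and 404 are checked is an assumption, and a "claimed agent" is treated as a scoped agent key.

```python
import uuid
from collections import namedtuple
from dataclasses import dataclass, field

# Caller kinds; these labels are assumptions made for this example.
ADMIN, HUMAN, AGENT = "admin_key", "clerk_jwt", "scoped_agent"
# identity_id is set only for scoped agent keys.
Caller = namedtuple("Caller", "kind identity_id", defaults=("",))

@dataclass
class NoteACL:
    """In-memory model of one organization's notes and per-identity grants."""
    notes: set = field(default_factory=set)
    identities: set = field(default_factory=set)
    grants: set = field(default_factory=set)  # (note_id, identity_id) pairs

    def create_note(self, c):
        note_id = str(uuid.uuid4())
        self.notes.add(note_id)
        if c.kind == AGENT:  # agent-created notes are auto-granted to the creator
            self.grants.add((note_id, c.identity_id))
        return note_id

    def _visible(self, c, note_id):
        # Humans and admin keys see every note; agents need an explicit grant.
        return note_id in self.notes and (
            c.kind in (ADMIN, HUMAN) or (note_id, c.identity_id) in self.grants)

    def grant(self, c, note_id, identity_id):
        if c.kind == AGENT:  # checked first here; the check order is an assumption
            return 403
        if note_id not in self.notes or identity_id not in self.identities:
            return 404
        if (note_id, identity_id) in self.grants:
            return 409
        self.grants.add((note_id, identity_id))
        return 201

    def list_access(self, c, note_id):
        if not self._visible(c, note_id):  # 404 before the grant listing
            return 404, []
        return 200, sorted(i for n, i in self.grants if n == note_id)

    def revoke(self, c, note_id, identity_id):
        if c.kind == AGENT and identity_id != c.identity_id:
            return 403  # an agent may only revoke its own grant
        if (note_id, identity_id) not in self.grants:
            return 404
        self.grants.discard((note_id, identity_id))
        return 204
```

Running the same sequence of calls against the real API and against this model, then comparing status codes, shows whether a scoped agent key can reach a note or grant it should not.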