Collections
The /collections endpoint allows you to manage collections and their security permissions.
Create Collection
Endpoint: /collections
Method: POST
Headers
| Header | Value |
|---|---|
Authorization | Bearer <YOUR_JWT_TOKEN> |
Input Parameters
| Parameter | Data Type | Description |
|---|---|---|
| name | string | (Required) The name of the collection |
| description | string | Description of the collection |
| type | string | ID of the content type for this collection |
| dynamic | boolean | Whether this is a dynamic collection |
| query | object | Query for dynamic collections |
| status | string | Status of the collection |
| properties | object | Additional properties |
Example Request
{
"name": "Project Documents",
"description": "All project-related documents",
"type": "document-type-id"
}
Update Collection Permissions
Endpoint: /collections/:collectionId/permissions
Method: PUT
Headers
| Header | Value |
|---|---|
Authorization | Bearer <YOUR_JWT_TOKEN> |
Requirements: User must have content:admin permission
Input Parameters
| Parameter | Data Type | Description |
|---|---|---|
| content:read | string[] | Array of principals with read access |
| content:write | string[] | Array of principals with write access |
| content:delete | string[] | Array of principals with delete access |
Principal Format:
user:<userId>- Individual user accessgroup:<groupId>- Group accessproject:*- Project-wide access (all project members)
Example Request
{
"content:read": ["user:123456", "group:789012", "project:*"],
"content:write": ["user:123456", "project:*"],
"content:delete": ["user:123456"]
}
Example Response
{
"id": "collection-id",
"security": {
"content:read": ["user:123456", "group:789012", "project:*"],
"content:write": ["user:123456", "project:*"],
"content:delete": ["user:123456"]
},
"objectsUpdated": 42
}
Propagate Permissions
Endpoint: /collections/:collectionId/propagate-permissions
Method: POST
Headers
| Header | Value |
|---|---|
Authorization | Bearer <YOUR_JWT_TOKEN> |
Requirements: User must have content:admin permission
Description: Manually triggers permission propagation from the collection to all its member objects. This is useful when permissions may be out of sync.
Example Response
{
"id": "collection-id",
"message": "Permissions propagated to 42 objects",
"security": {
"content:read": ["user:123456", "project:*"],
"content:write": ["user:123456"],
"content:delete": ["user:123456"]
},
"objectsUpdated": 42
}
Add/Remove Collection Members
Endpoint: /collections/:collectionId/members
Method: POST
Headers
| Header | Value |
|---|---|
Authorization | Bearer <YOUR_JWT_TOKEN> |
Requirements: User must have content:write permission on the collection
Input Parameters
| Parameter | Data Type | Description |
|---|---|---|
| action | string | (Required) Either "add" or "delete" |
| members | string[] | (Required) Array of object IDs to add or remove |
Example Request
{
"action": "add",
"members": ["object-id-1", "object-id-2", "object-id-3"]
}
Example Response
{
"id": "collection-id",
"objectsUpdated": 3
}
Note:
- Objects can belong to a maximum of 5 "secured" collections (collections with specific user/group permissions)
- Collections with only
project:*permissions don't count toward this limit - When an object is added to multiple collections, it inherits permissions from ALL collections (additive model)
Search Collections
Endpoint: /collections/search
Method: POST
Headers
| Header | Value |
|---|---|
Authorization | Bearer <YOUR_JWT_TOKEN> |
Input Parameters
| Parameter | Data Type | Description |
|---|---|---|
| name | string | Filter by collection name (partial match) |
| type | string | Filter by content type ID |
| dynamic | boolean | Filter by dynamic/static collections |
| status | string | Filter by status |
| limit | number | Maximum results to return (default: 1000) |
| offset | number | Number of results to skip |
Example Request
{
"name": "project",
"limit": 10,
"offset": 0
}
Security Model
Additive Permission Model
When objects belong to multiple collections, they inherit permissions from ALL collections:
- Permission Merging: Object permissions are the UNION of all collection permissions
- Collection Limit: Maximum 5 secured collections per object
- Project-wide Access: Collections with only
project:*don't count toward the limit - Revision Inheritance: All revisions inherit security from the root object
Permission Types
content:read- View collection and its contentscontent:write- Modify collection and manage memberscontent:delete- Delete collectioncontent:admin- Manage collection permissions
Access Control
- Users can only see collections they have at least
content:readpermission for - Admins can see all collections for management purposes
- Permission changes propagate automatically to all member objects