Add a permission
Permissions are dotted strings declared in code; the catalog and admin UI pick them up automatically. There's no central registry to edit.
1. Declare it
Add a constant to your slice's Permissions.cs. The [Description] is what the admin catalog shows:
    public static class ProjectPermissions
    {
        [Description("Archive projects")] public const string Archive = "projects.archive";
    }
2. Enforce it
Gate the endpoint:
    group.MapPost("/{id:int}/archive", Archive)
        .RequirePermission(ProjectPermissions.Archive);
Unauthenticated calls get 401; authenticated-but-unauthorized calls get 403. Wildcards expand, so a role granted projects.* covers projects.archive too.
3. Assign it
Open /admin/roles, edit a role, tick the new permission (or the whole feature group), and save. Members get it on their next sign-in (or within ~1 minute).
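
The outcomes described in step 2 (401, 403, and wildcard coverage), modelled as an added TypeScript sketch. It is not the project's code: `grantCovers`, `hasPermission`, `authorize`, the `Principal` type and the matching semantics (a trailing `.*` covers every permission under that prefix, at any depth) are assumptions.

```typescript
// Added sketch, not the project's implementation.
// Assumption: a grant is an exact dotted permission or a prefix ending in ".*".
type Decision = 401 | 403 | 200;

interface Principal {
  grants: string[]; // permissions collected from the caller's roles
}

// True when a single grant covers the required permission.
function grantCovers(grant: string, required: string): boolean {
  if (grant === required) return true;
  if (!grant.endsWith(".*")) return false;
  // Keep the trailing dot so "project.*" cannot match "projects.archive".
  const prefix = grant.slice(0, -1); // "projects.*" -> "projects."
  return required.startsWith(prefix) && required.length > prefix.length;
}

function hasPermission(grants: readonly string[], required: string): boolean {
  return grants.some((g) => grantCovers(g, required));
}

// No identity -> 401; identity without the permission -> 403; otherwise allowed.
function authorize(caller: Principal | null, required: string): Decision {
  if (caller === null) return 401;
  return hasPermission(caller.grants, required) ? 200 : 403;
}

// Constructed sample callers, checked against the permission from step 1.
const REQUIRED = "projects.archive";
const viewer: Principal = { grants: ["projects.view"] };
const projectAdmin: Principal = { grants: ["projects.*"] };
const lookalike: Principal = { grants: ["project.*"] };

const results = {
  anonymous: authorize(null, REQUIRED),
  viewer: authorize(viewer, REQUIRED),
  projectAdmin: authorize(projectAdmin, REQUIRED),
  lookalike: authorize(lookalike, REQUIRED),
};
console.log(results);
```

The `lookalike` case is the one worth keeping as a regression test: a matcher that drops the dot before comparing prefixes would grant it.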
On the frontend
Hide UI a user can't action with the usePermission hook:
    const canArchive = usePermission(ProjectPermissions.Archive);
    return canArchive ? <ArchiveButton /> : null;
Defense in depth
Hiding a button is convenience, not security — the API enforces every check regardless. Always gate the endpoint, not just the UI.
See Authorization for the full model.