An API key works through the role selected when the key is created. If the role does not include the required permission, Plato returns an authorization error even when the key itself is valid.

Common Permission Sets

Use this as a starting point when creating a role for an integration.
| API area | Required access |
| --- | --- |
| CMS read and write | CMS app access |
| Connect360 read | connect360:conversation:read |
| Connect360 send or create | connect360:conversation:engage |
| Connect360 delete | connect360:conversation:delete |
| Restaurant order feed | restaurant:order:read |
| Form read or submit | API key access to the workspace that owns the form |
| Menu products and categories | API key access to the workspace that owns the menu data |
Create one role per integration type. For example:
  • Website CMS Reader for a marketing site that only reads CMS entries.
  • Website Chat Connector for Connect360 chat messages and attachments.
  • Accounting Order Export for a tool that reads restaurant order totals.
This keeps every API key easy to audit.

Full Access

fullAccess works, but it should not be the default for integrations. Use it only when a trusted backend truly needs broad workspace access and the key is stored securely.
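
The role-per-integration guidance and the fullAccess caveat above can be checked mechanically. The following is an added example, not Plato code: it audits a constructed role inventory against the permission strings in the table. The record shape (name, areas, permissions), the area keys, and the use of appAccess:CMS as the identifier for "CMS app access" are assumptions.

```python
# Permission strings from the "Common Permission Sets" table. "appAccess:CMS"
# comes from the sample error message; mapping it to "CMS app access" is an assumption.
AREA_PERMISSIONS = {
    "cms": {"appAccess:CMS"},
    "connect360_read": {"connect360:conversation:read"},
    "connect360_engage": {"connect360:conversation:engage"},
    "connect360_delete": {"connect360:conversation:delete"},
    "restaurant_orders": {"restaurant:order:read"},
}

# Constructed sample inventory; the record shape (name/areas/permissions) is hypothetical.
SAMPLE_ROLES = [
    {"name": "Website CMS Reader", "areas": ["cms"],
     "permissions": ["appAccess:CMS"]},
    {"name": "Website Chat Connector", "areas": ["connect360_read", "connect360_engage"],
     "permissions": ["connect360:conversation:read", "connect360:conversation:engage",
                     "connect360:conversation:delete"]},
    {"name": "Accounting Order Export", "areas": ["restaurant_orders"],
     "permissions": ["fullAccess"]},
]


def audit_role(role):
    """Compare a role's granted permissions with what its declared API areas need."""
    findings = []
    granted = set(role.get("permissions", []))
    needed = set()
    for area in role.get("areas", []):
        if area in AREA_PERMISSIONS:
            needed |= AREA_PERMISSIONS[area]
        else:
            findings.append(f"unknown API area: {area}")
    if "fullAccess" in granted:
        # fullAccess is broad access, so report it rather than individual gaps.
        findings.append("fullAccess granted; scope down to: " + ", ".join(sorted(needed)))
        return findings
    findings += [f"excess permission: {p}" for p in sorted(granted - needed)]
    findings += [f"missing permission: {p}" for p in sorted(needed - granted)]
    return findings


def audit_inventory(roles):
    """Return {role name: findings} for every role that has at least one finding."""
    report = {r["name"]: audit_role(r) for r in roles}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_ROLES).items():
        print(name, "->", findings)
```

Roles with no findings are omitted from the report, so a clean inventory returns an empty dictionary.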

Permission Errors

When permissions are missing, responses commonly include messages like:
{
  "message": "Missing permission: appAccess:CMS"
}
or:
{
  "message": "Unauthorized API key permissions."
}
If this happens, check the role attached to the API key before creating a new key.