SettleMint
Asset servicing

Change asset admin roles

Grant or revoke token-level administrator roles for specific assets via API.

Asset administrator roles control who can operate one token after issuance. This API guide covers grant and revoke requests for token-level roles only. These requests do not change platform-wide system roles or the asset's ownership model. Use these endpoints when you need repeatable role provisioning for operations teams, custodians, supply managers, governance operators, or emergency responders.

Rendering diagram...

For the web interface approach, see the operator user guide. The sections below cover the API request shape, batch options, and what to verify after each change.

Prerequisites

  • Platform URL, such as https://your-platform.example.com
  • API key from a user with the admin role on the target asset. See Getting Started for API key setup.
  • Wallet verification when the platform requires it for transaction signing, such as pincode, secret code, or OTP.
  • Asset contract address for the asset to modify.
  • Target wallet address, or addresses, for the role change.

When to change asset admin roles

Common scenarios

  • Assign operators after asset creation.
  • Give an existing operator another role when their responsibilities expand.
  • Remove permissions when an operator no longer needs them.
  • Transfer responsibilities between operators after a team change.
  • Include role management in provisioning workflows.

Security considerations

  • Grant only the roles each operator needs.
  • Remove roles when responsibilities end.
  • Record the business reason for each role change.
  • Coordinate the timing with affected operators.

About asset admin roles

Each asset has its own administrator set. Roles define what each administrator can do on that asset.

RoleDescriptionCommon use cases
adminPermission management for this assetManage other administrators' roles and permissions
custodianFreeze addresses, force transfers, and asset recoveryCustody/operations teams handling interventions
emergencyPause, unpause, and ERC20 recovery functionsIncident response team, post-deploy unpausing
governanceAsset policy, verification, and compliance settingsTeam tuning compliance modules or governance parameters
supplyManagementMint and burn permissions via /api/token/{address}/mintOperators issuing, redeeming, or retiring supply

Changing roles

Get asset details

Query the asset to review current role assignments before making any changes. This step confirms who holds each role on the token before you submit a change.

curl -X GET "https://your-platform.example.com/api/token/0x9459D52E60edBD3178f00F9055f6C117a21b4220" \
  -H "X-Api-Key: YOUR_API_KEY"

Response (relevant fields):

{
  "id": "0x9459D52E60edBD3178f00F9055f6C117a21b4220",
  "name": "Example Asset",
  "symbol": "EXA",
  "decimals": 18,
  "accessControl": {
    "id": "0x1234567890AbCdEf1234567890AbCdEf12345678",
    "admin": [{ "id": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb" }],
    "custodian": [],
    "emergency": [],
    "governance": [{ "id": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb" }],
    "supplyManagement": []
  }
}

Review the accessControl field to see current assignments. Each entry contains an array of accounts holding that permission on the asset.

Grant a role

POST to the grant-role endpoint to assign one or more permissions to a wallet on the asset.

curl -X POST "https://your-platform.example.com/api/token/0x9459D52E60edBD3178f00F9055f6C117a21b4220/grant-role" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
    "roles": ["supplyManagement"],
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Response:

{
  "accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"]
}

Grant multiple roles

To assign more than one permission to one wallet in one transaction, list the roles in the array.

curl -X POST "https://your-platform.example.com/api/token/0x9459D52E60edBD3178f00F9055f6C117a21b4220/grant-role" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
    "roles": ["supplyManagement", "custodian"],
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Batch grant to multiple wallets

To grant the same permission to two or more wallets, send all target addresses in one request using the accounts array.

curl -X POST "https://your-platform.example.com/api/token/0x9459D52E60edBD3178f00F9055f6C117a21b4220/grant-role" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb", "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890"],
    "role": "supplyManagement",
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Revoke a role

Send a DELETE request to the revoke-role endpoint to remove one or more permissions from a wallet.

curl -X DELETE "https://your-platform.example.com/api/token/0x9459D52E60edBD3178f00F9055f6C117a21b4220/revoke-role" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
    "roles": ["supplyManagement"],
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Response:

{
  "accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"]
}

Revoke multiple roles

To drop more than one permission from a single wallet in one transaction, list all permissions in the array.

curl -X DELETE "https://your-platform.example.com/api/token/0x9459D52E60edBD3178f00F9055f6C117a21b4220/revoke-role" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
    "roles": ["supplyManagement", "custodian"],
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Batch revoke from multiple wallets

To clear the same permission from two or more wallets, send all target addresses together using the accounts array.

curl -X DELETE "https://your-platform.example.com/api/token/0x9459D52E60edBD3178f00F9055f6C117a21b4220/revoke-role" \
  -H "X-Api-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb", "0x8e5F72f6E5b3B4D1234567890AbCdEf1234567890"],
    "role": "supplyManagement",
    "walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
  }'

Verify changes

Fetch the asset again to confirm the role changes took effect. The accessControl field lists current assignments for every role.

curl -X GET "https://your-platform.example.com/api/token/0x9459D52E60edBD3178f00F9055f6C117a21b4220" \
  -H "X-Api-Key: YOUR_API_KEY"

Verify the accessControl values in the response match the expected state before closing the provisioning record.

Request parameters

ParameterTypeRequiredDescription
accountstringYes*Single wallet address when assigning multiple roles to one account
accountsstring[]Yes*One or more wallet addresses when assigning one role to multiple accounts
rolestringYes*Single role to grant or revoke with accounts
rolesstring[]Yes*One or more roles to grant or revoke with account
walletVerificationobjectNoWallet verification for transaction signing when your platform requires it

*Each request uses one shape: either account with roles for one account receiving multiple permissions, or accounts with role for multiple accounts receiving one permission. Do not mix the two shapes in a single request.

Wallet verification object

Include walletVerification when your platform requires it for the signing account. The platform supports three verification types.

FieldTypeDescription
secretVerificationCodestring6-digit pincode or TOTP code
verificationTypestring"PINCODE" (default), "SECRET_CODES", or "OTP"

Response fields

The response contains the wallet addresses that the queued role operation covers. Fetch the asset after blockchain confirmation to check indexed role state.

FieldTypeDescription
accountsarrayWallet addresses that were modified

Operational notes

Send one request shape at a time: accounts with one role, or one account with roles. Mixing the two shapes in a single request is not supported.

The platform deduplicates repeated accounts before queuing the blockchain transaction. Revoke requests for non-admin roles do not affect the asset's permission-management role.

When a request revokes multiple permissions from the caller, the platform processes the admin revoke last, letting the caller complete the remaining changes within the same transaction. The response lists the wallet addresses included in the queued role operation. Fetch the asset again to confirm indexed role state after blockchain confirmation.

Best practices

Role assignment

  • Grant only the roles each operator needs.
  • Split critical functions across more than one administrator.
  • Review role assignments when responsibilities change.
  • Record each role change and its business reason.

Security

  • Limit the admin role to trusted operators.
  • Separate operational roles from governance roles.
  • Keep backup administrators for critical roles.
  • Use different wallets for different administrative functions.

Operations

  • Assign supplyManagement to operators who mint or burn.
  • Give emergency to the operations team that handles incidents.
  • Use custodian for transfer management and compliance operations.
  • Reserve governance for strategic configuration decisions.

Troubleshooting

IssueSolution
Permission deniedVerify you have the admin role on this specific asset.
Asset not foundCheck the asset contract address is correct. Ensure the asset is deployed on this platform.
Role not foundCheck the role name matches exactly (case-sensitive). Valid roles: admin, custodian, emergency, governance, supplyManagement.
Transaction failsEnsure wallet has sufficient gas. Verify PIN/OTP is correct. Check network connectivity.
Changes not visibleWait for blockchain confirmation. Refresh asset details. Check transaction was successful.
Cannot revoke own roleHave another user with the admin role to revoke your role if needed.

On this page