Add administrators
Grant DALP platform administrator roles through the API when provisioning operators, compliance teams, auditors, or automation accounts.
Grant platform administrator roles to wallet addresses with the Platform API. Use the API path for automation, bulk operations, or provisioning workflows.
Adding administrators gives selected wallets access to platform-wide operating surfaces before they create API keys or manage assets.
For the web interface approach, see the user guide. Both paths write the same on-chain role record.
Prerequisites
Gather the following before you begin.
- Platform URL
- API key with
adminsystem role - Wallet verification (pincode or 2FA)
- Target wallet address or email
For API key setup, see Getting Started.
When to add administrators via API
Use the API to automate initial setup or bulk-provision multiple admins in a single script. You can also integrate role grants into HR and identity provisioning workflows.
Available system roles
Each role grants a distinct set of platform capabilities. Grant only the roles each account needs.
| Role | Description | Common use cases |
|---|---|---|
admin | Root authority that can grant or revoke all other system roles | Platform ops account, initial setup |
systemManager | Core system configuration (upgrades, registering factories/modules) | Deployment team, rarely granted to EOAs |
auditor | Read-only inspection of operational and security-sensitive surfaces | Audit users who need visibility without operator rights |
identityManager | Identity registry maintenance (register/recover identities, onboarding) | Compliance/onboarding teams managing identities |
tokenManager | Token factory calls such as /api/token/create | Every wallet that deploys assets |
complianceManager | Global compliance module setup, bypass lists, enforcement toggles | Custom compliance flows, allowlists |
claimPolicyManager | Trusted issuer and claim topic management | Workflows that check collateral/KYC claims before minting |
claimIssuer | Permission to create claims on identities | Auditors, service providers issuing attestations |
feedsManager | Feed registration, updates, and removal | Teams operating pricing or market data feeds |
gasManager | Paymaster funding and sponsorship configuration | Teams operating advanced accounts gas sponsorship |
Steps to add administrators
Identify target user
Look up the user by email to get their wallet address. If you already have the wallet address, skip this step. The platform returns the on-chain wallet tied to that account:
curl -X GET "https://your-platform.example.com/api/user/[email protected]" \
-H "X-Api-Key: YOUR_API_KEY"[
{
"id": "usr_abc123",
"name": "New Admin",
"wallet": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": "member"
}
]Save the wallet address for the grant step. If the user is not found, verify the email exists on the platform before proceeding.
Check existing roles (optional)
Before granting roles, verify the user's current assignments. Checking first prevents duplicate-role errors and confirms the target account is correct. The platform returns all accounts and their current roles:
curl -X GET "https://your-platform.example.com/api/system/access-manager/roles" \
-H "X-Api-Key: YOUR_API_KEY"[
{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"roles": []
},
{
"account": "0xExistingAdmin...",
"roles": ["admin", "tokenManager"]
}
]To check a single wallet, pass its address as a path segment:
curl -X GET "https://your-platform.example.com/api/system/access-manager/roles/0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb" \
-H "X-Api-Key: YOUR_API_KEY"Grant administrator role
Assign the desired platform role to the target wallet. The platform returns the wallet and the granted role on success.
curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": "identityManager",
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'{
"accounts": ["0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb"],
"roles": ["identityManager"]
}Grant multiple roles
To assign multiple roles in a single transaction, pass an array for the role field.
curl -X POST "https://your-platform.example.com/api/system/access-manager/grant-roles" \
-H "X-Api-Key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"account": "0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb",
"role": ["identityManager", "tokenManager"],
"walletVerification": { "secretVerificationCode": "YOUR_PINCODE" }
}'Verify role assignment
Confirm the grant succeeded by checking the updated roles list. The target wallet now appears with its assigned roles in the response. Confirm the correct roles appear before logging the change.
curl -X GET "https://your-platform.example.com/api/system/access-manager/roles" \
-H "X-Api-Key: YOUR_API_KEY"
Request parameters
All three parameters are required.
| Parameter | Type | Required | Description |
|---|---|---|---|
account | string or array | Yes | Wallet address(es) to grant role to |
role | string or array | Yes | Role(s) to grant |
walletVerification | object | Yes | Your wallet verification to authorize the blockchain transaction |
Wallet verification object
The walletVerification object authorizes the on-chain transaction. Pass the code that matches your account's configured method. The platform rejects the request if the code is missing or incorrect.
| Field | Type | Description |
|---|---|---|
secretVerificationCode | string | 6-digit pincode or TOTP code |
verificationType | string | "PINCODE" (default), "SECRET_CODES", or "OTP" |
Response fields
A successful grant returns the wallet addresses and roles affected by the operation. Use the response to confirm which accounts and roles the platform wrote on-chain.
| Field | Type | Description |
|---|---|---|
accounts | array | Wallet addresses that received roles |
roles | array | Roles that were granted |
Best practices
Apply these practices before granting roles in a production environment. They reduce the blast radius of a compromised account and make periodic access reviews easier to complete.
Role assignment principles
Grant only the permissions each account needs. Divide critical functions among different admins to enforce separation of duties. Review assignments periodically and record the reason for each grant. Keeping a clear record makes audits faster and access reviews more accurate.
Security considerations
Limit exposure from a compromised account.
- Restrict
adminto platform ops accounts - Use separate wallets per function
- Rotate API keys regularly
- Store credentials in environment variables
- Test role changes in staging first
Troubleshooting
| Issue | Solution |
|---|---|
401 Unauthorized | API key is invalid, expired, or disabled |
403 USER_NOT_AUTHORIZED | Verify you have admin system role. Only admins can grant other system roles. |
404 User not found | Email lookup failed; verify user exists or use wallet address directly |
400 Role not found | Check role name matches exactly (case-sensitive). See available roles table above. |
400 Duplicate role | User already has this role. Check existing roles before granting. |
| Transaction fails | Ensure your wallet has sufficient gas. Verify PIN/OTP is correct. |
| Batch operation fails | Cannot grant multiple roles to multiple addresses in one call. Split into separate requests. |
| User cannot see new permissions | Ask user to log out and back in. Verify transaction was confirmed on-chain. |
Related guides
- Change Admin Roles: Modify or revoke existing role assignments via API
- API Reference: Full OpenAPI specification
- Getting Started: API key setup
- Add Administrators (User Guide): Web interface approach
- Platform Setup Overview: Complete role descriptions and permissions
Create the first administrator via API
Create the first administrator, organisation, wallet security, identity, system, currency, and token factories by API.
Change DALP platform administrator roles through the API
Update platform administrator role assignments through the API when operating responsibilities, least-privilege reviews, or provisioning workflows change.