What you'll learn: How Shield permissions work with the REST API and how to configure roles for API access.

The TallCMS API uses a dual authorization system:

Both layers must authorize a request for it to succeed.

Minimum permissions for read-only API access:

ViewAny:CmsPage
View:CmsPage
ViewAny:CmsPost
View:CmsPost
ViewAny:CmsCategory
View:CmsCategory
ViewAny:TallcmsMedia
View:TallcmsMedia

Permissions for content management via API:

# Read permissions (from Reader)
ViewAny:CmsPage, View:CmsPage
ViewAny:CmsPost, View:CmsPost
ViewAny:CmsCategory, View:CmsCategory
ViewAny:TallcmsMedia, View:TallcmsMedia

# Write permissions
Create:CmsPage, Update:CmsPage
Create:CmsPost, Update:CmsPost
Create:CmsCategory, Update:CmsCategory
Create:TallcmsMedia, Update:TallcmsMedia

# Workflow permissions
ViewRevisions:CmsPage, ViewRevisions:CmsPost
SubmitForReview:CmsPage, SubmitForReview:CmsPost

Full content management including approval:

# All Editor permissions, plus:
Approve:CmsPage, Approve:CmsPost
Restore:CmsPage, Restore:CmsPost
RestoreRevision:CmsPage, RestoreRevision:CmsPost
Delete:CmsPage, Delete:CmsPost
Delete:CmsCategory
Delete:TallcmsMedia

Full API access including force-delete and webhooks:

# All Publisher permissions, plus:
ForceDelete:CmsPage, ForceDelete:CmsPost
ViewAny:Webhook, View:Webhook
Create:Webhook, Update:Webhook, Delete:Webhook

1. Navigate to Admin > Shield > Roles
2. Select or create a role
3. Check the required permissions
4. Click Save

# Grant single permission
php artisan permission:grant-to-role editor "Approve:CmsPage"

# Grant multiple permissions
php artisan tinker
>>> $role = \Spatie\Permission\Models\Role::findByName('editor');
>>> $role->givePermissionTo(['Approve:CmsPage', 'Approve:CmsPost']);

use Spatie\Permission\Models\Role;
use Spatie\Permission\Models\Permission;

$apiEditor = Role::findOrCreate('api_editor');

$apiEditor->givePermissionTo([
    'ViewAny:CmsPage', 'View:CmsPage', 'Create:CmsPage', 'Update:CmsPage',
    'ViewAny:CmsPost', 'View:CmsPost', 'Create:CmsPost', 'Update:CmsPost',
    'ViewRevisions:CmsPage', 'ViewRevisions:CmsPost',
    'SubmitForReview:CmsPage', 'SubmitForReview:CmsPost',
]);

// Check if user has permission
$user->can('Approve:CmsPage');

// Check via policy
$this->authorize('approve', $page);

// Get all user permissions
$user->getAllPermissions()->pluck('name');

php artisan tinker
>>> $user = User::find(1);
>>> $user->can('ViewRevisions:CmsPage')
=> true
>>> $user->roles->pluck('name')
=> ["super_admin"]
>>> $user->getAllPermissions()->pluck('name')->filter(fn($p) => str_contains($p, 'CmsPage'))

"This action is unauthorized" on workflow endpoints The user is missing workflow permissions. Grant SubmitForReview:CmsPage, Approve:CmsPage, ViewRevisions:CmsPage as needed.

Token works for some endpoints but not others Check both token abilities AND Shield permissions. A pages:write token still needs Update:CmsPage permission.

New role can't access API Ensure the role has at least ViewAny and View permissions for the resources it needs to access.

Super admin missing permissions Shield's super_admin role doesn't automatically have all permissions. You may need to grant new permissions explicitly after they're created.

• REST API Development - API architecture overview
• Roles & Authorization - Shield roles, permissions, and artisan commands
• OpenAPI Documentation - Endpoint reference