Skip to main content
POST
/
v1
/
capabilities
Mint a capability token
curl --request POST \
  --url https://sync.ablo.app/v1/capabilities \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "ttlSeconds": 2,
  "participantId": "<string>",
  "allowedSyncGroups": [
    "<string>"
  ],
  "allowedOperations": [
    "<string>"
  ],
  "label": "<string>",
  "wideScope": false,
  "userMeta": {}
}
'
{
  "id": "<string>",
  "token": "<string>",
  "participantKind": "<string>",
  "participantId": "<string>",
  "allowedSyncGroups": [
    "<string>"
  ],
  "allowedOperations": [
    "<string>"
  ],
  "expiresAt": "2023-11-07T05:31:56Z",
  "revokedAt": "2023-11-07T05:31:56Z",
  "label": "<string>"
}

Documentation Index

Fetch the complete documentation index at: https://docs.abloatai.com/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

Authorization
string
header
required

API key (sk_live_…) or Biscuit capability token. The same header carries both — the server discriminates by token shape.

Body

application/json
participantKind
enum<string>
required

User caps cannot be minted via API — only agent or system.

Available options:
agent,
system
ttlSeconds
integer
required
Required range: x >= 1
participantId
string

Identity bound into the capability. Defaults to the caller's userId when omitted.

allowedSyncGroups
string[]

Sync-groups this capability may subscribe to. Required unless wideScope: true.

allowedOperations
string[]

Operation facts (e.g. slide.update, task.create). Required unless wideScope: true.

label
string

Optional human-readable label for audit logs.

wideScope
boolean
default:false

Opt out of narrow-scope requirement. Admin/owner role or API-key caller only.

userMeta
object

Caller-attested end-user identity blob (B2B2C). Echoed on read; server does not validate.

Response

Capability minted

id
string
object
enum<string>
Available options:
capability
token
string

Biscuit token, base64url. Present only on mint response, not on inspect.

participantKind
string
participantId
string
allowedSyncGroups
string[]
allowedOperations
string[]
expiresAt
string<date-time>
revokedAt
string<date-time> | null
label
string | null