Documentation

How DiffMon works across monitoring, alerts, security, and API integration.

Roles and permissions

Org roles determine access to monitors, billing, webhooks, and member management.

Use roles to keep sensitive actions limited to the right people.

Roles

  • Viewer: read-only access to monitors and history.
  • Member: create and manage monitors; cannot change billing.
  • Owner: full access including billing, API tokens, and member management.

Enforcement points

  • API routes enforce canManageMembers and similar guards.
  • UI hides destructive actions when the role is insufficient.

TypeScript:

    if (!canManageMembers(ctx)) {
      throw new ApiError({ code: 'FORBIDDEN', status: 403, message: 'Forbidden' });
    }
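An added example, not DiffMon's own code, showing how a guard like the one above can sit on a deny-by-default capability table for the three roles, together with the org-scope check that keeps one tenant's token from acting on another tenant's resources. canManageMembers and ApiError come from the page; Role, Capability, OrgContext, hasCapability, authorize and requireCapability are assumed names.

```typescript
// Added example, not DiffMon's own code. Names other than canManageMembers
// and ApiError (both from the docs above) are assumptions for illustration.
type Role = 'viewer' | 'member' | 'owner';
type Capability = 'viewMonitors' | 'manageMonitors' | 'manageBilling' | 'manageMembers';

interface OrgContext {
  orgId: string; // tenant the request is scoped to
  role: Role;    // caller's role within that org
}

// Deny by default: a capability is granted only to the roles listed for it.
const CAPABILITIES: Record<Capability, ReadonlySet<Role>> = {
  viewMonitors: new Set<Role>(['viewer', 'member', 'owner']),
  manageMonitors: new Set<Role>(['member', 'owner']),
  manageBilling: new Set<Role>(['owner']),
  manageMembers: new Set<Role>(['owner']),
};
class ApiError extends Error {
  readonly code: string;
  readonly status: number;
  constructor(opts: { code: string; status: number; message: string }) {
    super(opts.message);
    this.code = opts.code;
    this.status = opts.status;
  }
}

function hasCapability(ctx: OrgContext, cap: Capability): boolean {
  return CAPABILITIES[cap].has(ctx.role);
}
const canManageMembers = (ctx: OrgContext): boolean => hasCapability(ctx, 'manageMembers');

// Decide whether ctx may perform cap on a resource owned by resourceOrgId. The tenant
// check runs first and answers 404, so another org's resources are neither usable nor confirmed.
function authorize(ctx: OrgContext, cap: Capability, resourceOrgId: string): ApiError | null {
  if (resourceOrgId !== ctx.orgId) {
    return new ApiError({ code: 'NOT_FOUND', status: 404, message: 'Not found' });
  }
  if (!hasCapability(ctx, cap)) {
    return new ApiError({ code: 'FORBIDDEN', status: 403, message: 'Forbidden' });
  }
  return null;
}

// Guard for the top of an API route handler; throws the matching ApiError.
function requireCapability(ctx: OrgContext, cap: Capability, resourceOrgId: string): void {
  const err = authorize(ctx, cap, resourceOrgId);
  if (err) throw err;
}
```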

Best practices

  • Keep at least two owners to avoid lockout.
  • Rotate API tokens regularly and record the action in the audit log.
  • Use org context helpers to avoid leaking data across tenants.