Permissions

Namespace uses a resource-based permission model. Each API action is associated with a resource type and optionally scoped to a specific resource ID.

The following lists all public resources and their available actions.

Public Resources

The following resources and actions are publicly available in the Namespace API.

artifact

Objects stored in a workspace, identified by a path and namespace.

actiondescription
createUpload a new artifact to the workspace.
expireMark an artifact for deletion.
listList artifacts in the workspace.
resolveDownload or retrieve an artifact.

bazel

bazel/cache

Managed Bazel remote cache for accelerating builds by storing and retrieving build artifacts.

actiondescription
ensureProvision cache instance and get endpoint credentials.

bazel/execution

Managed Bazel remote execution (RBE) clusters for running build and test actions remotely.

actiondescription
ensureProvision execution cluster and get scheduler/storage endpoints.
getGet an existing execution cluster's endpoints.

builder

Remote BuildKit instances that perform container image builds on behalf of a workspace.

actiondescription
accessConnect to a running builder instance.
ensureProvision or reuse a builder instance.

cache

cache/gradle

Managed Gradle build cache for storing and retrieving build outputs.

actiondescription
ensureSet up and get Gradle cache endpoint credentials.
readRetrieve artifacts from the Gradle cache.
writeStore artifacts in the Gradle cache.

cache/httpcache

Managed HTTP build cache, compatible with Bazel, sccache, and other HTTP-cache-compatible tools.

actiondescription
ensureSet up and get HTTP cache endpoint credentials.
readRetrieve artifacts from the HTTP cache.
writeStore artifacts in the HTTP cache.

cache/turborepo

Managed Turborepo remote cache for storing and retrieving task-level build artifacts.

actiondescription
deleteDelete all cached artifacts for a team.
listList teams with cached artifacts.
readRetrieve cached artifacts or check cache status.
reportSubmit Turborepo analytics and build events.
writeStore artifacts in the Turborepo cache.

containerregistry

Registry-wide configuration, including default and per-repository image expiration policies.

actiondescription
configureManage registry expiration policies.

containerregistry/domain

Custom registry domains that grant read-only image pull access.

actiondescription
pullPull images through a custom registry domain.

containerregistry/image

Individual container images within a repository, identified by digest.

actiondescription
deleteDelete a container image by digest.
getGet container image details.
listList container images across repositories.
updateUpdate an image's expiration lifetime.

containerregistry/repository

Named image repositories within the container registry.

actiondescription
deleteDelete a repository and its contents.
listList image repositories in the registry.
pullPull images from a repository.
shareCreate a publicly accessible link to an image.
unshareRevoke public access to a shared image.

containerregistry/tags

Tags and tag version history within a repository.

actiondescription
listList tags in a repository.

devbox

actiondescription
activateStart or resume a devbox session.
createCreate a new devbox.
expireDelete a devbox.
fetchRetrieve devbox details.
listList devboxes in the workspace.
updateUpdate devbox metadata or configuration.

devbox/image

actiondescription
expireDelete or expire a devbox image.
fetchRetrieve devbox image details.
listList devbox images in the workspace.
wireResolve a devbox image for use.

github

github/runner-profile

Configuration profiles for ephemeral GitHub Actions runners, defining instance shape, OS, cache volumes, and custom runner images.

actiondescription
createCreate a new runner profile.
deleteDelete a runner profile.
getRetrieve a specific runner profile.
listList all runner profiles.
updateUpdate a runner profile.

ingress

Authenticated network access to an instance's exposed ports.

actiondescription
accessAccess an instance's exposed ports.

instance

Ephemeral compute environments for running containers, with support for Docker, Kubernetes, suspend/resume, and remote access.

actiondescription
createCreate a new instance.
destroyPermanently terminate an instance.
dial_hostConnect to an instance's host services.
execExecute a command inside an instance.
getRetrieve an instance's details.
listList all instances in the workspace.
refreshExtend an instance's lifetime deadline.
releaseDetach an instance from its unique tag.
resumeWake a suspended instance.
sshStart an SSH session to an instance.
suspendPause an instance, snapshotting its state.
waitWait for an instance to become ready.

instance/ingress

Public internet ingress endpoints exposed from an instance.

actiondescription
listList ingress endpoints for an instance.
registerExpose a backend from an instance to the internet.

instance/notification

Lifecycle events representing instance status changes, such as running, terminated, or failed.

actiondescription
listList recent lifecycle events for instances.

instance/o11y/egress

Egress requests observed from instance(s).

actiondescription
listList egress records (per-instance or aggregated)

instance/o11y/logs

Streaming and historical log access for instance workloads.

actiondescription
getStream or fetch logs from an instance.

instance/o11y/metrics

Time-series resource usage metrics for instances, including CPU, memory, I/O, and storage.

actiondescription
getRetrieve resource usage metrics for an instance.

instance/o11y/oom

Out-of-memory (OOM) kill events detected within an instance.

actiondescription
listList OOM kill events for an instance.

network

network/fabric/segment

Isolated network segments enabling private connectivity between instances.

actiondescription
attachConnect to a private network segment.

tenant

Workspaces in the Namespace platform.

actiondescription
getRetrieve workspace details and configuration.

tenant/builder_config

Builder configuration for a workspace, including default and per-platform build instance types.

actiondescription
getRetrieve workspace builder configuration.
updateUpdate workspace builder configuration.

tenant/policies

Policy configuration for a workspace, including compute quotas and feature flags.

actiondescription
getRetrieve workspace policy settings and quotas.

tenant/usage

Compute and storage resource usage tracking for a workspace.

actiondescription
getRetrieve usage summary for a workspace.

testing

testing/test/logs

Streaming access to test execution logs for a specific test target.

actiondescription
streamStream logs for a test target execution.

testing/test/result

Individual test target results within a test run, including pass/fail status and duration.

actiondescription
listList test results within a run.
pushSubmit test results for a target.

testing/test/run

Top-level test execution sessions that group individual test results.

actiondescription
completeMark a test run as finished.
createStart a new test run.
getRetrieve details of a test run.
listList test runs.

token

token/revokable

Long-lived, explicitly revokable access tokens scoped to a workspace, with a maximum lifetime of 1 year.

actiondescription
createCreate a new revokable access token.
listList revokable tokens for a workspace.
refreshEnsure a token remains valid for at least a requested duration.
revokeRevoke a token to prevent further use.

vault

vault/object

Encrypted secret values stored in a workspace's vault, managed via the Vault API.

actiondescription
createCreate a new vault object.
deleteDelete a vault object.
describeRetrieve a vault object's metadata and decrypted value.
listList vault objects in the workspace.
updateAdd a new version to an existing vault object.

volume

Cache volumes (and their snapshot generations) used to persist and reuse data across instances and builds.

actiondescription
getRetrieve details for a cache volume, including destroyed snapshot generations.
listList cache volumes and their tag summaries.

volume/persistent

Persistent volumes that preserve data independently of instance lifecycles.

actiondescription
describeRetrieve persistent volume details.
destroyDestroy persistent volumes by ID or tag.
listList persistent volumes in the workspace.
Last updated