# Authority & Roles

The `/admin` page in Studio is where you grant and revoke on-chain roles for your branded point and PSPVault. Every role grant or revoke is an on-chain transaction signed by an address holding `DEFAULT_ADMIN_ROLE` (or the role's specific admin role).

## What `/admin` Shows

The page surfaces three things:

* **Current role-holder roster.** Every address holding any role on your Factory and PSPVault, grouped by role.
* **Grant / revoke modal.** Pick a role, enter an address, sign the transaction.
* **Organization membership.** Add or remove members of your Studio organization (separate from on-chain roles).

## Granting a Role

| Path                 | Where                                                                          |
| -------------------- | ------------------------------------------------------------------------------ |
| Studio UI            | `/admin` → Grant role (or `/campaigns/:id` → Authority tab for PSPVault roles) |
| SDK (Factory roles)  | `factory.grantRole(role, account)`                                             |
| SDK (PSPVault roles) | `pendingSPVault.grantRole(role, account)`                                      |
| HTTP API (Factory)   | `POST /studio/sdk/v1/tx/role/grant`                                            |
| HTTP API (PSPVault)  | `POST /studio/sdk/v1/tx/psp/grant-role`                                        |

All paths produce an unsigned transaction; the caller signs with a wallet that holds the appropriate admin role. Use the role names from the [Roles & Access](/spreefinance/spree-studio/roles-and-access.md) table as identifiers.

PSPVault role grants — notably `ISSUING_ADMIN_ROLE` — are also surfaced on each campaign's **Authority** tab in addition to `/admin`, so you can grant minter authority directly next to the campaign you're delegating. The on-chain effect is identical: the role is global on the vault, regardless of which page you grant it from. For scoped per-campaign delegation, see the [Whitelist Management → Partner A → Partner B walkthrough](/spreefinance/spree-studio/whitelist-management.md#worked-example-partner-a--partner-b-partial-delegation).

## Revoking a Role

Symmetric to grant:

| Path                | Where                                      |
| ------------------- | ------------------------------------------ |
| Studio UI           | `/admin` → Revoke role                     |
| SDK (Factory)       | `factory.revokeRole(role, account)`        |
| SDK (PSPVault)      | `pendingSPVault.revokeRole(role, account)` |
| HTTP API (Factory)  | `POST /studio/sdk/v1/tx/role/revoke`       |
| HTTP API (PSPVault) | `POST /studio/sdk/v1/tx/psp/revoke-role`   |

## Reading Role State

Read paths are free — no transaction, no gas:

| Path                   | Where                                                                      |
| ---------------------- | -------------------------------------------------------------------------- |
| Studio UI              | `/admin` shows the live roster                                             |
| SDK                    | `factory.hasRole(role, account)` / `pendingSPVault.hasRole(role, account)` |
| HTTP API (all holders) | `GET /studio/integrations/:deploymentId/roles`                             |
| HTTP API (one role)    | `GET /studio/integrations/:deploymentId/roles/:roleType`                   |
| HTTP API (one wallet)  | `GET /studio/integrations/:deploymentId/roles/account/:address`            |

Always read post-grant state before claiming an action is complete — confirm the role appears on the holder you intended.

## Best Practices

* **Prefer narrow roles.** When delegating to external operators, grant `CAMPAIGN_ADMIN_ROLE` or `ISSUING_ADMIN_ROLE` on the PSPVault rather than `MANAGER_ROLE` on the Factory.
* **Treat `DEFAULT_ADMIN_ROLE` as multisig-only.** Migrate it from the deployer wallet to a Safe before launching to mainnet.
* **Read after every write.** Don't trust transaction success alone; verify the role appears on the address you intended.
* **Revoke as part of off-boarding.** Every external operator's role grant should have a corresponding revocation in your SOP.

## Worked Example

For a complete partner-delegation walkthrough — configuring an external partner as a per-campaign delegated minter via `setMinter(...)`, verifying scoped authority, and revoking at engagement end — see [Whitelist Management → Partner A → Partner B partial delegation](/spreefinance/spree-studio/whitelist-management.md#worked-example-partner-a--partner-b-partial-delegation).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://spree-finance.gitbook.io/spreefinance/spree-studio/authority-and-roles.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.