
POST /admin/roles/{role_id}/approval-requests

Create an approval request for role changes (e.g., assign or remove a role for a user). After submission, it enters the approval workflow and awaits admin approval. References: NIST SP 800-53 AC-2 (Account Management), AC-5 (Separation of Duties), OWASP ASVS V1.2 (Access Control Architecture).

RBAC - Approval `bearerAuth` application/json

Request Parameters

| Name | In | Type | Required | Default | Example | Constraints | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| role_id | path | string | Yes | | | | Role ID |

Request Body

Schema: gitee_com_linmes_authms_micro-services_rbac-service_internal_handler_dto.RequestApprovalRequest

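| Field | Type | Required | Example | Constraints | Description |
| --- | --- | --- | --- | --- | --- |
| action | string | Yes | | | Action |
| target_id | string | Yes | | | Target ID |
| expire_at | string | No | | | Expiration time |
| payload | string | No | | | Additional data |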

Responses

| Status | Description | Schema |
| --- | --- | --- |
| 201 | Approval request created successfully | gitee_com_linmes_authms_base_dto.DataResponse-gitee_com_linmes_authms_micro-services_rbac-service_internal_handler_dto_ApprovalRequestResponse |
| 400 | Invalid request parameters | dto.Problem |
| 401 | Unauthenticated | dto.Problem |
| 403 | Forbidden (non-admin) | dto.Problem |
| 404 | Role not found | dto.Problem |
| 409 | A pending request of the same type already exists | dto.Problem |
| 500 | Internal server error | dto.Problem |

Referenced Schemas

dto.FieldViolation

| Field | Type | Required | Example | Constraints | Description |
| --- | --- | --- | --- | --- | --- |
| code | string | No | | | Code is the error code (optional) used by programs to identify error types, e.g., "required", "format", "range" |
| description | string | No | | | Description is a human-readable error description that should explain which rule was violated, e.g., "Must be a valid email address" |
| field | string | No | | | Field is the path to the error field, using dot notation for nested fields, e.g., "user.email" or "addresses[0].city" |
| value | object | No | | | Value is the value that caused the error (optional, used in development mode); may not be returned in production to avoid leaking sensitive information |

dto.Problem

| Field | Type | Required | Example | Constraints | Description |
| --- | --- | --- | --- | --- | --- |
| code | integer | No | | | Code is the business error code used by programs to handle specific error scenarios. Example: 30101001 |
| detail | string | No | | | Detail is a human-readable explanation specific to this error instance, which may include specific error details, e.g., "Field 'email' is required" |
| errors | array of dto.FieldViolation (see dto.FieldViolation) | No | | | Errors is a list of field-level validation errors (extension field), following Web API standard practices; each error contains the field name and error message |
| i18n_args | object | No | | | I18nArgs are internationalization parameters used to dynamically fill translation templates |
| i18n_key | string | No | | | I18nKey is the internationalization key used for client-side localization of error messages. Example: "error.user_not_found" |
| instance | string | No | | | Instance is the specific URI reference where the problem occurred, usually the request URL, possibly including query parameters. Example: "/api/v1/users?limit=invalid" |
| request_id | string | No | | | RequestID is the unique request identifier used for log correlation and issue tracking. Example: "req_550e8400-e29b-41d4-a716-446655440000" |
| retry_after | integer | No | | | RetryAfter is used for 429 Too Many Requests responses, indicating how many seconds the client should wait before retrying (RFC 6585) |
| service | string | No | | | Service is the service name used in microservice architectures to locate the error source. Example: "auth-service" |
| span_id | string | No | | | SpanID is the current span identifier used to precisely locate the current node in a distributed trace |
| status | integer | No | | | Status is the HTTP status code generated, used by clients to distinguish problem types, does not change with Accept-Language. Example: 400, 401, 403, 404, 500 |
| timestamp | string | No | | | Timestamp is the time the error occurred, in ISO 8601 format. Example: "2026-04-03T12:00:00Z" |
| title | string | No | | | Title is a short, human-readable summary of the problem type; the same Type should always have the same Title (does not vary by instance). Example: "Invalid Request Parameters" |
| trace_id | string | No | | | TraceID is the distributed tracing identifier, following the W3C Trace Context standard. Example: "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-01" |
| type | string | No | | | Type is a URI reference that identifies the problem type; when dereferenced, it should provide human-readable documentation. Example: "https://api.example.com/errors/invalid-request" |

gitee_com_linmes_authms_base_dto.DataResponse-gitee_com_linmes_authms_micro-services_rbac-service_internal_handler_dto_ApprovalRequestResponse

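| Field | Type | Required | Example | Constraints | Description |
| --- | --- | --- | --- | --- | --- |
| code | integer | No | | | |
| data | gitee_com_linmes_authms_micro-services_rbac-service_internal_handler_dto.ApprovalRequestResponse | No | | | |
| message | string | No | | | |
| timestamp | string | No | | | |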

gitee_com_linmes_authms_micro-services_rbac-service_internal_handler_dto.ApprovalRequestResponse

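| Field | Type | Required | Example | Constraints | Description |
| --- | --- | --- | --- | --- | --- |
| action | string | No | assign_role | | |
| created_at | string | No | 2026-04-15T10:30:00Z | | |
| id | string | No | 01ARZ3NDEKTSV4RRFFQ69G5FAV | | |
| payload | string | No | {} | | |
| reason | string | No | | | |
| requester_id | string | No | usr_example_001 | | |
| reviewer_id | string | No | usr_example_003 | | |
| role_id | string | No | 01ARZ3NDEKTSV4RRFFQ69G5FAV | | |
| status | string | No | pending | | |
| target_id | string | No | usr_example_002 | | |
| tenant_id | string | No | tnt_example_001 | | |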
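
A client-side sketch of this endpoint, added here as an example and not taken from the Autional code base: it builds the request with `role_id` escaped into a single path segment and the bearer token attached, then decodes either the 201 envelope or a `dto.Problem` body. The type and function names, the base URL, and the token value are assumptions; only the JSON field names come from the schemas above.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// Type names are hypothetical; JSON field names are the ones documented above.
type ApprovalReq struct {
	Action   string `json:"action"`
	TargetID string `json:"target_id"`
}
type Problem struct {
	Status    int    `json:"-"` // taken from the HTTP status line, not the body
	RequestID string `json:"request_id"`
}

// Build rejects empty required fields and escapes role_id so it stays one path segment.
func Build(base, token, roleID string, in ApprovalReq) (*http.Request, error) {
	if roleID == "" || in.Action == "" || in.TargetID == "" {
		return nil, fmt.Errorf("role_id, action and target_id are required")
	}
	body, _ := json.Marshal(in)
	u := base + "/admin/roles/" + url.PathEscape(roleID) + "/approval-requests"
	req, err := http.NewRequest(http.MethodPost, u, bytes.NewReader(body))
	if err == nil {
		req.Header.Set("Authorization", "Bearer "+token)
		req.Header.Set("Content-Type", "application/json")
	}
	return req, err
}

// Parse returns the new request's id on 201, otherwise the dto.Problem body.
func Parse(status int, body []byte) (string, *Problem, error) {
	if status == http.StatusCreated {
		var env struct{ Data struct{ ID string `json:"id"` } `json:"data"` }
		err := json.Unmarshal(body, &env)
		return env.Data.ID, nil, err
	}
	p := &Problem{Status: status}
	return "", p, json.Unmarshal(body, p)
}
func main() {
	req, err := Build("https://rbac.example.test", "TOKEN", "01ARZ3NDEKTSV4RRFFQ69G5FAV", ApprovalReq{"assign_role", "usr_example_002"})
	fmt.Println(req.URL.EscapedPath(), err)
}
```

A caller can treat a returned `Problem` with `Status` 409 as "already pending" rather than retrying, and log its `RequestID` for correlation with server-side logs.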