> ## Documentation Index
> Fetch the complete documentation index at: https://docs.anchorage.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Permission groups

> Create permission groups and select the global and vault-level permissions each API key needs.

export function PermissionsExplorer() {
  const PERMISSIONS = [{
    category: 'Global',
    name: 'Initiate withdrawals',
    description: 'Initiate withdrawals to external destinations. All withdrawals require quorum approval through the Anchorage Digital mobile app.',
    tags: []
  }, {
    category: 'Global',
    name: 'Read sub-accounts',
    description: 'View read-only information for ledger subaccounts.',
    tags: ['Wealth Management', 'ETF']
  }, {
    category: 'Global',
    name: 'Write sub-accounts',
    description: 'Write to the ledger to manage ledger subaccounts.',
    tags: ['Wealth Management', 'ETF']
  }, {
    category: 'Global',
    name: 'Execute trades',
    description: 'Execute RFQs (all trade clients), and orders, WebSocket, and FIX trading (Wealth Management only). Requires the user to be an Authorized Trader.',
    tags: ['Trading']
  }, {
    category: 'Global',
    name: 'Read trades',
    description: 'Read all trades placed across trading accounts tied to your organization.',
    tags: []
  }, {
    category: 'Global',
    name: 'Read deposit attribution',
    description: 'Read all pending and completed deposit attributions.',
    tags: []
  }, {
    category: 'Global',
    name: 'Deposit attribution',
    description: 'Attribute deposits as known deposits or spam.',
    tags: []
  }, {
    category: 'Global',
    name: 'Configure webhooks',
    description: 'Configure and manage webhooks via REST API.',
    tags: []
  }, {
    category: 'Global',
    name: 'Onboarding',
    description: 'Onboard and manage Wealth Management end clients.',
    tags: ['Wealth Management']
  }, {
    category: 'Global',
    name: 'Initiate staking and unstaking',
    description: 'Initiate staking and unstaking operations from wallets.',
    tags: []
  }, {
    category: 'Global',
    name: 'Manage trusted destinations',
    description: 'Create and manage trusted destinations.',
    tags: []
  }, {
    category: 'Global',
    name: 'Manage collateral packages',
    description: 'Read collateral management package information.',
    tags: ['Collateral Management']
  }, {
    category: 'Global',
    name: 'Read statements',
    description: 'Read statements.',
    tags: ['Wealth Management']
  }, {
    category: 'Vault-level',
    name: 'Read',
    description: 'Read balances and transactions for the wallets within this vault.',
    tags: []
  }, {
    category: 'Vault-level',
    name: 'Create address',
    description: 'Create wallets and addresses within a vault.',
    tags: []
  }, {
    category: 'Vault-level',
    name: 'Transfer funds within Anchorage Digital',
    description: 'Transfer funds from that source vault to another vault within Anchorage Digital.',
    tags: []
  }, {
    category: 'Vault-level',
    name: 'Transfer funds outside of Anchorage Digital',
    description: 'Transfer funds from that source vault to an external trusted destination.',
    tags: []
  }, {
    category: 'Vault-level',
    name: 'Authorize settlements',
    description: 'Authorize Atlas settlement from that source vault.',
    tags: ['Atlas']
  }, {
    category: 'Vault-level',
    name: 'Propose and accept settlements',
    description: 'Propose and accept Atlas settlement from that source vault.',
    tags: ['Atlas']
  }];
  const TAG_COLORS = {
    'Wealth Management': {
      bg: '#dbeafe',
      color: '#1d4ed8'
    },
    'ETF': {
      bg: '#dbeafe',
      color: '#1d4ed8'
    },
    'Trading': {
      bg: '#f3e8ff',
      color: '#7c3aed'
    },
    'Atlas': {
      bg: '#fef3c7',
      color: '#b45309'
    },
    'Collateral Management': {
      bg: '#dcfce7',
      color: '#15803d'
    }
  };
  const ALL_TAGS = ['Wealth Management', 'ETF', 'Trading', 'Atlas', 'Collateral Management'];
  const [tab, setTab] = useState('Global');
  const [search, setSearch] = useState('');
  const [activeTag, setActiveTag] = useState(null);
  const filtered = PERMISSIONS.filter(function (p) {
    if (p.category !== tab) return false;
    if (activeTag && p.tags.indexOf(activeTag) === -1) return false;
    if (search) {
      var q = search.toLowerCase();
      return p.name.toLowerCase().indexOf(q) !== -1 || p.description.toLowerCase().indexOf(q) !== -1;
    }
    return true;
  });
  var containerStyle = {
    borderRadius: '12px',
    border: '1px solid #e4e5e7',
    overflow: 'hidden',
    margin: '1.5rem 0',
    fontFamily: 'inherit'
  };
  var tabBarStyle = {
    display: 'flex',
    alignItems: 'center',
    borderBottom: '1px solid #e4e5e7',
    background: '#f9fafb'
  };
  var activeTabStyle = {
    padding: '10px 20px',
    fontSize: '14px',
    fontWeight: 600,
    background: 'white',
    borderBottom: '2px solid #5580f6',
    color: '#5580f6',
    cursor: 'pointer',
    border: 'none',
    borderBottomWidth: '2px',
    borderBottomStyle: 'solid',
    borderBottomColor: '#5580f6'
  };
  var inactiveTabStyle = {
    padding: '10px 20px',
    fontSize: '14px',
    fontWeight: 500,
    background: 'transparent',
    color: '#6b7280',
    cursor: 'pointer',
    border: 'none',
    borderBottom: '2px solid transparent'
  };
  var searchStyle = {
    marginLeft: 'auto',
    padding: '6px 12px',
    borderRadius: '8px',
    border: '1px solid #d1d5db',
    fontSize: '13px',
    outline: 'none',
    width: '200px',
    marginRight: '12px'
  };
  var filterBarStyle = {
    display: 'flex',
    flexWrap: 'wrap',
    gap: '8px',
    padding: '10px 16px',
    borderBottom: '1px solid #e4e5e7',
    background: 'white'
  };
  var listStyle = {
    background: 'white'
  };
  var rowStyle = {
    padding: '14px 20px',
    borderBottom: '1px solid #f3f4f6'
  };
  var footerStyle = {
    padding: '8px 20px',
    borderTop: '1px solid #f3f4f6',
    background: '#f9fafb',
    fontSize: '12px',
    color: '#9ca3af'
  };
  return <div style={containerStyle}>
      <div style={tabBarStyle}>
        {['Global', 'Vault-level'].map(function (t) {
    return <button key={t} onClick={function () {
      setTab(t);
      setActiveTag(null);
      setSearch('');
    }} style={tab === t ? activeTabStyle : inactiveTabStyle}>
              {t}
            </button>;
  })}
        <input type="text" placeholder="Search permissions..." value={search} onChange={function (e) {
    setSearch(e.target.value);
  }} style={searchStyle} />
      </div>

      {tab === 'Global' && <div style={filterBarStyle}>
          <button onClick={function () {
    setActiveTag(null);
  }} style={{
    padding: '3px 12px',
    borderRadius: '999px',
    fontSize: '12px',
    fontWeight: 500,
    cursor: 'pointer',
    border: '1px solid',
    borderColor: activeTag === null ? '#5580f6' : '#d1d5db',
    background: activeTag === null ? '#5580f6' : 'white',
    color: activeTag === null ? 'white' : '#6b7280'
  }}>
            All
          </button>
          {ALL_TAGS.map(function (tag) {
    var colors = TAG_COLORS[tag];
    var isActive = activeTag === tag;
    return <button key={tag} onClick={function () {
      setActiveTag(isActive ? null : tag);
    }} style={{
      padding: '3px 12px',
      borderRadius: '999px',
      fontSize: '12px',
      fontWeight: 500,
      cursor: 'pointer',
      border: '1px solid',
      borderColor: isActive ? colors.color : '#d1d5db',
      background: isActive ? colors.bg : 'white',
      color: isActive ? colors.color : '#6b7280'
    }}>
                {tag}
              </button>;
  })}
        </div>}

      <div style={listStyle}>
        {filtered.length === 0 ? <div style={{
    padding: '32px',
    textAlign: 'center',
    color: '#9ca3af',
    fontSize: '14px'
  }}>
            No permissions match your filters.
          </div> : filtered.map(function (p) {
    return <div key={p.name} style={rowStyle}>
                <div style={{
      display: 'flex',
      flexWrap: 'wrap',
      alignItems: 'center',
      gap: '8px',
      marginBottom: '4px'
    }}>
                  <span style={{
      fontWeight: 600,
      fontSize: '14px',
      color: '#111827'
    }}>{p.name}</span>
                  {p.tags.map(function (tag) {
      var colors = TAG_COLORS[tag];
      return <span key={tag} style={{
        padding: '2px 8px',
        borderRadius: '999px',
        fontSize: '11px',
        fontWeight: 500,
        background: colors.bg,
        color: colors.color
      }}>
                        {tag}
                      </span>;
    })}
                </div>
                <p style={{
      margin: 0,
      fontSize: '13px',
      color: '#6b7280',
      lineHeight: '1.5'
    }}>{p.description}</p>
              </div>;
  })}
      </div>

      <div style={footerStyle}>
        {filtered.length} permission{filtered.length !== 1 ? 's' : ''}
      </div>
    </div>;
}

export const AnnotatedImage = ({src, alt = "", annotations = [], width, style = {}}) => {
  const [active, setActive] = useState(null);
  const containerStyle = {
    position: "relative",
    display: "block",
    width: width ?? "100%",
    ...style
  };
  const imgStyle = {
    display: "block",
    width: "100%",
    height: "auto",
    borderRadius: "8px"
  };
  return <div style={containerStyle}>
      <img src={src} alt={alt} style={imgStyle} />

      {annotations.map((ann, i) => {
    const isActive = active === i;
    const color = ann.color ?? "#e53e3e";
    const rectStyle = {
      position: "absolute",
      left: ann.x + "%",
      top: ann.y + "%",
      width: ann.width + "%",
      height: ann.height + "%",
      border: "2px solid " + color,
      background: isActive ? color + "26" : color + "12",
      boxShadow: isActive ? "0 0 0 1px " + color + "59, inset 0 0 0 1px " + color + "33" : "none",
      borderRadius: "3px",
      cursor: "default",
      transition: "background 120ms ease, box-shadow 120ms ease",
      zIndex: isActive ? 100 : 10,
      boxSizing: "border-box"
    };
    const flipAbove = ann.y + ann.height > 60;
    const flipLeft = ann.x > 50;
    const bubbleStyle = {
      position: "absolute",
      ...flipAbove ? {
        bottom: "calc(100% + 8px)"
      } : {
        top: "calc(100% + 8px)"
      },
      ...flipLeft ? {
        right: 0
      } : {
        left: 0
      },
      minWidth: "180px",
      maxWidth: "260px",
      padding: "10px 13px",
      background: "var(--background, #fff)",
      border: "1px solid var(--ad-border, #e4e5e7)",
      borderRadius: "10px",
      boxShadow: "0 8px 24px rgba(20,20,21,0.12)",
      pointerEvents: "none",
      zIndex: 9999,
      opacity: isActive ? 1 : 0,
      transition: "opacity 120ms ease",
      whiteSpace: "normal"
    };
    return <div key={i} style={rectStyle} onMouseEnter={() => setActive(i)} onMouseLeave={() => setActive(null)}>
            <div style={bubbleStyle} role="tooltip">
              {ann.label && <div style={{
      fontSize: "13px",
      fontWeight: 700,
      marginBottom: ann.description ? "4px" : 0,
      color
    }}>
                  {ann.label}
                </div>}
              {ann.description && <div style={{
      fontSize: "12.5px",
      lineHeight: 1.45,
      opacity: 0.7
    }}>
                  {ann.description}
                </div>}
            </div>
          </div>;
  })}
    </div>;
};

A permission group is a reusable rule set that defines what actions an API key can perform, scoped to a single vault or across multiple vaults. An API key's capabilities come from the group assigned to it, not the key itself, so the group is where you decide what an integration can do.

By default, Anchorage Digital vaults don't allow API access. To enable it, an administrator either creates a permission group with the permissions each vault needs, or creates a key using the default read-only group.

<CardGroup cols={2}>
  <Card title="Quorum-enforced" icon="face-viewfinder">
    Any activity related to permission groups requires quorum approval, so changes stay in the hands of your trusted admins.
  </Card>

  <Card title="Flexible" icon="users-between-lines">
    Set up multiple permission groups and create as many API keys as you need under each group.
  </Card>

  <Card title="Inherited" icon="hands-holding-child">
    Updates to a permission group propagate to all of its API keys. Deleting a group invalidates every key within it.
  </Card>

  <Card title="Read-only by default" icon="readme">
    Each organization starts with a default read-only permission group, which you can modify at any time.
  </Card>
</CardGroup>

<Frame caption="Example of permission groups">
  <AnnotatedImage
    src="/images/diagrams/permissions-diagram.png"
    alt="Dashboard"
    annotations={[
{ x: 3, y: 56, width: 65, height: 32, label: "Inheritance", description: "Every API key gets the updates applied to the permission group it belongs to." },
{ x: 21, y: 10, width: 76, height: 30, label: "", description: "Multiple groups, granular key controls" },
]}
  />
</Frame>

<Tip>
  **Permission group segregation**

  Most clients create a permission group per team or end-user group, with one key for each. For example:

  * Admin permission group — full permissions
  * Operations — limited to reading balances and internal transfers
  * Accounting — read only
</Tip>

## How to create a permission group

<Steps>
  <Step title="Access the API section">
    From the homepage, select **Developers**, then **API 2.0** to access Anchorage Digital APIs, then select **Create new group**.
  </Step>

  <Step title="Configure the group">
    Give the permission group a name and select the appropriate global and vault-level permissions.
  </Step>

  <Step title="Endorse and approve">
    Optionally add a comment, then select **Endorse** to create the group. Follow the prompts to submit biometric approval through the mobile app — quorum approval is required. After quorum is met, Anchorage Digital reviews the group for approval.
  </Step>
</Steps>

To edit or delete a permission group, select the three-dot menu next to the group details. Edits and deletions also require quorum approval.

## Permission levels

When you create a permission group, your selections determine which APIs the associated keys can call. There are two levels of vault permissions.

### Global permissions

Global permissions sit across all of your vaults, not just one. If a key has the global **Initiate withdrawals** permission, it can initiate a withdrawal from any of your vaults. Withdrawals still require quorum approval.

### Vault-level permissions

Vault-level permissions are specific to a single vault. If a key has vault-level **Internal Transfer** permissions, it can initiate a transfer only from that source vault, or the wallets within it.

### All-vaults

The all-vaults option lets all current and future vaults inherit a permission. Even if a vault changes names or moves to a different account, any key keeps the permission.

## Permissions reference

| Category    | Permission                                    | Description                                                                                                                      | Use case                                                            |
| :---------- | :-------------------------------------------- | :------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------ |
| Global      | Initiate withdrawals                          | Initiate withdrawals to external destinations. All withdrawals require quorum approval through the Anchorage Digital mobile app. |                                                                     |
| Global      | Read sub-accounts                             | View read-only information for ledger subaccounts.                                                                               | Wealth Management and ETF only                                      |
| Global      | Write sub-accounts                            | Write to the ledger to manage ledger subaccounts.                                                                                | Wealth Management and ETF only                                      |
| Global      | Execute trades                                | All trade clients: execute RFQs. Wealth Management only: orders, WebSocket, and FIX trading.                                     | Trading clients only. Requires the user to be an Authorized Trader. |
| Global      | Read trades                                   | Read all trades placed across trading accounts tied to your organization.                                                        |                                                                     |
| Global      | Read deposit attribution                      | Read all pending and completed deposit attributions.                                                                             |                                                                     |
| Global      | Deposit attribution                           | Attribute deposits as known deposits or spam.                                                                                    |                                                                     |
| Global      | Configure webhooks                            | Configure and manage webhooks via REST API.                                                                                      |                                                                     |
| Global      | Onboarding                                    | Onboard and manage Wealth Management end clients.                                                                                | Wealth Management only                                              |
| Global      | Initiate staking and unstaking                | Initiate staking and unstaking operations from wallets.                                                                          |                                                                     |
| Global      | Manage trusted destinations                   | Create and manage trusted destinations.                                                                                          |                                                                     |
| Global      | Manage collateral packages                    | Read collateral management package information.                                                                                  | Collateral Management only                                          |
| Global      | Read statements                               | Read statements.                                                                                                                 | Wealth Management only                                              |
| Vault-level | Read                                          | Read balances and transactions for the wallets within this vault.                                                                |                                                                     |
| Vault-level | Create address                                | Create wallets and addresses within a vault.                                                                                     |                                                                     |
| Vault-level | Transfer funds — within Anchorage Digital     | Transfer funds from that source vault.                                                                                           |                                                                     |
| Vault-level | Transfer funds — outside of Anchorage Digital | Transfer funds from that source vault.                                                                                           |                                                                     |
| Vault-level | Authorize settlements                         | Authorize Atlas settlement from that source vault.                                                                               | Atlas clients only                                                  |
| Vault-level | Propose and accept settlements                | Propose and accept Atlas settlement from that source vault.                                                                      | Atlas clients only                                                  |

<PermissionsExplorer />

Each API requires a specific permission tied to the permission group, and to the key that belongs to it. Use this table to map the permission you select to the operations it unlocks.

<Frame caption="API permissions by endpoint">
  ![API permissions by endpoint](https://files.readme.io/e46f4df3be44047a3050ad52aa2a000495c6bc31f1d8a326d085e8f2e50f16ae-image.png)
</Frame>

Once your group is approved, [create an API key](/knowledge-base/platform/developers/api-keys) and assign it to the group.
