Admin workflows
You'll: grant a tenant_admin role, audit quota usage at the partner and tenant level, and rotate a webhook signing secret. These are the operator workflows you'll do most often.
All examples use the Python SDK's admin sub-client. The same operations are available in the browser at /admin/; this tutorial covers the programmatic / scripted version.
Setup#
You need a token with admin-level scope. For the SDK that means authenticating as a user who holds at least tenant_admin (or higher) for the operations below:
1 2 3 4 5 6 7 8 9 10 11 12 13 | |
Workflow 1 — Grant a role#
A new colleague joins the marketing tenant. Make them a tenant_admin:
1 2 3 4 5 6 7 8 | |
Confirm the grant:
1 2 3 | |
Revoke later if needed:
1 | |
Revocation stamps revoked_at on the row — it stays in the database for audit. You can still list it with include_revoked=True.
Role precedence cheat sheet#
| Need to grant… | …requires at least |
|---|---|
member on tenant X |
tenant_admin on X (or higher in scope) |
tenant_admin on tenant X |
partner_admin on X's partner (or superadmin) |
partner_admin on partner Y |
superadmin |
superadmin |
superadmin |
The server enforces this — attempts to grant above your level get a 403.
Workflow 2 — Partner quota rollup#
End of month — check how much your partner's tenants used:
1 2 3 4 5 6 7 8 9 10 11 12 13 | |
Output:
1 2 3 4 5 6 7 8 9 | |
The tnt_alpha over-quota signal is real: tenants over 100% are returning 429 to their callers. Bump their quota (code change in _DEFAULTS for now; per-tenant overrides arrive in v1.x) or have a conversation.
Other axes work the same way:
1 2 3 | |
Workflow 3 — Per-user breakdown within a tenant#
Someone's tenant got a 429 yesterday. Who's responsible?
1 2 3 4 5 6 7 8 9 10 | |
Output:
1 2 3 4 5 6 | |
A batch job ran the tenant into the ceiling. Decide: rate-limit the batch, raise the tenant's quota, or move the batch to its own tenant.
Coverage matrix reminder#
The coverage field reports whether per-user attribution is available for the axis:
| Axis | Coverage |
|---|---|
renders_per_day |
full (from the quota_periods_user table) |
documents_count |
full (from Spec.created_by of v1 specs) |
assets_bytes |
none — Asset/Font tables don't track created_by yet |
templates_count |
none — Template table doesn't track created_by yet |
When coverage is none, per_user is empty and note explains. v1.x will close those gaps.
Workflow 4 — Rotate a webhook signing secret#
ScaiKey webhook calls into /v1/internal/scaikey/webhook carry an HMAC signature computed with a shared secret. Rotate when you suspect compromise or as part of a routine quarterly drill:
1 2 3 4 5 6 | |
Sample output:
1 2 3 4 5 6 | |
The new secret is shown once. Do this immediately:
- Open the ScaiKey admin panel; navigate to the ScaiScribe application's webhook settings.
- Paste the new secret in the secret field. Save.
- SSH to the ScaiScribe backend host. Edit
.env:bash1SCAISCRIBE_SCAIKEY_WEBHOOK_SECRET=<the-new-secret> - Restart the API process:
systemctl restart scaiscribe-api(or equivalent). - Confirm: trigger a webhook (e.g. a ScaiKey user update) and check the access log for
200.
Between step 1 and step 4, webhook events return 401 (signature mismatch). Plan the rotation for a maintenance window or accept a brief gap in user-sync events — the daily reconciliation at 03:00 UTC catches anything missed.
Workflow 5 — Inspect a failed job#
A render came back 500. What happened?
1 2 3 4 5 6 7 8 9 10 11 12 13 | |
Sample output for a failed PDF render:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | |
The error envelope mirrors what the caller saw. Combined with the operation and document/version refs, you can reproduce the failure locally.
Going further#
- The admin SPA at
/admin/exposes all of these workflows in a browser UI. Use it for ad-hoc exploration. - The runbook at
docs/manual/operations/runbook.md(operator manual) lists health-check endpoints, common-task recipes, troubleshooting, and capacity signals. - For batch operations (e.g. grant the same role to 50 users), script with the SDK — the admin sub-client is idempotent where it can be and surfaces structured errors where it can't.
Where to next#
- Concepts → Auth + quotas — the model behind the rollup endpoints.
- Reference → SDKs — admin sub-client method-by-method coverage matrix.
- Reference → API —
/v1/admin/*shapes.