Source: https://datafa.st/docs/cli-permissions
Markdown source: https://datafa.st/docs/cli-permissions.md
Description: Understand what owners, members, and viewers can do, and which token permissions each operation requires.

# CLI — Permissions and roles

Use this page as a quick reference for **token types**, **website roles**, and **API token permissions**.

## Website roles

DataFast has 3 website roles:

- **Owner** — full control, including destructive/team-owner actions; responsible for billing
- **Member** — can manage most website data/settings, but not owner-only actions
- **Viewer** — read-only access

## Role matrix

| Operation | Owner | Member | Viewer |
|---|---|---|---|
| Read data | ✅ | ✅ | ✅ |
| Update settings | ✅ | ✅ | ❌ |
| Manage API keys | ✅ | ✅ | ❌ |
| Manage alerts | ✅ | ✅ | ❌ |
| Manage funnels | ✅ | ✅ | ❌ |
| Manage goals | ✅ | ✅ | ❌ |
| Manage payments | ✅ | ✅ | ❌ |
| Invite/remove team | ✅ | ❌ | ❌ |
| Delete website | ✅ | ❌ | ❌ |
| Billing | ✅ | ❌ | ❌ |

Permission mapping:

- Read data → `*:read` (for example `analytics:read`, `settings:read`)
- Update settings → `settings:write`
- Manage API keys → `api-keys:write`
- Manage alerts → `alerts:write`
- Manage funnels → `funnels:write`
- Manage goals → `goals:write`
- Manage payments → `settings:write` and/or `payments:write`
- Invite/remove team → `team:write` + owner check
- Delete website → `websites:write` + owner check

> Some actions require both token permission **and** an owner-only guard in the API (team invite/remove, website delete).

## Token types

DataFast has two token types. Use the one that matches what you want the CLI, script, or AI agent to do.

### 1) `dft_` account token

Use this for the normal CLI setup. When you run `datafast login`, the CLI opens the [DataFast dashboard API tab](https://datafa.st/dashboard/settings?tab=api) so you can create this account-level token.

A `dft_` token can run account and website commands, depending on its permissions and your website role:

- Account commands: `whoami`, `tokens`, account settings
- Website management: `websites`, `alerts`, `funnels`, API keys, team management, settings
- Analytics commands for any website the token can access

For analytics commands with a `dft_` token, pass `--website <websiteId>` or set a default once:

```sh
datafast config set-website <websiteId>
```

### 2) `df_` website API key

Use this when you only want analytics/API access for one website. Create it manually in **Website settings → API**, or from the CLI with [`datafast websites apikeys create`](/docs/cli-websites#website-api-keys-df).

A `df_` key is scoped to one website. It is good for read-only analytics, scripts, and AI agents that should not manage your whole account.

Analytics commands do not need `--website` with a `df_` key because the website is already attached to the key.

> Rule of thumb: use `dft_` for managing DataFast, and `df_` for reading analytics from one website. See the [API authentication docs](/docs/api-introduction) for website API keys.

### Token permission cheatsheet

When creating tokens (`datafast tokens create`), these are the most common permissions:

- **Read-only dashboard data:** `analytics:read,websites:read,settings:read,alerts:read,funnels:read,goals:read`
- **Website settings management:** `settings:write`
- **Website API key management:** `api-keys:write`
- **Team management:** `team:write` (owner-only endpoints still require owner role)
- **Everything:** `*`

### Examples

```sh
# Read-only token
datafast tokens create --name "Read only" --permissions "analytics:read,websites:read,settings:read,alerts:read,funnels:read,goals:read"

# Member-level operations (settings, website API keys, alerts, funnels, goals)
datafast tokens create --name "Ops" --permissions "settings:write,api-keys:write,alerts:write,funnels:write,goals:write"

# Full access
datafast tokens create --name "Admin" --permissions "*"
```
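
The two-layer check from the role matrix and permission mapping above (token permission **and** website role), modeled locally as an added example; this is not DataFast's code, and the real enforcement happens in the API. The operation names are hypothetical labels, and it assumes exact permission matching apart from `*` (so a `write` permission is not treated as implying `read`).

```python
# Added example: local model of the page's role matrix and permission mapping.
# Operation names are hypothetical labels, not CLI commands or API identifiers.
ROLE_RANK = {"viewer": 0, "member": 1, "owner": 2}

# operation -> (token permission required, minimum website role), per the page
REQUIREMENTS = {
    "read-analytics":  ("analytics:read", "viewer"),
    "update-settings": ("settings:write", "member"),
    "manage-api-keys": ("api-keys:write", "member"),
    "manage-alerts":   ("alerts:write",   "member"),
    "manage-funnels":  ("funnels:write",  "member"),
    "manage-goals":    ("goals:write",    "member"),
    "manage-team":     ("team:write",     "owner"),   # owner-only guard
    "delete-website":  ("websites:write", "owner"),   # owner-only guard
}

def parse_permissions(csv):
    """Split a --permissions string into a set, ignoring blanks."""
    return {p.strip() for p in csv.split(",") if p.strip()}

def check(operation, permissions_csv, role):
    """Return (allowed, reason); the token check and the role check must both pass."""
    required, min_role = REQUIREMENTS[operation]
    granted = parse_permissions(permissions_csv)
    # "*" is the page's "Everything" permission; anything else must match exactly
    # (assumption: the page does not say whether write implies read).
    if "*" not in granted and required not in granted:
        return False, f"token lacks {required}"
    if ROLE_RANK[role] < ROLE_RANK[min_role]:
        return False, f"role {role} is below {min_role}"
    return True, "ok"

def excess_permissions(permissions_csv, operations):
    """Permissions on the token that none of the intended operations need."""
    granted = parse_permissions(permissions_csv)
    needed = {REQUIREMENTS[op][0] for op in operations}
    return sorted(granted - needed)

if __name__ == "__main__":
    # A "*" token does not bypass the owner guard for a member.
    print(check("manage-team", "*", "member"))
    # The "Ops" permission string from the page, used only for alert management.
    ops = "settings:write,api-keys:write,alerts:write,funnels:write,goals:write"
    print(excess_permissions(ops, ["manage-alerts"]))
```

Running `excess_permissions` over a token's permission string before creating it shows which permissions can be dropped for the job the token is meant to do.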
