Roles and Permissions
Access control over your analytics data should live on your infrastructure — not in a third-party identity cloud you don’t control. HitKeep’s role-based access control (RBAC) is enforced entirely on your instance, with granular roles at both the instance level and per site.
Instance Roles
Instance roles apply across the entire HitKeep installation.

| Role | Permissions |
|---|---|
| owner | Full access — users, all sites, system settings |
| admin | Can view all sites; cannot modify system settings |
| user | Access only to explicitly assigned sites |

Change a user’s instance role (admin only):

```bash
curl -X POST https://your-hitkeep.example/api/admin/users/{user_id}/role \
  -H "Content-Type: application/json" \
  -b "hk_token=ADMIN_SESSION_COOKIE" \
  -d '{"role": "admin"}'
```

Site Roles
Site roles are scoped per user, per site. A user can be a viewer on one site and an owner on another.

| Role | What they can do |
|---|---|
| owner | Full site access — data, goals, funnels, team, retention settings |
| admin | Manage data, goals, funnels, and team members |
| editor | Create and edit goals and funnels |
| viewer | Read-only access to dashboard and analytics |

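An added example, not HitKeep code: an access-review helper that combines the two role tables above to list who can effectively reach each site, including access that comes from an instance role rather than from a site membership. The input dictionaries are constructed, and mapping instance `owner` to owner-level and instance `admin` to viewer-level access on every site is an assumption read from "Full access" and "Can view all sites".

```python
# Access-review sketch for the two role levels described above.
# Assumption: instance "owner" acts as site owner everywhere, and instance
# "admin" has at least viewer-level access to every site.
SITE_RANK = {"viewer": 1, "editor": 2, "admin": 3, "owner": 4}
INSTANCE_FLOOR = {"owner": "owner", "admin": "viewer", "user": None}


def effective_site_role(instance_role, site_roles, site_id):
    """Return the strongest site role a user holds on site_id, or None."""
    if instance_role not in INSTANCE_FLOOR:
        raise ValueError(f"unknown instance role: {instance_role!r}")
    explicit = site_roles.get(site_id)
    if explicit is not None and explicit not in SITE_RANK:
        raise ValueError(f"unknown site role: {explicit!r}")
    floor = INSTANCE_FLOOR[instance_role]
    candidates = [r for r in (explicit, floor) if r]
    return max(candidates, key=SITE_RANK.get, default=None)


def exposure(users, sites):
    """Map each site to {user: (effective_role, source)}.

    source is "site" when the role comes from a site membership and
    "instance" when it is implied by the instance role alone.
    """
    report = {}
    for site in sites:
        rows = {}
        for name, u in users.items():
            role = effective_site_role(u["instance_role"], u["site_roles"], site)
            if role is None:
                continue
            source = "site" if u["site_roles"].get(site) == role else "instance"
            rows[name] = (role, source)
        report[site] = rows
    return report


# Constructed sample data (hypothetical shape, not a HitKeep API response).
USERS = {
    "alice": {"instance_role": "owner", "site_roles": {}},
    "bob": {"instance_role": "admin", "site_roles": {"shop": "editor"}},
    "carol": {"instance_role": "user", "site_roles": {"blog": "viewer"}},
}
SITES = ["blog", "shop"]

if __name__ == "__main__":
    for site, rows in exposure(USERS, SITES).items():
        for name, (role, source) in sorted(rows.items()):
            print(f"{site}: {name} -> {role} (via {source})")
```

Rows marked `instance` are the ones a per-site member list would not show, so they are worth reviewing whenever an instance role is granted.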
Add a Member to a Site

```bash
curl -X POST https://your-hitkeep.example/api/sites/{site_id}/members \
  -H "Content-Type: application/json" \
  -b "hk_token=YOUR_SESSION_COOKIE" \
  -d '{"email": "teammate@example.com", "role": "viewer"}'
```

An invitation email is sent to the address. The user accepts via a link — no admin approval flow required on your end.

Remove a Member

```bash
curl -X DELETE https://your-hitkeep.example/api/sites/{site_id}/members/{user_id} \
  -b "hk_token=YOUR_SESSION_COOKIE"
```

Check Permissions

```bash
# Current user's permissions across all sites
curl https://your-hitkeep.example/api/user/permissions \
  -b "hk_token=YOUR_SESSION_COOKIE"
```

Service Accounts and API Access
For CI pipelines, integrations, or automated dashboards, use API Clients instead of sharing user credentials. API client tokens are bearer tokens that can be revoked individually without affecting any other user or session.

Related
HitKeep Cloud adds managed user provisioning with per-tenant data isolation — your organization’s analytics are never co-mingled with another customer’s.