Access Control - Cal.com Docs

Organization and team API endpoints use two layers of access control: roles and PBAC (Permission-Based Access Control). Roles are the default mechanism — every endpoint requires a minimum membership role. PBAC is an opt-in feature that adds fine-grained permissions on top.

Roles

Every organization and team endpoint requires the authenticated user to have a membership with a minimum role. There are three roles, from highest to lowest privilege:

Level	Roles (highest to lowest)
Organization	`owner` > `admin` > `member`
Team	`owner` > `admin` > `member`

Role hierarchy

Higher roles can access endpoints that require a lower role. For example, if an endpoint requires admin, a user with the owner role can also access it.

Organization roles grant team access

Organization-level roles carry over to team endpoints:

Org admin or owner can access any team endpoint, regardless of team membership or the required team role. Organization level is above team level in terms of permissions.
Org member must have a separate team membership. Their team role is then checked against the required team role.

For example, if a team endpoint requires team admin:

A user with org admin or org owner membership can access it directly — no team membership needed.
A user with org member membership needs a team admin (or team owner) membership in that specific team.

Managing memberships

Use these endpoints to manage organization and team memberships: Organization memberships

Method	Endpoint
`POST`	`/v2/organizations/{orgId}/memberships`
`GET`	`/v2/organizations/{orgId}/memberships`
`GET`	`/v2/organizations/{orgId}/memberships/{membershipId}`
`PATCH`	`/v2/organizations/{orgId}/memberships/{membershipId}`
`DELETE`	`/v2/organizations/{orgId}/memberships/{membershipId}`

Team memberships

Method	Endpoint
`POST`	`/v2/organizations/{orgId}/teams/{teamId}/memberships`
`GET`	`/v2/organizations/{orgId}/teams/{teamId}/memberships`
`GET`	`/v2/organizations/{orgId}/teams/{teamId}/memberships/{membershipId}`
`PATCH`	`/v2/organizations/{orgId}/teams/{teamId}/memberships/{membershipId}`
`DELETE`	`/v2/organizations/{orgId}/teams/{teamId}/memberships/{membershipId}`

PBAC (Permission-Based Access Control)

PBAC is an opt-in feature enabled per organization. It lets you define custom roles with specific permissions for organization members. Instead of relying solely on admin/member roles, you can create granular roles like “Booking Manager” or “Team Lead” that have access to only the endpoints they need.

How it works

Each endpoint has both a required membership role and a PBAC permission (e.g. eventType.update). Access is determined as follows:

PBAC is not enabled — the system checks if the authenticated user has a membership with the required role (e.g. org admin). Users with a higher role (e.g. org owner) can also access endpoints that require a lower role.
PBAC is enabled and user has the required permission — access is granted and the membership role check is skipped.
PBAC is enabled but user is missing the permission — falls back to the membership role check in step 1.

Setting up PBAC

Create a custom role with specific permissions using the Roles API
Assign the role to an organization or team membership
When the member makes API requests, PBAC checks if their role includes the required permission for that endpoint

Managing roles and permissions

Use the following endpoints to create roles, assign permissions, and manage access for your organization members.

Roles

Method	Endpoint
`POST`	`/v2/organizations/{orgId}/roles`
`GET`	`/v2/organizations/{orgId}/roles`
`GET`	`/v2/organizations/{orgId}/roles/{roleId}`
`PATCH`	`/v2/organizations/{orgId}/roles/{roleId}`
`DELETE`	`/v2/organizations/{orgId}/roles/{roleId}`

Role permissions

Method	Endpoint
`POST`	`/v2/organizations/{orgId}/roles/{roleId}/permissions`
`GET`	`/v2/organizations/{orgId}/roles/{roleId}/permissions`
`PUT`	`/v2/organizations/{orgId}/roles/{roleId}/permissions`
`DELETE`	`/v2/organizations/{orgId}/roles/{roleId}/permissions/{permission}`
`DELETE`	`/v2/organizations/{orgId}/roles/{roleId}/permissions`

Endpoint descriptions

Each organization and team endpoint description mentions the minimum membership role and PBAC permission required to access it.

Getting Started

Orgs / Attributes

Orgs / Attributes / Options

Orgs / Bookings

Orgs / Delegation Credentials

Orgs / Memberships

Orgs / Roles

Orgs / Roles / Permissions

Orgs / Routing forms

Orgs / Schedules

Orgs / Teams

Orgs / Teams / Bookings

Orgs / Teams / Conferencing

Orgs / Teams / Event Types

Orgs / Teams / Event Types / Private Links

Orgs / Teams / Invite

Orgs / Teams / Memberships

Orgs / Teams / Roles

Orgs / Teams / Roles / Permissions

Orgs / Teams / Routing forms

Orgs / Teams / Routing forms / Responses

Orgs / Teams / Schedules

Orgs / Teams / Stripe

Orgs / Teams / Users / Schedules

Orgs / Teams / Workflows

Orgs / Users

Orgs / Users / Bookings

Orgs / Users / OOO

Orgs / Users / Schedules

Orgs / Webhooks

Api Keys

Bookings

Bookings / Attendees

Bookings / Guests

Cal Unified Calendars

Calendars

Conferencing

Deprecated: Platform / Managed Users

Deprecated: Platform / Webhooks

Deprecated: Platform OAuth Clients

Destination Calendars

Event Types

Event Types / Webhooks

Event Types Private Links

Managed Orgs

Me

OAuth2

Organization Team Verified Resources

Out of Office

Routing forms

Schedules

Selected Calendars

Slots

Stripe

Teams

Teams / Bookings

Teams / Event Types

Teams / Event Types / Webhooks

Teams / Invite

Teams / Memberships

Teams / Schedules

Teams / Users / OOO

Teams Verified Resources

Verified Resources

Webhooks

​Roles

​Role hierarchy

​Organization roles grant team access

​Managing memberships

​PBAC (Permission-Based Access Control)

​How it works

​Setting up PBAC

​Managing roles and permissions

​Roles

​Role permissions

​Endpoint descriptions

Roles

Role hierarchy

Organization roles grant team access

Managing memberships

PBAC (Permission-Based Access Control)

How it works

Setting up PBAC

Managing roles and permissions

Roles

Role permissions

Endpoint descriptions