> ## Documentation Index > Fetch the complete documentation index at: https://onecli.sh/docs/llms.txt > Use this file to discover all available pages before exploring further. # Set app permissions > Updates tool-level permissions for a provider. Requires admin role. ## OpenAPI ````yaml /openapi.yaml put /org/rules/permissions/{provider} openapi: 3.1.0 info: title: OneCLI API version: '1.0' description: > The OneCLI API lets you manage agents, secrets, policy rules, app connections, and user settings programmatically. **Base URL:** `https://api.onecli.sh/v1` (Cloud) or `http://localhost:10254/v1` (self-hosted) ## Authentication All endpoints require authentication via one of: - **API Key** — `Authorization: Bearer ` header. Generate keys in the dashboard or via `GET /v1/user/api-key`. - **Session** — Cookie-based session from the web dashboard. For organization-scoped API keys, include the `X-Project-Id` header to specify which project to operate on. servers: - url: https://api.onecli.sh/v1 description: OneCLI Cloud - url: http://localhost:10254/v1 description: Self-hosted (Docker) security: - bearerAuth: [] tags: - name: Agents description: Manage agents and their access tokens, secrets, and configuration. - name: Secrets description: Manage credentials that the gateway injects into outbound requests. - name: Rules description: >- Manage policy rules that control how agents interact with external services. - name: User description: Manage your user profile and API keys. - name: Projects description: >- Manage projects within your organization. Requires admin role for create/update and owner role for delete. Cloud only. - name: Team description: Provision team members programmatically. Requires admin role. Cloud only. - name: Apps description: >- Manage app connections (OAuth and direct credentials) and BYOC configuration. - name: Organization Secrets description: >- Manage secrets at the organization level. Organization secrets apply across all projects. Cloud only. - name: Organization Rules description: >- Manage policy rules at the organization level. Organization rules apply across all projects. Cloud only. - name: Organization Connections description: Manage app connections at the organization level. Cloud only. - name: Organization App Config description: Manage BYOC app configuration at the organization level. Cloud only. - name: Partner Organizations description: >- Create and manage customer organizations as a partner. Requires a Partner API key. Cloud only. - name: Partner Projects description: Manage projects within an unclaimed partner organization. Cloud only. - name: Partner Secrets description: >- Manage partner-level secrets inherited by every organization you manage. Cloud only. - name: Partner Budgets description: >- Cap how much an organization can spend on a partner LLM key. Owner or admin only. Cloud only. - name: Partner Members description: >- Manage who can sign in to your partner portal. Owner or admin only. Cloud only. - name: Organization Partner description: Inspect and detach an organization's partner relationship. Cloud only. paths: /org/rules/permissions/{provider}: put: tags: - Organization Rules summary: Set app permissions description: Updates tool-level permissions for a provider. Requires admin role. operationId: setAppPermissions parameters: - $ref: '#/components/parameters/provider' requestBody: required: true content: application/json: schema: type: object required: - changes properties: changes: type: array minItems: 1 items: $ref: '#/components/schemas/PermissionChange' conditions: type: array maxItems: 10 items: $ref: '#/components/schemas/RuleCondition' responses: '200': description: Permissions updated content: application/json: schema: type: object '400': description: Validation error or unknown provider content: application/json: schema: $ref: '#/components/schemas/Error' '403': description: Insufficient permissions (requires admin role) content: application/json: schema: $ref: '#/components/schemas/Error' components: parameters: provider: name: provider in: path required: true schema: type: string description: App provider identifier (e.g., `gmail`, `github`, `jira`) schemas: PermissionChange: type: object required: - toolId - permission properties: toolId: type: string minLength: 1 permission: type: string enum: - allow - manual_approval - block RuleCondition: type: object description: >- A condition that must match for the rule to apply. Conditions inspect the request body to enable fine-grained filtering beyond host/path/method. required: - target - operator - value properties: target: type: string enum: - body description: What part of the request to inspect. operator: type: string enum: - contains description: How to match the value against the target. value: type: string minLength: 1 maxLength: 1000 description: The string to match against. key: type: string maxLength: 500 description: Optional JSON key path within the body to scope the match. Error: type: object properties: error: type: string required: - error securitySchemes: bearerAuth: type: http scheme: bearer description: API key obtained from the dashboard or `GET /user/api-key` ````