Set Up Roles via API
Checklist for granting ATK system roles and token roles before issuing assets
This guide shows how to get the permission required by the ATK API. Inside you’ll find:
- A complete catalog of system, token, and add-on roles with one-line descriptions of when they matter.
- The exact methods (
client.system.accessManager.grantRole,client.token.grantRole, add-on grant routes) plus request shapes for single or multi-role assignments. - A minimal workflow (sign in → inspect current roles → grant → verify) you can reuse before running any issuance, collateral, compliance, or add-on automation.
Role types you need to know
System roles — grant with client.system.accessManager.grantRole
These live on the Access Manager contract and control every platform-wide capability. The endpoint accepts one role per call, so run it once for each role you need on a given wallet.
| Role | What it controls | When to grant it |
|---|---|---|
admin | Root authority that can grant or revoke every other system role. | Keep on the platform ops account; required before you can delegate the rest. |
systemManager | Core system configuration (upgrades, registering factories/modules). | Rarely granted to EOAs; only to the ops team running the deployment. |
identityManager | Identity registry maintenance (register/recover identities, onboarding). | Needed by compliance/onboarding teams managing identities outside the UI. |
tokenManager | Token factory calls such as /api/token/create. | Every wallet that deploys assets needs this regardless of asset class. |
complianceManager | Global compliance module setup, bypass lists, enforcement toggles. | Use when configuring custom compliance flows or allowlists. |
addonManager | Registering and configuring add-on factories; also unlocks the Addons sidebar without needing admin. | Needed when rolling out optional protocol extensions (token sale, yields, etc.). |
claimPolicyManager | Trusted issuer + claim topic management via /api/system/trusted-issuers. | Required for any workflow that checks collateral/KYC claims before minting. |
claimIssuer | Permission to create claims on identities (trust decided separately). | Grant to auditors or service providers that issue attestations. |
organisationIdentityManager | Organisation-level claim management (KYC/AML/licenses). | Use for corporate ops that maintain entity credentials. |
auditor | Read-only access to permissions, identities, and audit state. | Assign to internal/external auditors that need visibility without write access. |
systemModule | Lets a module contract manage other system components. | Granted to module contracts themselves during deployment. |
identityRegistryModule | Administrative control of the identity registry module. | Granted to module contracts or tooling that automate registry tasks. |
tokenFactoryRegistryModule | Manages token factory registries. | Usually assigned to module contracts, not EOAs. |
tokenFactoryModule | Direct control over token factory modules. | Needed by automation or module contracts deploying assets. |
addonRegistryModule | Controls the add-on registry module. | Given to registry automation or governance contracts. |
addonModule | Lets an add-on module register instances. | Granted to the add-on module contracts themselves. |
trustedIssuersMetaRegistryModule | Manages the trusted issuer meta-registry. | Assigned to system automation that syncs issuer lists across modules. |
Need to grant several system roles to the same wallet? Call
grantRolesonce per role.
Token & asset roles — grant with client.token.grantRole
Once a token contract exists, you can grant multiple contract roles in a single request by listing them in the roles array.
| Role | What it controls | When to grant it |
|---|---|---|
governance | Token policy, verification, and compliance settings. | Assign to the team that tunes compliance modules or governance parameters. |
supplyManagement | Mint/burn permissions via /api/token/{contract}/mint. | Required for every operator that issues, redeems, or retires supply. |
custodian | Freezes, forced transfers, and asset recovery. | Grant to custody/operations teams responsible for interventions. |
emergency | Pause/unpause and ERC20 recovery actions. | Needed for the team that handles incident response or post-deploy unpausing. |
Add-on roles — grant through each add-on’s endpoint
Add-on contracts (e.g., the token sale module) expose their own AccessControl roles. Factories usually grant the initial operator automatically, but you can add more operators through the add-on’s dedicated grant-role endpoint (see that add-on’s API reference for the exact route).
| Role | Contract scope | When to grant it |
|---|---|---|
saleAdmin | Configures and operates a token sale (pricing, limits, lifecycle). | Give to the primary issuance lead for each sale contract. |
fundsManager | Withdraws proceeds collected by a token sale add-on. | Assign to treasury/custody wallets that sweep sale revenue. |
How to combine them
- Make sure someone on your team has the
adminrole so they can perform the system-level grants. - Every wallet that deploys assets must receive
tokenManager. - If the asset type requires collateral claims or other trusted-issuer checks, grant
claimPolicyManagerand finish the trusted-issuer registration (Step 3). - After deployment, each contract you plan to mint from must grant
supplyManagement(for issuance) andemergency(for unpausing or operational recovery). - If the role already exists on your wallet, the grant endpoint will simply return success without duplicates, so it is safe to re-run during audits.
Prerequisites
- Platform base URL (e.g.,
https://your-platform.example.com) - ATK account with PINCODE enabled (
Account Settings → Security) adminsystem role so you are allowed to grant other roles (or an administrator who can run the system-level grant calls for you)
Step 0: Initialize Client and capture your wallet
Initialize the ORPC client and fetch your wallet address.
Step 1: Check your current system roles
- The
rolesarray should list every system role you expect from the table above.
Step 2: Grant system roles
Replace:
role: Any value from the system table above (tokenManager,claimPolicyManager,auditor, etc.)
Only
adminusers can call this endpoint. If you are not an admin, ask someone who is to run the command for your wallet address.
Step 3: Register identity (REQUIRED before minting)
CRITICAL: You must register an identity before you can receive tokens. This is required by the ERC-3643 standard for compliant security tokens.
Parameters:
wallet: Your wallet address (from Step 0)country: ISO 3166-1 alpha-2 country code (e.g., "BE" for Belgium, "US" for USA, "GB" for UK)
What this does:
- Checks if an identity contract exists for your wallet
- If identity exists but isn't registered, registers it with a country/jurisdiction
- If no identity exists, creates an on-chain identity contract and registers it
- Enables you to receive compliant tokens
Note: The script handles all cases: if you already have an identity and it's registered, it skips both steps. If you have an identity but it's not registered, it will register it. If you don't have an identity, it creates and registers it.
Step 4: Register as a trusted issuer
Skip this section if you don't need to issue claims (e.g., KYC, AML, collateral, accredited investor status) for identities in the system.
What this does:
- Registers you as a trusted issuer authorized to issue claims for specific topics
- Allows you to create claims on identities using
client.system.identity.claim.create - Required for any workflow that needs claim attestations (compliance verification, collateral management, investor classification, etc.)
Parameters:
issuerAddress: Your identity contract address (from Step 3)claimTopicIds: Array of topic IDs you want to issue claims for (get available topics usingclient.system.claimTopics.topicList)
Note: This registration call requires the claimPolicyManager role from Step 2 and identity from Step 3. Only needs to be done once per issuer/topic combination.
Step 5: Grant token-level roles
Once a token contract is created, give yourself both minting and unpausing permissions in a single request:
Notes:
- To add more token powers (e.g.,
governance,custodian), include them in the"roles"array from the token table above. - You can grant roles to multiple operators by changing
"address". supplyManagementunlocks/mint, whileemergencyunlocks/unpause.
Step 6: Verify everything at a glance
- System roles: rerun the Step 1
client.system.accessManager.rolesListcall and confirm therolesarray includes the values you granted. - Identity: call
client.system.identity.me({})to verify your identity exists - Token roles: call
client.token.holders(or check token details) and confirm theaccessControl.supplyManagementandaccessControl.emergencyarrays contain your wallet address, or simply retry thegrantRolecall—if you already have the roles, the response will note no change.
Using the API
Build DALP lifecycle operations with type-safe ORPC procedures. This guide shows how to implement vault operations, DvP settlements, and yield claims through composable API patterns that connect React components to blockchain contracts and database state.
API reference
Interactive ORPC API documentation with live testing capabilities. Explore type-safe procedures for token lifecycle, DALP operations, compliance enforcement, and identity management.