Question

Can any power user use API calls?

  • May 1, 2026
  • 2 replies
  • 20 views

Jtischler
Helper II

I have looked but not found documentation on who can use APIs. I have a function that wants to pull reporting on a few select courses via API. I want to make sure that if I create a profile and permission it for reporting and the appropriate course/user resources, they will not be able to perform any other API calls successfully, only the GETs related to the report they are executing. That way I don't need to provide the Superadmin role.

Bonus points if you can share the knowledge document link 😀

TIA!

2 replies

  • Helper III
  • May 4, 2026

If you use the Owner Password grant in the API, they are essentially just logging in as themselves and will be limited based on their Power User profile and assigned resources.


EDIT - Forgot to include the link to the Developer Portal.  It’s super helpful - https://developer.docebo.com/docs/apis-authentication


Moshe.Machlav
Helper III

Before diving into the custom API setup, have you looked at scheduling a custom report to an SFTP server, or using Docebo Connect to push the data to your endpoint? Having Docebo automatically push the reporting data out is often much more reliable than maintaining an external script to pull it, and it might get you there without any custom integration work at all.

That said, if your function strictly requires pulling via the API, your logic is spot on: you absolutely do not need to provide Superadmin access. Docebo's API inherently respects the role-based access control (RBAC) of the authenticated user.

If you authenticate the API call using a Power User's credentials (typically using the Resource Owner Password Credentials grant), the resulting token is strictly bound to that user's profile and resource limits.

  • If the profile only grants reporting permissions, any POST, PUT, or DELETE requests your function attempts will simply fail with a 403 Forbidden error.

  • Because their profile is restricted to specific courses and users, their GET calls will only return data associated with those exact resources.

In organizations I've worked with, this is the exact pattern we use for external dashboards and BI tool integrations. Instead of generating a Superadmin token (which is a massive security risk for read-only tasks), we create a dedicated "Service Account" Power User. We lock its permissions down to a reporting-only profile and assign it only the necessary branches or catalogs. It holds up incredibly well and keeps InfoSec teams very happy.

Just keep in mind that a Superadmin will still need to be the one to generate the initial OAuth2 Client ID and Secret in the API and SSO menu, but your external function will authenticate using the Power User's username and password.

For the bonus points, this limitation is explicitly called out in the Developer Portal documentation here: Send your first requests using the API browser – Docebo Developer Portal (Check the "Method 2" section, which notes: "Irrespective of how you authenticate, the actions you can perform via the API browser will be constrained by the permissions of your platform account. If you are a Power User, you may not be able to make certain calls or access certain resources.")
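The flow the two replies describe, worked through as an added example (it is not code from this thread or from Docebo): obtain a token with the Power User's own username and password via the Resource Owner Password Credentials grant, then make only the GETs the report needs. The `/oauth2/token` endpoint and `grant_type=password` follow the authentication page linked above; the `/learn/v1/courses/{id}` path, the `scope=api` value, the domain, all credentials and the `FakeDocebo` class are assumptions or constructed stand-ins so the script runs offline. The fake server models the two outcomes the reply lists (403 on any write, 403 on a course outside the assigned resources), and the client adds a read-only guard of its own as defence in depth; that guard is not a substitute for a properly restricted profile, since the token itself is what the platform checks.

```python
"""Read-only Docebo reporting client bound to a Power User's OAuth2 token (added example)."""
import io
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

READ_ONLY_METHODS = {"GET", "HEAD"}

def build_token_request(base_url, client_id, client_secret, username, password):
    # Resource Owner Password Credentials grant: client id/secret identify the OAuth2
    # app a Superadmin registered under API and SSO; username/password are the Power
    # User's, so the issued token carries that user's profile and resource assignments.
    # Endpoint per the Developer Portal; "scope": "api" is an assumption.
    body = urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password, "scope": "api"}).encode()
    return urllib.request.Request(f"{base_url}/oauth2/token", data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})

def fetch_token(opener, base_url, client_id, client_secret, username, password):
    req = build_token_request(base_url, client_id, client_secret, username, password)
    with opener.open(req) as resp:
        return json.loads(resp.read())["access_token"]

class ReadOnlyClient:
    """Sends only GET/HEAD. The platform enforces the profile server-side; this guard
    is defence in depth so a bug in the reporting function can never turn the service
    account's token into a write attempt."""

    def __init__(self, base_url, token, opener):
        self.base_url, self.token, self.opener = base_url.rstrip("/"), token, opener

    def request(self, method, path, params=None):
        method = method.upper()
        if method not in READ_ONLY_METHODS:
            raise PermissionError(f"{method} blocked: reporting client is read-only")
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        req = urllib.request.Request(url, method=method,
                                     headers={"Authorization": f"Bearer {self.token}"})
        try:
            with self.opener.open(req) as resp:
                return json.loads(resp.read())
        except HTTPError as err:
            if err.code == 403:  # token is valid, but the profile does not cover this call
                raise PermissionError(f"403 from platform for {method} {path}") from err
            raise

def server_status(opener, base_url, token, method, path):
    # Raw request with no client-side guard, to observe the platform's own decision.
    req = urllib.request.Request(base_url + path, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with opener.open(req):
            return 200
    except HTTPError as err:
        return err.code

class FakeDocebo:
    """Constructed stand-in for the platform so the example runs offline. Models one
    reporting-only Power User whose profile is assigned courses 101 and 102 (assumed)."""
    ALLOWED_COURSES = {101, 102}
    TOKEN = "constructed-power-user-token"

    def open(self, req):
        method, path = req.get_method(), urllib.parse.urlparse(req.full_url).path
        if path == "/oauth2/token" and method == "POST":
            if urllib.parse.parse_qs(req.data.decode()).get("grant_type") != ["password"]:
                raise HTTPError(req.full_url, 400, "unsupported grant", {}, None)
            return io.BytesIO(json.dumps({"access_token": self.TOKEN}).encode())
        if req.get_header("Authorization") != f"Bearer {self.TOKEN}":
            raise HTTPError(req.full_url, 401, "unauthorized", {}, None)
        if method != "GET":  # reporting-only profile: no writes at all
            raise HTTPError(req.full_url, 403, "forbidden", {}, None)
        parts = path.strip("/").split("/")
        if parts[:3] == ["learn", "v1", "courses"] and len(parts) == 4:  # assumed path
            if int(parts[3]) not in self.ALLOWED_COURSES:  # outside assigned resources
                raise HTTPError(req.full_url, 403, "forbidden", {}, None)
            return io.BytesIO(json.dumps({"data": {"id": int(parts[3])}}).encode())
        raise HTTPError(req.full_url, 404, "not found", {}, None)

def run_demo():
    # Token via the password grant, then in-scope GET, out-of-scope GET, blocked write.
    server, base = FakeDocebo(), "https://example.docebosaas.com"  # constructed domain
    token = fetch_token(server, base, "client-id", "client-secret", "report.svc", "hunter2")
    client = ReadOnlyClient(base, token, server)
    results = {"in_scope": client.request("GET", "/learn/v1/courses/101")["data"]["id"]}
    for label, method, path in [("out_of_scope", "GET", "/learn/v1/courses/999"),
                                ("write_via_client", "DELETE", "/learn/v1/courses/101")]:
        try:
            results[label] = client.request(method, path)
        except PermissionError as err:
            results[label] = str(err)
    results["write_status_from_server"] = server_status(server, base, token, "DELETE", "/learn/v1/courses/101")
    return results

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Swap `FakeDocebo()` for `urllib.request.build_opener()` and the real platform domain to run it for real. Because the password grant means the function holds the Power User's actual password, keep that credential and the client secret in a secrets store rather than in the script, and give the service account nothing beyond the reporting profile and the courses the report covers.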