# Get current identity and permissions

> Returns the authenticated caller's own identity, API key scope, organization role, and resolved per-model permissions. 

Self-scoped and available to non-admins: it lets a caller decide whether an action is permitted without attempting it. Pass `modelId` to scope `rolesByModel` to specific models.




## OpenAPI

````yaml /api/openapi.yaml get /v1/whoami
openapi: 3.1.0
info:
  title: Omni API
  description: >
    The Omni REST API provides programmatic access to your Omni instance for
    managing users, documents, queries, schedules, and more.  
  version: 1.0.0
  contact:
    name: Omni Support
    url: https://docs.omni.co
servers:
  - url: https://{instance}.omniapp.co/api
    description: Production
    variables:
      instance:
        default: blobsrus
        description: Your production Omni instance subdomain
  - url: https://{instance}.playground.exploreomni.dev/api
    description: Playground
    variables:
      instance:
        default: blobsrus
        description: Your playground Omni instance subdomain
security:
  - bearerAuth: []
  - orgApiKey: []
tags:
  - name: Who Am I
    description: Inspect your own user permissions
  - name: AI
    description: AI-powered query generation
  - name: AI Credit Controls
    description: Manage organization-level AI credit usage
  - name: AI Eval
    description: >-
      AI evaluation: manage prompt sets and runs used to score AI quality
      against curated prompt suites.
  - name: AI Model Suggestions
    description: Manage AI-generated suggestions for shared models
  - name: AI Routines
    description: >-
      Manage AI Routines: schedule recurring AI-powered tasks to run
      automatically on your data.
  - name: Documents v2
    description: >
      A draft-based workflow for creating and editing documents: create a
      document, patch a draft, then publish. Replaces the one-shot `PUT`/`PATCH`
      v1 document write endpoints.
  - name: Documents
    description: Create, retrieve, and manage documents
  - name: API Tokens
    description: >-
      Manage API tokens (Organization keys, Personal Access Tokens, MCP OAuth
      grants)
  - name: Connections
    description: Manage database connections
  - name: Connection environments
    description: Manage connection environments for database connections
  - name: Content
    description: Unified content retrieval (documents and folders)
  - name: Content migration
    description: Export and import dashboards
  - name: Content validator
    description: Validate content against models and perform find/replace operations
  - name: Dashboard downloads
    description: Download dashboards and tiles as PDF, PNG, XLSX, CSV, or JSON files
  - name: Dashboard filters and controls
    description: Read and update dashboard filter and control default values
  - name: dbt
    description: Manage dbt configuration for connections
  - name: Document favorites
    description: Favorite and unfavorite documents
  - name: Document labels
    description: Apply and manage labels on documents
  - name: Document permissions
    description: Manage document-level access
  - name: Labels
    description: >
      Manage labels in an organization. Labels can be applied to documents and
      folders to help organize and categorize content.


      **Label types:**

      - **Basic labels**: Can be created and managed by any user

      - **Verified labels**: Indicate curated or officially sanctioned content.
      Admin-only.

      - **Homepage labels**: Appear on the organization homepage. Admin-only.
  - name: Folders
    description: Create and organize content folders
  - name: Folder permissions
    description: Manage folder-level access
  - name: Jobs
    description: Check status of asynchronous jobs
  - name: Models
    description: Create and manage data models
  - name: Model branches
    description: Manage model branches and merge changes
  - name: Model git configuration
    description: Manage git configuration for shared models
  - name: Queries
    description: Execute workbook queries
  - name: Schedules
    description: Create and manage scheduled tasks
  - name: Schedule recipients
    description: Manage schedule recipients
  - name: Schema refresh schedules
    description: Manage automated schema refresh schedules for connections
  - name: Topics
    description: Retrieve topic information from models
  - name: Uploads
    description: Manage file uploads
  - name: Users
    description: Manage users
  - name: User attributes
    description: Manage user attribute definitions
  - name: User groups
    description: Manage user groups
  - name: User model roles
    description: Manage model and connection role assignments for users
  - name: User group model roles
    description: Manage model and connection role assignments for user groups
  - name: Uploads
    description: Manage CSV and spreadsheet uploads
paths:
  /v1/whoami:
    get:
      tags:
        - Who Am I
      summary: Get current identity and permissions
      description: >
        Returns the authenticated caller's own identity, API key scope,
        organization role, and resolved per-model permissions. 


        Self-scoped and available to non-admins: it lets a caller decide whether
        an action is permitted without attempting it. Pass `modelId` to scope
        `rolesByModel` to specific models.
      operationId: whoami
      parameters:
        - name: modelId
          in: query
          schema:
            type: string
            example: 550e8400-e29b-41d4-a716-446655440000
          required: false
          description: >
            Optional model filter. A single model ID or a comma-separated list.


            When provided, `rolesByModel` in the response will contain only
            these models. When omitted, models the caller can access are
            returned up to a limit; see `rolesByModelTruncated`.
      responses:
        '200':
          description: Caller's identity, key scope, org role, and per-model permissions
          content:
            application/json:
              schema:
                type: object
                required:
                  - keyScope
                  - orgRole
                  - rolesByModel
                  - user
                properties:
                  keyScope:
                    type: string
                    enum:
                      - user
                      - organization
                    description: >
                      Scope of the API key in use.


                      - `user` - Personal Access Token. This is a user-scoped
                      key (PAT/OAuth) that acts as a single user and cannot use
                      SCIM, regardless of the user's organization role.

                      - `organization` - Organization API key
                  orgRole:
                    type: string
                    enum:
                      - MEMBER
                      - ORG_ADMIN
                    description: The caller's organization role.
                    example: MEMBER
                  rolesByModel:
                    type: object
                    additionalProperties:
                      $ref: '#/components/schemas/WhoamiModelRole'
                    description: >-
                      Resolved role and effective permissions per model, keyed
                      by model ID. Connection role resolves per shared model, so
                      this is per-model rather than a single global role.
                  rolesByModelTruncated:
                    type: boolean
                    description: >-
                      Present and `true` when `rolesByModel` was truncated
                      because the caller can access more models than the
                      unfiltered limit. Pass a `modelId` filter to retrieve
                      specific models.
                  user:
                    $ref: '#/components/schemas/WhoamiUser'
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError401'
        '404':
          description: >-
            One or more requested `modelId`s do not exist or are not accessible
            to the caller
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError403'
components:
  schemas:
    WhoamiModelRole:
      type: object
      required:
        - baseRole
        - connectionId
        - permissions
        - roleName
      properties:
        baseRole:
          type: string
          description: The resolved base role. For custom roles, the base role they extend.
          example: QUERIER
        connectionId:
          type: string
          description: The connection this model belongs to
        permissions:
          type: array
          items:
            type: string
            enum:
              - QUERY_FULL_MODEL
              - QUERY_SQL
              - VIEW_SQL
              - QUERY_TOPICS
              - RUN_CONTENT_QUERIES
              - DOWNLOAD_CONTENT_QUERY
              - UPLOAD_CSV
              - SCHEDULE
              - SAVE_SPREADSHEETS
              - USE_AI
              - USE_WORKBOOKS
              - UPDATE
              - UPDATE_RESTRICTED
          description: >
            The caller's resolved/effective permissions on this model,
            reflecting custom roles. This is a capability signal for the
            directly-roleable model kinds (schema / shared / extension).


            It does not enumerate the permissions you derive on branch,
            workbook, and query models from your role on the base model they
            descend from - absence here does not mean you lack access on those
            derived models. `MANAGE_MODEL`, `READ`, and `REFRESH_SCHEMA` are
            also not reported: they derive from connection / sibling-model roles
            rather than a per-model rule.
          example:
            - QUERY_TOPICS
            - QUERY_SQL
            - USE_WORKBOOKS
        roleName:
          type: string
          description: >-
            The resolved role name; may be a custom role. Use `permissions` to
            decide capability.
          example: QUERIER
    WhoamiUser:
      type: object
      required:
        - id
        - membershipId
      properties:
        id:
          type: string
          description: The caller's user ID
        membershipId:
          type: string
          description: >-
            The caller's own membership ID within this organization. This is the
            ID accepted by the [Get model roles
            endpoint](/api/user-model-roles/retrieve-user-model-roles) and is
            distinct from the user ID.
    ApiError401:
      type: object
      properties:
        detail:
          type: string
          description: Human-readable error message describing what went wrong.
          example: 'Unauthorized: Missing or invalid API key'
        status:
          type: integer
          description: HTTP status code of the error.
          example: 401
      required:
        - detail
        - status
    ApiError403:
      type: object
      properties:
        detail:
          type: string
          description: Human-readable error message describing what went wrong.
          example: 'Forbidden: AI query generation is not enabled for this organization'
        status:
          type: integer
          description: HTTP status code of the error.
          example: 403
      required:
        - detail
        - status
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >
        Can be either an [Organization API
        Key](/api/authentication#organization-api-keys) or [Personal Access
        Token (PAT)](/api/authentication#personal-access-tokens-pat).


        Include in the `Authorization` header as: `Bearer YOUR_TOKEN`
    orgApiKey:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >
        Requires an [Organization API
        Key](/api/authentication#organization-api-keys). Personal Access Tokens
        (PATs) are not supported for this endpoint.


        Include in the `Authorization` header as: `Bearer ORGANIZATION_API_KEY`

````
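
The following client-side check is an added example, not part of Omni's documentation or code. It turns a parsed `/v1/whoami` body into a three-way decision that honors the caveats in the schema above; the function names, the `Decision` type, and the sample response (IDs and role name included) are constructed for illustration.

```python
from enum import Enum

# The spec says these are never reported by /v1/whoami, so it cannot decide them.
UNREPORTED = {"MANAGE_MODEL", "READ", "REFRESH_SCHEMA"}

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    UNKNOWN = "unknown"  # the response alone cannot answer; do not read it as "no"

def can(whoami, model_id, permission):
    """Decide `permission` on `model_id` from a parsed /v1/whoami body."""
    if permission in UNREPORTED:
        return Decision.UNKNOWN
    entry = whoami["rolesByModel"].get(model_id)
    if entry is None:
        # A missing key has several causes: a truncated list
        # (rolesByModelTruncated), a modelId filter that named other models,
        # or a branch/workbook/query model whose access is derived from its base.
        return Decision.UNKNOWN
    # Decide on `permissions`, never `roleName`: custom roles can carry any name.
    return Decision.ALLOW if permission in entry["permissions"] else Decision.DENY

def scim_blocked(whoami):
    """User-scoped keys (PAT/OAuth) cannot use SCIM, whatever the org role."""
    return whoami["keyScope"] == "user"

# Constructed sample response: IDs and the custom role name are made up.
SAMPLE = {
    "keyScope": "user",
    "orgRole": "ORG_ADMIN",
    "rolesByModelTruncated": True,
    "rolesByModel": {"model-a": {
        "baseRole": "QUERIER", "connectionId": "conn-1",
        "roleName": "Analyst (custom)",
        "permissions": ["QUERY_TOPICS", "USE_WORKBOOKS"],
    }},
    "user": {"id": "user-1", "membershipId": "membership-1"},
}

if __name__ == "__main__":
    for perm in ("QUERY_TOPICS", "QUERY_SQL", "READ"):
        print("model-a", perm, can(SAMPLE, "model-a", perm).value)
    print("model-b", "QUERY_TOPICS", can(SAMPLE, "model-b", "QUERY_TOPICS").value)
    print("SCIM blocked:", scim_blocked(SAMPLE))
```

For a directly-roleable model, an `UNKNOWN` caused by a missing key can be resolved by repeating the request with that `modelId`, which yields either an entry or the 404 described in the spec.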