Storyblok uses a space-based collaboration model where users are invited to individual spaces with assigned roles. The platform offers both built-in roles and a custom role system that can restrict access down to specific folders, components, and content stages. API tokens are managed separately with their own access levels, giving precise control over programmatic content delivery.
Permission model
Storyblok's access control operates at three levels:
- Organization -- the top-level account that owns one or more spaces. Organization admins manage billing, SSO, and member access across all spaces.
- Space roles -- each collaborator in a space gets a role that controls what they can do. Built-in roles have fixed permissions; custom roles allow granular configuration.
- Custom role permissions -- on Team and Enterprise plans, custom roles can restrict access by: specific folders (and their children), allowed components, content stages (draft/published), and specific features (publishing, asset management, activity log).
Permissions are additive within a role definition but there is no multi-role assignment -- each user gets exactly one role per space.
Built-in roles
| Role | Permissions | Plan |
|---|---|---|
| Owner | Full space control: billing, settings, members, all content operations, API tokens | All |
| Admin | All content operations, manage members, manage components and datasources, configure space settings. No billing. | All |
| Editor | Create, edit, publish, delete stories. Manage assets. No settings or member management. | All |
| Custom roles | Configurable: restrict to folders, components, stages, features | Team+ |
Custom roles are created at Settings > Roles and can specify:
- Allowed paths -- restrict to specific folders (e.g., `/blog/`, `/en/products/`)
- Component whitelist -- only allow editing of specific component types
- Content stage access -- allow editing drafts only (no publishing), or full publish rights
- Feature toggles -- enable/disable access to: Assets, Datasources, Activity Log, Releases, Pipelines
Admin UI paths
| Task | Location |
|---|---|
| Manage space members | Settings > Members |
| Invite collaborators | Settings > Members > Invite |
| Change member role | Settings > Members > [User] > Edit role |
| Create custom roles | Settings > Roles > New Role |
| Manage API tokens | Settings > Access Tokens |
| Organization management | Organization Dashboard (app.storyblok.com > Organization) |
| SSO configuration | Organization > SSO (Enterprise) |
| Activity Log | Sidebar > Activity Log |
| Component management | Block Library (sidebar) |
API access management
Content Delivery API (CDN):
- Read-only REST API at `https://api.storyblok.com/v2/cdn/`
- Access tokens created at Settings > Access Tokens
- Token types: Public (published content only) or Preview (draft + published). A Public token is the one intended for client-side code; a Preview token discloses unpublished drafts and belongs only in server-side or preview-environment code.
- Pass as `token` query parameter or `Authorization` header
- Tokens are space-scoped; one token accesses all stories in the space, so a single leaked Preview token exposes every draft in that space
Management API:
- Full CRUD API at `https://mapi.storyblok.com/v1/spaces/{space_id}/`
- Requires a Personal Access Token (PAT) created in user account settings, or an OAuth token
- PATs are bound to the user, not to a space: they inherit the user's role permissions across every space that user belongs to, so a PAT leaked from a CI job has the same reach as that user's login. Create PATs from a dedicated automation user that holds the narrowest role the job needs, rather than from an Owner or Admin account.
- Used for CI/CD pipelines, content migration, and automation
Webhooks:
- Configured at Settings > Webhooks
- Trigger on story publish/unpublish/move/delete events
- Set a webhook secret so the receiver can verify the signature on each delivery; without it, anyone who discovers the endpoint URL can post forged publish or delete events
- Each webhook can be filtered by story-level events
OAuth2 Apps:
- Storyblok supports OAuth2 app authentication for custom extensions
- Apps request specific scopes during installation
- Tokens are space-scoped with permissions matching the installing user's role
Analytics-specific permissions
Storyblok is a headless CMS, so analytics implementation happens in the consuming frontend. Storyblok's role in analytics governance:
- Field-level analytics configuration -- if you use Storyblok fields to store tracking IDs (GA Measurement ID, GTM container ID), any Editor can modify them. Use custom roles to restrict the component containing analytics fields to specific users.
- Custom field type plugins -- Storyblok field plugins can embed analytics dashboards or configuration UIs. Access follows the component-level permissions of the containing block.
- Activity Log -- tracks all content changes including who published what and when. Accessible to Admins and users with Activity Log feature enabled in their custom role. Use this to audit who changed analytics-related content.
- Releases -- scheduled content releases can include analytics configuration changes. Release Manager capability requires Admin role or a custom role with Releases feature enabled.
- API tokens for analytics pipelines -- create a dedicated token for your analytics service to query content metadata. Use a Public token unless the pipeline genuinely needs draft content, since a Preview token exposes unpublished drafts. Label it clearly (e.g., "Analytics Pipeline - Read Only") so it can be revoked independently of other integrations.
- Storyblok Analytics (Insights) -- on Business+ plans, Storyblok provides content performance insights directly in the editor. Access is available to all space members; it cannot be restricted per role.
For analytics-only access, create a custom role with:
- Allowed paths: only folders containing analytics configuration content
- Component whitelist: only analytics-related components
- No publishing permission (draft-only access to suggest changes)
- Activity Log enabled for audit trail access
Sub-pages
- Roles and Permissions -- custom role configuration, folder and component restrictions, and content stage permissions
- Adding and Removing Users -- inviting collaborators, managing access tokens, and offboarding from spaces