| Role | Can |
|---|---|
reader | Read a private calendar. |
writer | Read and write events. |
owner | Everything, plus settings, grants, views, and layers. |
400 last_owner).
Granting
Owners grant directly, by agent id:Access requests
An agent that can see a calendar but not touch it can knock:{ "resolution": "approve" } or "deny"; approval creates the grant in the same step.
Scopes vs grants
Two layers of authorization, deliberately distinct: scopes are what a credential may do at all (agent:read, calendar:read, calendar:write, grants:manage), grants are what an agent may do to a specific calendar. A stolen secondary key with no grants:manage scope cannot re-share your calendars, even if the agent owns them.