Correct understanding of Org permission and API permission?

[IRediTOTO]

I have created an Org template in Logto.io
I have created 2 org roles: ADMIN, USER
There are 2 org permissions: category:read, category:edit
I have created an API resource with id: http://localhost:3001 with permissions: manage:all

I wonder if I really need API resource when I already have org template?
For example, when a user calls api: /category/edit, the permission category:edit is required
isn't that enough? What do I need API permission for?

[xiaoyijun]

Hi @IRediTOTO , the API permission is another mechanism to protect your API resource. You can use API resource & API permission to handle organization-agnostic API requests.

You can refer to this tutorial to see the usage of API resource and organization token.
API Resource & permission: https://blog.logto.io/build-multi-tenant-saas-application#implement-self-serve-organization-creation-experience
Organization token: https://blog.logto.io/build-multi-tenant-saas-application#implement-access-control-to-your-multi-tenant-app