# List authorizations

> List authorizations the caller is a party to (either side), newest
first. Use `role` to split the two intuitive views:

- `role=authorized` — "what customers can I act on?" (broker view).
- `role=granter`    — "who can act on my behalf?" (customer view).

`status` and `type` narrow further; omitting both returns every state
including `REVOKED` (kept for audit).

Honors `Nxos-On-Behalf-Of` — a broker can list a customer's grants by
pointing the header at the customer's org id.

Cursor-based pagination via the standard `limit` / `cursor` query
params; pass back the previous response's `nextCursor` to advance.
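
The sketch below is an added example, not nxos code. It walks `nextCursor` to the end of the `role=granter` listing, then reports which organizations hold live access. The names `list_all`, `audit`, `sample_fetch`, and the approved-broker allowlist are assumptions. `fetch` stands for any callable that performs the GET with the `Authorization: Bearer <api_key>` header and returns the decoded JSON envelope.

```python
def list_all(fetch, max_pages=50, **filters):
    """Follow nextCursor until hasMore is false; fail closed if the walk stalls."""
    params, seen, grants = {"limit": 100, **filters}, set(), []
    for _ in range(max_pages):
        page = fetch(params)
        grants.extend(page["data"])
        if not page["hasMore"]:
            return grants
        cursor = page["nextCursor"]
        if cursor is None or cursor in seen:
            raise RuntimeError("hasMore is true but cursor is missing or repeated")
        seen.add(cursor)
        params = {**params, "cursor": cursor}
    raise RuntimeError("page budget exhausted; listing is incomplete")


def audit(grants, approved):
    """Return (org ids with live access, findings) for role=granter results."""
    active, findings = [], []
    for g in grants:
        org = g["authorizedOrganizationId"]
        if g["status"] != "ACTIVE":
            continue  # PENDING and REVOKED rows cannot act on the granter's behalf
        active.append(org)
        if g["signedAt"] is None:
            findings.append((org, "ACTIVE but signedAt is null"))
        if org not in approved:
            findings.append((org, "ACTIVE grant to an org not on the approved list"))
    return active, findings


# Constructed two-page response standing in for the API; org ids are made up.
SIGNED = "2025-12-01T10:30:00.000Z"
ROWS = [("org_broker1", "ACTIVE", SIGNED), ("org_broker2", "REVOKED", SIGNED),
        ("org_broker3", "ACTIVE", SIGNED), ("org_broker4", "PENDING", None)]
GRANTS = [dict(zip(("authorizedOrganizationId", "status", "signedAt"), r)) for r in ROWS]
PAGES = {None: {"data": GRANTS[:2], "hasMore": True, "nextCursor": "cur_1"},
         "cur_1": {"data": GRANTS[2:], "hasMore": False, "nextCursor": None}}


def sample_fetch(params):
    """Stub transport; a real one would GET /v1/authorizations with these params."""
    return PAGES[params.get("cursor")]


def run_sample():
    return audit(list_all(sample_fetch, role="granter"), approved={"org_broker1"})
```

Because the unfiltered listing includes `REVOKED` rows, the audit filters on `status` itself rather than treating every returned row as live access.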



## OpenAPI

````yaml GET /v1/authorizations
openapi: 3.0.0
info:
  title: nxos API
  version: 1.0.0
  contact:
    name: nxos
    url: https://nxos.io
  description: |-
    The nxos platform API provides programmatic access to accounts, balances,
    quotes, and trades. All endpoints require API key authentication.
servers:
  - url: https://api.nxos.io
    description: Production
    variables: {}
  - url: https://api.sandbox.nxos.io
    description: Sandbox
    variables: {}
security: []
tags:
  - name: Accounts
  - name: Quotes
  - name: Beneficiaries
  - name: Fiat Payouts
  - name: Crypto Payouts
  - name: Nxosnet
  - name: Fees
  - name: Funding Methods
  - name: Transactions
  - name: Organizations
  - name: Authorizations
  - name: Webhooks
    description: |-
      Register an HTTPS endpoint to receive events (organization verification and
      transaction status changes) instead of polling. Deliveries are signed; verify
      the `svix-signature` header before acting on an event.

      See the [Webhooks guide](https://docs.nxos.io/core-concepts/webhooks) for the
      delivery format, signature verification, retries, and broker behavior. Payload
      shapes are documented in the `…Event` models below.
paths:
  /v1/authorizations:
    get:
      tags:
        - Authorizations
      description: |-
        List authorizations the caller is a party to (either side), newest
        first. Use `role` to split the two intuitive views:

        - `role=authorized` — "what customers can I act on?" (broker view).
        - `role=granter`    — "who can act on my behalf?" (customer view).

        `status` and `type` narrow further; omitting both returns every state
        including `REVOKED` (kept for audit).

        Honors `Nxos-On-Behalf-Of` — a broker can list a customer's grants by
        pointing the header at the customer's org id.

        Cursor-based pagination via the standard `limit` / `cursor` query
        params; pass back the previous response's `nextCursor` to advance.
      operationId: Authorizations_list
      parameters:
        - $ref: '#/components/parameters/ApiKeyAuth'
        - $ref: '#/components/parameters/PaginationQuery.limit'
        - $ref: '#/components/parameters/PaginationQuery.cursor'
        - name: role
          in: query
          required: false
          description: >-
            Which side of the grant the caller is on. Omit to return both
            directions.
          schema:
            $ref: '#/components/schemas/AuthorizationRole'
          explode: false
        - name: status
          in: query
          required: false
          description: >-
            Filter by lifecycle status. Omit to return all states (including
            REVOKED).
          schema:
            $ref: '#/components/schemas/AuthorizationStatus'
          explode: false
        - name: type
          in: query
          required: false
          description: Filter by grant type. Currently only `LOA` exists.
          schema:
            $ref: '#/components/schemas/AuthorizationType'
          explode: false
      responses:
        '200':
          description: The request has succeeded.
          content:
            application/json:
              schema:
                type: object
                required:
                  - object
                  - data
                  - hasMore
                  - nextCursor
                properties:
                  object:
                    type: string
                    enum:
                      - list
                    description: Object type. Always `list` for paginated responses.
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Authorization'
                    description: Array of results.
                  hasMore:
                    type: boolean
                    description: Whether more results are available beyond this page.
                  nextCursor:
                    type: string
                    nullable: true
                    description: >-
                      Cursor to pass as `cursor` query parameter for the next
                      page. Null when there are no more results.
                description: Paginated list envelope. All list endpoints return this shape.
        '400':
          description: The server could not understand the request due to invalid syntax.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error400'
        '401':
          description: Access is unauthorized.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error401'
        '403':
          description: Access is forbidden.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error403'
        '429':
          description: Client error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error429'
        '500':
          description: Server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error500'
components:
  parameters:
    ApiKeyAuth:
      name: Authorization
      in: header
      required: true
      description: 'Bearer token. Format: `Bearer <api_key>`'
      schema:
        type: string
    PaginationQuery.limit:
      name: limit
      in: query
      required: false
      description: Maximum number of items to return. Defaults to 25, max 100.
      schema:
        type: integer
        format: int32
        default: 25
      explode: false
    PaginationQuery.cursor:
      name: cursor
      in: query
      required: false
      description: Cursor for the next page of results, returned in previous responses.
      schema:
        type: string
      explode: false
  schemas:
    AuthorizationRole:
      type: string
      enum:
        - granter
        - authorized
      description: >-
        Filter for which side of the grant the caller is on. Omitted = both
        directions.
    AuthorizationStatus:
      type: string
      enum:
        - PENDING
        - ACTIVE
        - REVOKED
      description: >-
        Lifecycle status of an authorization grant.


        - `PENDING`  — Row exists, the granter has not signed yet. The
        authorized org cannot act on the granter's behalf.

        - `ACTIVE`   — Granter has signed (`signedAt` is set). The authorized
        org may act on the granter's behalf when the `Nxos-On-Behalf-Of` header
        is set.

        - `REVOKED`  — Previously active or pending, then revoked by either
        party. Kept for audit; never reverts to `ACTIVE`.
    AuthorizationType:
      type: string
      enum:
        - LOA
      description: >-
        Type of cross-org authorization. Today the only value is `LOA` (Letter
        of Authorization), which lets the authorized organization act on the
        granter's behalf via the platform API when the `Nxos-On-Behalf-Of`
        header is set.
    Authorization:
      type: object
      required:
        - object
        - grantingOrganizationId
        - authorizedOrganizationId
        - type
        - status
        - signedAt
        - revokedAt
        - revokedReason
        - createdAt
        - updatedAt
      properties:
        object:
          type: string
          enum:
            - authorization
          description: Object type. Always `authorization`.
        grantingOrganizationId:
          type: string
          description: Organization that granted the authorization (the customer).
        authorizedOrganizationId:
          type: string
          description: >-
            Organization that received the authorization (the broker /
            platform).
        type:
          allOf:
            - $ref: '#/components/schemas/AuthorizationType'
          description: Type of grant. Currently always `LOA`.
        status:
          allOf:
            - $ref: '#/components/schemas/AuthorizationStatus'
          description: Current status — `PENDING`, `ACTIVE`, or `REVOKED`.
        signedAt:
          type: string
          allOf:
            - $ref: '#/components/schemas/dateTimeString'
          nullable: true
          description: >-
            ISO 8601 timestamp when the granter signed. `null` when the row is
            still `PENDING`.
        revokedAt:
          type: string
          allOf:
            - $ref: '#/components/schemas/dateTimeString'
          nullable: true
          description: >-
            ISO 8601 timestamp when the grant was revoked. `null` until
            revocation.
        revokedReason:
          type: string
          nullable: true
          description: >-
            Optional free-form reason captured at revocation time. `null` when
            not provided.
        createdAt:
          allOf:
            - $ref: '#/components/schemas/dateTimeString'
          description: >-
            ISO 8601 timestamp when the row was first created (usually when the
            LOA invitation was issued).
        updatedAt:
          allOf:
            - $ref: '#/components/schemas/dateTimeString'
          description: >-
            ISO 8601 timestamp of the most recent state change (signing or
            revocation).
      description: A cross-org authorization grant between two organizations.
      example:
        object: authorization
        grantingOrganizationId: org_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
        authorizedOrganizationId: org_b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5
        type: LOA
        status: REVOKED
        signedAt: '2025-12-01T10:30:00.000Z'
        revokedAt: '2026-03-15T14:30:00.000Z'
        revokedReason: Client off-boarded
        createdAt: '2025-12-01T10:30:00.000Z'
        updatedAt: '2026-03-15T14:30:00.000Z'
    Error400:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: invalid_request
          message: The request body is malformed or missing required fields.
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    Error401:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: missing_api_key
          message: No Authorization header provided.
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    Error403:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: forbidden
          message: Your organization is not enabled for this action.
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    Error429:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: rate_limited
          message: 'Rate limit exceeded: 1000 requests per minute. Retry in 23 seconds.'
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    Error500:
      type: object
      required:
        - error
      properties:
        error:
          $ref: '#/components/schemas/ErrorBody'
      description: Standard error response returned by all endpoints on failure.
      example:
        error:
          code: internal_error
          message: An unexpected server error occurred.
          requestId: req_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
    dateTimeString:
      type: string
      description: ISO 8601 timestamp string.
    ErrorBody:
      type: object
      required:
        - code
        - message
        - requestId
      properties:
        code:
          allOf:
            - $ref: '#/components/schemas/ErrorCode'
          description: Machine-readable error code.
        message:
          type: string
          description: Human-readable error message.
        requestId:
          type: string
          description: Unique identifier for this request, useful for debugging.
    ErrorCode:
      type: string
      enum:
        - missing_api_key
        - authentication_failed
        - invalid_api_key
        - forbidden
        - not_found
        - organization_not_found
        - account_not_found
        - quote_not_found
        - beneficiary_not_found
        - transaction_not_found
        - funding_method_not_found
        - authorization_not_found
        - nxosnet_handle_not_found
        - quote_expired
        - quote_already_used
        - beneficiary_already_archived
        - beneficiary_not_archived
        - beneficiary_blocked
        - nxosnet_not_enabled
        - nxosnet_handle_taken
        - chain_send_failed
        - idempotency_key_in_use
        - idempotency_request_in_flight
        - invalid_request
        - insufficient_funds
        - validation_error
        - share_token_invalid
        - verification_import_unsupported
        - rate_limited
        - webhooks_unavailable
        - internal_error
      description: All possible error codes returned by the API.

````