Permissions Guide
Ticketo uses a layered permission system combining Discord's native permissions, bot-specific privilege levels, and per-category role settings.
Privilege Levels
Every user in a server is assigned a privilege level from -1 to 4:
4
Operator (Super)
Bot operators defined in the SUPER environment variable
3
Guild Owner
The server owner
2
Guild Admin
Members with the Manage Server Discord permission
1
Guild Staff
Members with a configured support role
0
Guild Member
Regular server members
-1
None
Not a member of the server
Privilege levels are hierarchical — a higher level includes all lower-level access.
How Staff Is Determined
The isStaff() check follows this logic:
Super operators — Always staff (defined via
SUPERenv var)Manage Server — Anyone with the Discord
ManageGuildpermission is automatically staffSupport roles — Anyone with a role listed in the server's support roles setting is staff
Support roles are configured in the dashboard under Settings → Support Roles and are cached in Redis for performance.
Required Discord Permissions
When inviting the bot, these Discord permissions are required for full functionality:
Manage Channels
Create, edit, and delete ticket channels
Manage Roles
Set per-channel permission overwrites
Manage Threads
Create and manage ticket threads
Send Messages
Send messages in channels and tickets
Embed Links
Send rich embeds (panels, ticket info)
Attach Files
Send transcript files
Read Message History
Archive messages for transcripts
Use External Emojis
Display priority and status emojis
Add Reactions
React to messages for interactions
View Channels
Access server channels
Create Private Threads
Create private staff discussion threads
Per-Category Role Settings
Each ticket category (panel) can have its own role-based access controls:
Support Roles (Staff Roles)
Each category can override the global support roles. Staff roles configured at the category level determine which staff can see and manage tickets in that category.
Required Roles
Each panel option can have required roles — users must have at least one of these roles to create a ticket of that type. If a user without the required role tries to create a ticket, they are denied.
Allowed Roles (Custom Commands)
Custom slash commands registered through the dashboard can have allowed roles — only members with those roles can use the command.
Ticket-Level Permissions
Who Can See a Ticket
When a ticket channel is created, permission overwrites are set so that only the following can see it:
The ticket creator
Members with support roles for that category
The bot itself
Anyone explicitly added via
/add
Who Can Close a Ticket
The ticket creator
Staff members (privilege level 1+)
If
closeRequiresSupportRoleis enabled, only members with a support role can close — the ticket creator cannot close their own ticket
Who Can Claim a Ticket
Any staff member (privilege level 1+)
If claiming is enabled in the category settings
Who Can Use Staff Commands
The following commands require staff (privilege level 1+):
/claim
Staff
/release
Staff
/priority
Staff
/thread
Staff
/transcript
Staff
/tickets (for others)
Staff
Who Can Use Admin Commands
/panel
Manage Server permission
Blocklist
Server admins can blocklist specific users from creating tickets. Blocklisted users cannot open new tickets in the server. This is configured through the dashboard.
API & Dashboard Permissions
Dashboard Access
The web dashboard uses Discord OAuth2 for authentication. Access levels in the dashboard:
Server Admin (Manage Server)
Full dashboard access for that server
Support Role Staff
Limited access (Needs verification — exact dashboard permissions for non-admin staff not fully confirmed)
Regular Members
No dashboard access
API Authentication
The API uses JWT tokens for authentication. Key middleware decorators:
authenticate
Valid JWT token (logged-in user)
isMember
User is a member of the target guild
isAdmin
User has Manage Server permission in the target guild
Admin-level API routes (guild settings, category management) require the isAdmin check. Member-level routes (viewing own tickets) require isMember.
Super Operators
Super operators have the highest privilege level (4) and bypass all permission checks. They are defined by Discord user IDs in the SUPER environment variable:
Super operators can:
Access all tickets in any server
Bypass all staff checks
Access admin API routes for any server
Security Note: Only add trusted bot operators to the
SUPERlist. These users have unrestricted access across all servers the bot is in.
Summary
Last updated