Read one configuration value
Resolves one non-secret configuration value by its full slash path
(<section>/<group>/<field>), following inheritance along
Global → Organization → Workspace.
The optional scope selector picks where in the chain to resolve. The
scope-access policy is evaluated against the authenticated user,
never against request input: a non-superadmin may only read their own
workspace scope (tenant:<own-uuid>, also the default when scope is
omitted); a superadmin may target any scope (default global).
An unknown path, a field not declared api_readable, a secret field,
and a section the caller may not view all return the same
404 not_found.
Authorizations
Scoped personal access token (cfp_…), validated by the stateless
mcp and api_v2 firewalls. The effective permission is the
intersection of the user's ACL, the token's scopes, and tenant
isolation. The MCP gateway requires the matching mcp:* tool scope;
the /api/v2/* surface (including the Config read API) additionally
requires the api:full scope and an admin owner.
Path Parameters
Full slash path of the field, e.g. general/identity/site_name.
Query Parameters
Scope selector: global, organization:<uuid>, or
tenant:<uuid>. Defaults to the caller's own workspace scope
(superadmins: global).
Response
The resolved value. The response is sent with Cache-Control: no-store.
"general/identity/site_name"
"string"
The resolved, typed, JSON-encodable value. Feature flags return
their state object (enabled, rolloutPercent, audience,
enabledFor); null when no value is set at any scope and no
schema default applies.
True when an effective value exists (value is not null).
Scope key the winning override lives at (global,
organization:<uuid>, tenant:<uuid>), or null when the value
is the schema default.
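
The read rules above, modelled in memory as an added example (not code from this API or its project): the scope default and the scope check come from the authenticated user, every hidden case returns one identical 404, and the value is resolved most-specific-scope first. All names (User, SCHEMA, TENANT_ORG, OVERRIDES, chain, read_config), the response keys is_set and source, the 404 body shape, and the 403 returned for a disallowed scope are assumptions; the page does not state them.

```python
from dataclasses import dataclass

NOT_FOUND = (404, {"error": "not_found"})  # one body for every hidden case (shape assumed)

@dataclass(frozen=True)
class User:
    tenant: str                       # caller's own workspace uuid
    superadmin: bool = False
    sections: frozenset = frozenset({"general", "mail"})  # sections the caller may view

# Constructed sample data: schema, tenant-to-organization map, overrides.
SCHEMA = {
    "general/identity/site_name": dict(api_readable=True, secret=False, default="My Site"),
    "general/identity/tagline": dict(api_readable=True, secret=False, default=None),
    "mail/smtp/password": dict(api_readable=True, secret=True, default=None),
    "billing/plan/tier": dict(api_readable=True, secret=False, default="free"),
    "general/debug/level": dict(api_readable=False, secret=False, default=0),
}
TENANT_ORG = {"t-1": "o-1", "t-2": "o-1"}
OVERRIDES = {
    ("global", "general/identity/site_name"): "Acme",
    ("organization:o-1", "general/identity/site_name"): "Acme EU",
    ("tenant:t-2", "general/identity/site_name"): "Acme Berlin",
}

def chain(scope):
    """Scopes to consult, most specific first (Workspace, Organization, Global)."""
    kind, _, ident = scope.partition(":")
    if kind == "tenant":
        return [scope, f"organization:{TENANT_ORG.get(ident)}", "global"]
    return [scope, "global"] if kind == "organization" else ["global"]

def read_config(user, path, scope=None):
    own = f"tenant:{user.tenant}"
    # Default and permission both come from the authenticated user, not the request.
    scope = scope or ("global" if user.superadmin else own)
    if not user.superadmin and scope != own:
        return (403, {"error": "forbidden"})  # assumed status; the page does not give one
    field = SCHEMA.get(path)
    if (field is None or not field["api_readable"] or field["secret"]
            or path.split("/")[0] not in user.sections):
        return NOT_FOUND  # caller cannot tell which of the four reasons applied
    for key in chain(scope):
        if (key, path) in OVERRIDES:
            # "is_set" and "source" are hypothetical key names for the fields described above.
            return (200, {"value": OVERRIDES[(key, path)], "is_set": True, "source": key})
    default = field["default"]
    return (200, {"value": default, "is_set": default is not None, "source": None})
```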