Roles and permissions between API and application
Hi, I'm going to create an inventory system that is fully API-based, using Laravel. The application can be written in any language and connects through my API. An inventory system can be rather complicated, so I need role and permission control, where certain roles can do this and that but some roles cannot, or permissions attached directly to a user for what they are allowed to do. I know there are many, like Sentry or Entrust, that can do this, but my question is: are roles and permissions supposed to be handled at the API level or the application level? What is the standard practice for a completely separated API and application system like this?
Thanks in advance