You are reading the 3.x docs, an older version.
Read the 5.x docs .
Scopes define what an agent key is allowed to do. Every agent endpoint checks the request's key for the required scope before executing. If the key lacks the required scope, the request is rejected with a 403 error.
How Scopes Work
Each key carries an array of scopes assigned at creation. When a request hits an endpoint:
Controller checks which scope(s) the endpoint requires
The key's scopes are compared against the requirement
If any required scope matches, access is granted (OR-logic)
If no scope matches, a 403 AUTH_INSUFFICIENT_SCOPE error is returned
Available Scopes
Read Scope
Scope
What It Allows
read
Read access to all resources (clubs, cards, members, rewards, etc.)
The read scope is a global read permission. Any key with read can call any GET endpoint.
Write Scopes
Scope
What It Allows
write:clubs
Create, update, and delete clubs
write:cards
Create, update, and delete loyalty cards
write:rewards
Create, update, and delete rewards
write:transactions
Record purchases and redeem rewards
write:stamps
Create, update, and delete stamp cards; add stamps; redeem stamp rewards
write:vouchers
Create, update, and delete vouchers; validate and redeem voucher codes
write:tiers
Create, update, and delete membership tiers
write:staff
Create, update, and delete staff members
Write scopes are resource-specific . A key with write:transactions can record purchases but cannot create clubs.
Member Write Scopes
Member keys use a separate set of write scopes:
Scope
What It Allows
write:profile
Update own profile (name, locale)
write:redeem
Submit reward claim requests
Member write scopes are self-scoped — they only affect the key owner's data.
Super Scope
Scope
What It Allows
admin
Full access — all read and write operations
The admin scope bypasses all scope checks. Use it for keys that need unrestricted access.
Admin Scopes
Admin keys have platform-level scopes:
Scope
What It Allows
read:partners
View all partner profiles and permissions
write:partners
Update partner permissions, activate/deactivate partners
read:members
Platform-wide member search and details
read:analytics
Platform and per-partner analytics metrics
Scope Hierarchy
Scopes follow a logical hierarchy:
graph LR
A["admin"] -->|"grants everything"| B["read"]
A --> C["write:*"]
C --> D["write:clubs"]
C --> E["write:cards"]
C --> F["write:rewards"]
C --> G["write:transactions"]
C --> H["write:stamps"]
C --> I["write:vouchers"]
C --> J["write:tiers"]
C --> K["write:staff"]
style A fill:#fef3c7,stroke:#f59e0b,stroke-width:2px,color:#92400e
Important behaviors:
Write implies read on that resource — A key with write:cards can call GET /partner/cards, but cannot read members or other resources
Admin grants all — The admin scope acts as a super-scope for everything
Read cannot write — A read-only key cannot create, update, or delete anything
Write scopes are isolated — write:clubs cannot read rewards, write:transactions cannot read staff
Permission Presets
When creating a key in the dashboard, you choose from presets that map to scope arrays:
Preset
Scopes
Best For
View Only
read
Reporting dashboards, balance checks, AI queries
Point of Sale
read, write:transactions, write:rewards
Point-of-sale systems (earn, burn, and rewards)
Full Management
read, write:cards, write:rewards, write:stamps, write:vouchers, write:clubs
Automation tools, general integrations
Full Access
admin
Full programmatic control, development
Member Presets
Member keys have simpler presets:
Preset
Scopes
Best For
View Only
read
Balance checks, browsing rewards, transaction history
Full Access
read, write:redeem, write:profile
Full wallet: claims + profile updates + save cards
Admin Presets
Admin keys manage the platform:
Preset
Scopes
Best For
View Only
read:partners, read:members, read:analytics
Monitoring dashboards, CRM exports
Standard
read:partners, read:members, read:analytics, write:partners
SaaS billing integration, partner management
Full Access
admin
Full platform control
Endpoint Scope Requirements
Clubs
Endpoint
Required Scope
GET /partner/clubs
read or write:clubs
GET /partner/clubs/{id}
read or write:clubs
POST /partner/clubs
write:clubs
PUT /partner/clubs/{id}
write:clubs
DELETE /partner/clubs/{id}
write:clubs
Loyalty Cards
Endpoint
Required Scope
GET /partner/cards
read or write:cards
GET /partner/cards/{id}
read or write:cards
POST /partner/cards
write:cards
PUT /partner/cards/{id}
write:cards
DELETE /partner/cards/{id}
write:cards
Rewards
Endpoint
Required Scope
GET /partner/rewards
read or write:rewards
GET /partner/rewards/{id}
read or write:rewards
POST /partner/rewards
write:rewards
PUT /partner/rewards/{id}
write:rewards
DELETE /partner/rewards/{id}
write:rewards
Transactions
Endpoint
Required Scope
GET /partner/transactions
read or write:transactions
POST /partner/transactions/purchase
write:transactions
POST /partner/transactions/redeem
write:rewards
Members
Endpoint
Required Scope
GET /partner/members
read
GET /partner/members/{id}
read
GET /partner/members/{id}/balance/{cardId}
read
Stamp Cards
Endpoint
Required Scope
GET /partner/stamp-cards
read or write:stamps
GET /partner/stamp-cards/{id}
read or write:stamps
POST /partner/stamp-cards
write:stamps
PUT /partner/stamp-cards/{id}
write:stamps
DELETE /partner/stamp-cards/{id}
write:stamps
POST /partner/stamp-cards/{id}/stamps
write:stamps
POST /partner/stamp-cards/{id}/redeem
write:stamps
Vouchers
Endpoint
Required Scope
GET /partner/vouchers
read or write:vouchers
GET /partner/vouchers/{id}
read or write:vouchers
POST /partner/vouchers
write:vouchers
PUT /partner/vouchers/{id}
write:vouchers
DELETE /partner/vouchers/{id}
write:vouchers
POST /partner/vouchers/validate
write:vouchers
POST /partner/vouchers/{id}/redeem
write:vouchers
Tiers
Endpoint
Required Scope
GET /partner/tiers
read or write:tiers
GET /partner/tiers/{id}
read or write:tiers
POST /partner/tiers
write:tiers
PUT /partner/tiers/{id}
write:tiers
DELETE /partner/tiers/{id}
write:tiers
Staff
Endpoint
Required Scope
GET /partner/staff
read or write:staff
GET /partner/staff/{id}
read or write:staff
POST /partner/staff
write:staff
PUT /partner/staff/{id}
write:staff
DELETE /partner/staff/{id}
write:staff
Member Profile
Endpoint
Required Scope
GET /member/profile
read
PUT /member/profile
write:profile
Member Balance & Cards
Endpoint
Required Scope
GET /member/balance
read
GET /member/cards
read
GET /member/cards/{id}
read
Member Transactions
Endpoint
Required Scope
GET /member/transactions
read
GET /member/transactions/{cardId}
read
Member Rewards
Endpoint
Required Scope
GET /member/rewards
read
POST /member/rewards/{id}/claim
write:redeem
Scope Errors
When a key lacks the required scope:
{
"error": true,
"code": "AUTH_INSUFFICIENT_SCOPE",
"message": "This action requires the 'write:cards' scope.",
"retry_strategy": "no_retry",
"details": {
"required_scope": "write:cards"
}
}
The retry_strategy is no_retry — the key cannot gain scopes dynamically. Create a new key with the required scopes instead.
Admin Partners
Endpoint
Required Scope
GET /admin/partners
read:partners
GET /admin/partners/{id}
read:partners
PATCH /admin/partners/{id}/permissions
write:partners
POST /admin/partners/{id}/activate
write:partners
POST /admin/partners/{id}/deactivate
write:partners
Admin Members
Endpoint
Required Scope
GET /admin/members
read:members
GET /admin/members/{id}
read:members
Admin Analytics
Endpoint
Required Scope
GET /admin/analytics/overview
read:analytics
GET /admin/analytics/partners/{id}
read:analytics