Scopes define what an agent key is allowed to do. Every agent endpoint checks the request's key for the required scope before executing. If the key lacks the required scope, the request is rejected with a 403 error.
How Scopes Work
Each key carries an array of scopes assigned at creation. When a request hits an endpoint:
- Controller checks which scope(s) the endpoint requires
- The key's scopes are compared against the requirement
- If any required scope matches, access is granted (OR-logic)
- If no scope matches, a
403 AUTH_INSUFFICIENT_SCOPE error is returned
Available Scopes
Read Scope
| Scope |
What It Allows |
read |
Read access to all resources (clubs, cards, members, rewards, etc.) |
The read scope is a global read permission. Any key with read can call any GET endpoint.
Write Scopes
| Scope |
What It Allows |
write:clubs |
Create, update, and delete clubs |
write:cards |
Create, update, and delete loyalty cards |
write:rewards |
Create, update, and delete rewards |
write:transactions |
Record purchases and redeem rewards |
write:stamps |
Create, update, and delete stamp cards; add stamps; redeem stamp rewards |
write:vouchers |
Create, update, and delete vouchers; validate and redeem voucher codes |
write:tiers |
Create, update, and delete membership tiers |
write:staff |
Create, update, and delete staff members |
Write scopes are resource-specific. A key with write:transactions can record purchases but cannot create clubs.
Member Write Scopes
Member keys use a separate set of write scopes:
| Scope |
What It Allows |
write:profile |
Update own profile (name, locale) |
write:redeem |
Submit reward claim requests |
Member write scopes are self-scoped — they only affect the key owner's data.
Super Scope
| Scope |
What It Allows |
admin |
Full access — all read and write operations |
The admin scope bypasses all scope checks. Use it for keys that need unrestricted access.
Admin Scopes
Admin keys have platform-level scopes:
| Scope |
What It Allows |
read:partners |
View all partner profiles and permissions |
write:partners |
Update partner permissions, activate/deactivate partners |
read:members |
Platform-wide member search and details |
read:analytics |
Platform and per-partner analytics metrics |
Scope Hierarchy
Scopes follow a logical hierarchy:
graph LR
A["admin"] -->|"grants everything"| B["read"]
A --> C["write:*"]
C --> D["write:clubs"]
C --> E["write:cards"]
C --> F["write:rewards"]
C --> G["write:transactions"]
C --> H["write:stamps"]
C --> I["write:vouchers"]
C --> J["write:tiers"]
C --> K["write:staff"]
style A fill:#fef3c7,stroke:#f59e0b,stroke-width:2px,color:#92400e
Important behaviors:
- Write implies read on that resource — A key with
write:cards can call GET /partner/cards, but cannot read members or other resources
- Admin grants all — The
admin scope acts as a super-scope for everything
- Read cannot write — A
read-only key cannot create, update, or delete anything
- Write scopes are isolated —
write:clubs cannot read rewards, write:transactions cannot read staff
Permission Presets
When creating a key in the dashboard, you choose from presets that map to scope arrays:
| Preset |
Scopes |
Best For |
| View Only |
read |
Reporting dashboards, balance checks, AI queries |
| Point of Sale |
read, write:transactions, write:rewards |
Point-of-sale systems (earn, burn, and rewards) |
| Full Management |
read, write:cards, write:rewards, write:stamps, write:vouchers, write:clubs |
Automation tools, general integrations |
| Full Access |
admin |
Full programmatic control, development |
Member Presets
Member keys have simpler presets:
| Preset |
Scopes |
Best For |
| View Only |
read |
Balance checks, browsing rewards, transaction history |
| Full Access |
read, write:redeem, write:profile |
Full wallet: claims + profile updates + save cards |
Admin Presets
Admin keys manage the platform:
| Preset |
Scopes |
Best For |
| View Only |
read:partners, read:members, read:analytics |
Monitoring dashboards, CRM exports |
| Standard |
read:partners, read:members, read:analytics, write:partners |
SaaS billing integration, partner management |
| Full Access |
admin |
Full platform control |
Endpoint Scope Requirements
Clubs
| Endpoint |
Required Scope |
GET /partner/clubs |
read or write:clubs |
GET /partner/clubs/{id} |
read or write:clubs |
POST /partner/clubs |
write:clubs |
PUT /partner/clubs/{id} |
write:clubs |
DELETE /partner/clubs/{id} |
write:clubs |
Loyalty Cards
| Endpoint |
Required Scope |
GET /partner/cards |
read or write:cards |
GET /partner/cards/{id} |
read or write:cards |
POST /partner/cards |
write:cards |
PUT /partner/cards/{id} |
write:cards |
DELETE /partner/cards/{id} |
write:cards |
Rewards
| Endpoint |
Required Scope |
GET /partner/rewards |
read or write:rewards |
GET /partner/rewards/{id} |
read or write:rewards |
POST /partner/rewards |
write:rewards |
PUT /partner/rewards/{id} |
write:rewards |
DELETE /partner/rewards/{id} |
write:rewards |
Transactions
| Endpoint |
Required Scope |
GET /partner/transactions |
read or write:transactions |
POST /partner/transactions/purchase |
write:transactions |
POST /partner/transactions/redeem |
write:rewards |
Members
| Endpoint |
Required Scope |
GET /partner/members |
read |
GET /partner/members/{id} |
read |
GET /partner/members/{id}/balance/{cardId} |
read |
Stamp Cards
| Endpoint |
Required Scope |
GET /partner/stamp-cards |
read or write:stamps |
GET /partner/stamp-cards/{id} |
read or write:stamps |
POST /partner/stamp-cards |
write:stamps |
PUT /partner/stamp-cards/{id} |
write:stamps |
DELETE /partner/stamp-cards/{id} |
write:stamps |
POST /partner/stamp-cards/{id}/stamps |
write:stamps |
POST /partner/stamp-cards/{id}/redeem |
write:stamps |
Vouchers
| Endpoint |
Required Scope |
GET /partner/vouchers |
read or write:vouchers |
GET /partner/vouchers/{id} |
read or write:vouchers |
POST /partner/vouchers |
write:vouchers |
PUT /partner/vouchers/{id} |
write:vouchers |
DELETE /partner/vouchers/{id} |
write:vouchers |
POST /partner/vouchers/validate |
write:vouchers |
POST /partner/vouchers/{id}/redeem |
write:vouchers |
Tiers
| Endpoint |
Required Scope |
GET /partner/tiers |
read or write:tiers |
GET /partner/tiers/{id} |
read or write:tiers |
POST /partner/tiers |
write:tiers |
PUT /partner/tiers/{id} |
write:tiers |
DELETE /partner/tiers/{id} |
write:tiers |
Staff
| Endpoint |
Required Scope |
GET /partner/staff |
read or write:staff |
GET /partner/staff/{id} |
read or write:staff |
POST /partner/staff |
write:staff |
PUT /partner/staff/{id} |
write:staff |
DELETE /partner/staff/{id} |
write:staff |
Member Profile
| Endpoint |
Required Scope |
GET /member/profile |
read |
PUT /member/profile |
write:profile |
Member Balance & Cards
| Endpoint |
Required Scope |
GET /member/balance |
read |
GET /member/cards |
read |
GET /member/cards/{id} |
read |
Member Transactions
| Endpoint |
Required Scope |
GET /member/transactions |
read |
GET /member/transactions/{cardId} |
read |
Member Rewards
| Endpoint |
Required Scope |
GET /member/rewards |
read |
POST /member/rewards/{id}/claim |
write:redeem |
Scope Errors
When a key lacks the required scope:
{
"error": true,
"code": "AUTH_INSUFFICIENT_SCOPE",
"message": "This action requires the 'write:cards' scope.",
"retry_strategy": "no_retry",
"details": {
"required_scope": "write:cards"
}
}
The retry_strategy is no_retry — the key cannot gain scopes dynamically. Create a new key with the required scopes instead.
Admin Partners
| Endpoint |
Required Scope |
GET /admin/partners |
read:partners |
GET /admin/partners/{id} |
read:partners |
PATCH /admin/partners/{id}/permissions |
write:partners |
POST /admin/partners/{id}/activate |
write:partners |
POST /admin/partners/{id}/deactivate |
write:partners |
Admin Members
| Endpoint |
Required Scope |
GET /admin/members |
read:members |
GET /admin/members/{id} |
read:members |
Admin Analytics
| Endpoint |
Required Scope |
GET /admin/analytics/overview |
read:analytics |
GET /admin/analytics/partners/{id} |
read:analytics |
Related Topics