Token Auth scope

In most cases, POST Authorize/OAuth, POST Authorize/Certificate, and POST Authorize/Integrated require a scope. The scope parameter requests access to the set of resources that future API calls will use. Some APIs may require additional Token Auth privilege restrictions.

Depending on the set of API calls your application needs, you pass a set of scopes and restrictions in a single scope parameter. The following scopes are available:

  • [None]: No scope is required. For example, no scope is required for POST Authorize/Token refresh.
  • Agent: Access to Agent resources and the Any valid scope, such as agent, certificate, or SSH grants. For example, GET Client/Details requires an agent scope.
  • Certificate: Access to certificates and the Any valid scope, such as agent, certificate, or SSH grants. For example, POST Certificates/Request requires the certificate scope.
  • Code Signing: Access to Venafi CodeSign Protect endpoints.
  • Configuration: Access to Trust Protection Platform objects, such as the policy folder, metadata, engines, workflow tickets, and the Any valid scope, such as agent, certificate, or SSH grants. For example, POST Config/Find requires the configuration scope.
  • Restricted: Access to low-level work and the Any valid scope, such as agent, certificate, or SSH grants. For example, POST SecretStore/LookupByVaultType requires the restricted scope.
  • Security: Access to credentials and permissions and the Any valid scope, such as agent, certificate, or SSH grants. For example, DELETE Permissions/Object/{guid}/(ptype)/{principal} requires the security scope.
  • SSH: Access to SSH keys and the Any valid scope, such as agent, certificate, or SSH grants. For example, POST SSH/KeysetDetails requires the ssh scope.
  • Statistics: Access to internal counters that monitor API usage for reporting purposes.
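
The following is an added example, not code from the product documentation: a least-privilege check that derives the scopes an application needs from the calls it makes, using the endpoint and scope pairs named in the list above, and flags any extra scope in a requested scope parameter. It assumes scopes are joined with `;` and that restrictions follow a scope after `:`, a format this page does not state; the function names and the sample inventory are hypothetical.

```python
# Added example: endpoint-to-scope pairs are the ones named in the list above.
# Assumption (not stated on this page): scopes are joined with ';' and a
# restriction list follows a scope after ':' (constructed sample below).
REQUIRED_SCOPE = {
    "POST Authorize/Token": None,  # token refresh needs no scope
    "GET Client/Details": "agent",
    "POST Certificates/Request": "certificate",
    "POST Config/Find": "configuration",
    "POST SecretStore/LookupByVaultType": "restricted",
    "POST SSH/KeysetDetails": "ssh",
}


def minimal_scopes(calls):
    """Return the smallest set of scopes covering the given API calls."""
    unknown = [c for c in calls if c not in REQUIRED_SCOPE]
    if unknown:
        # Fail closed: never guess a scope for an endpoint that is not mapped.
        raise KeyError(f"no scope mapping for: {unknown}")
    return {REQUIRED_SCOPE[c] for c in calls} - {None}


def parse_scope(scope_param):
    """Split a scope parameter into {scope: [restrictions]} (assumed format)."""
    parsed = {}
    for part in filter(None, (p.strip() for p in scope_param.split(";"))):
        name, _, restrictions = part.partition(":")
        parsed[name.strip().lower()] = [r.strip() for r in restrictions.split(",") if r.strip()]
    return parsed


def audit_scope(scope_param, calls):
    """Compare a requested scope parameter with what the calls need."""
    needed = minimal_scopes(calls)
    requested = set(parse_scope(scope_param))
    return {
        "missing": sorted(needed - requested),  # scopes the calls need but lack
        "excess": sorted(requested - needed),   # privilege that can be removed
        "recommended": ";".join(sorted(needed)),  # restrictions are added per API
    }


if __name__ == "__main__":
    # Constructed inventory of the calls a hypothetical enrollment service makes.
    calls = ["POST Certificates/Request", "POST Config/Find", "POST Authorize/Token"]
    print(audit_scope("certificate:manage;configuration;security;restricted", calls))
```

The recommended string lists scope names only; any restriction a particular API requires still has to be appended for that scope.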