Scopes for token

An access token ties together the scopes and restrictions your integration needs to read or write, and interact with our products. First, in either the UI or using the Grant management endpoints, you set up and register scopes that your API client will use. For more information, see Setting up access token authentication.

After setup, you get a token from an Authorize method, such as POST Authorize/OAuth. Use all or part of the scope that matches the API application (known as an integration in the UI). The integration JSON matches Venafi endpoints that your client will use. The token in the response goes in the header of each client API call. When your client completes its task, it can revoke its token.

Client ID is the Application ID

In the UI and the Authorize call, what scopes and restrictions do I use?

The UI values you specify are the same ones you pass in the Authorize scope parameter. You can specify basic scopes and restrictions based on the purpose of the integration. If the integration needs a specific grant, find the endpoint in the Scope map for tokens. Each endpoint also has a section in this guide that provides additional policy and role information.

What scope and restrictions are available? 

Scope and Developer Example

Privileges and Restrictions

Approve Delete Discover

Manage

Revoke

[Other]

admin
scope: admin:recyclebin,delete

 

 

 

 

recyclebin

agent
scope: agent:delete

 

 

 

 

 

certificate
scope: certificate:approve,delete,discover,manage,revoke

 

codesign

scope: codesign:approve,delete,manage

 

 

codesignclient
scope: codesignclient

 

 

 

 

 

This is a read-only privilege.

configuration
scope: configuration:delete,manage

 

 

 

 

restricted
scope:restricted:delete,manage

 

 

 

 

security
scope: security:delete,manage

 

 

 

 

ssh
scope: ssh:approve,delete,discover,manage

 

 

statistics (requires Vendor integration)
scope:statistics

 

 

 

 

 

This is a read-only privilege.

(Read access) Specify a scope.
scope:certificate

(Many scopes) Use a semi-colon (;)
between each scope.
scope:ssh;certif
icate:discover,manage
;
configuration:manage