Scope map for tokens

Most API calls require a bearer token to access data. This map shows the scope that applies to each Venafi endpoint.

How do I use the map?

You can use the map to decide the necessary scopes to declare in an API integration. The scopes and restrictions you need are based on the API calls that your client makes.

For example, my client has various REST calls that manage certificates and sets folder policy. So the scope looks like this: scope: certificate:discover,delete,manage,revoke. To get a token, I call an Authorize method, such as POST Authorize/OAuth. From the response, the reusable access token goes in the header of all my client calls. It is valid until it expires or I revoke the grant in the token.

TIP Your client can reuse the same token until it expires. As necessary, your client should track the expiration time and use the refresh token to get a new one. On exit, your client can revoke the token.

Available to all REST endpoints

When you specify another scope, you also automatically receive additional access to the any scope. For example, configuration:Manage grants the caller access to POST Log.

Scope with privilege restriction
Scope(s) with privilege restriction	Automatic access to these API methods
Available when you specify any valid scope, such as agent, certificate, or ssh	DELETE Preferences GET Config/DefaultDn GET Crypto/AvailableKeys GET Crypto/DefaultKey GET Identity/Self GET Log GET Log/{guid} GET Metadata/Items GET Permissions/Refresh GET PKS/Lookup/jwk GET PKS/Lookup/jwks GET Preferences GET SystemStatus GET SystemStatus/Upgrade/Engine GET SystemStatus/Upgrade/Engines GET SystemStatus/Upgrade/History GET SystemStatus/Upgrade/Status GET SystemStatus/Upgrade/Summary GET SystemStatus/Version POST Config/DnToGuid POST Config/GuidToDn POST Config/IdInfo POST ConfigSchema/Attributes POST ConfigSchema/Class POST Flow/Tickets/Count POST Flow/Tickets/CountApproved POST Flow/Tickets/Enumerate POST Flow/Tickets/EnumerateApproved POST Flow/Tickets/Load POST Flow/Tickets/Update POST Metadata/Find POST Metadata/FindItem POST Metadata/Get POST Metadata/GetItemGuids POST Metadata/GetItems POST Metadata/GetItemsForClass POST Metadata/GetPolicyItems POST Metadata/ReadEffectiveValues POST Metadata/ReadPolicy POST Preferences POST Workflow/Ticket/Details POST Workflow/Ticket/Enumerate POST Workflow/Ticket/Exists POST Workflow/Ticket/Status
any:Approve	POST Flow/Tickets/Approve POST Flow/Tickets/Reject POST Workflow/Ticket/UpdateStatus
any:Manage	POST Log POST Metadata/Set

Auth REST

Scope with privilege restriction
Scope(s) with privilege restriction	Automatic access to these API methods
<none> No privilege restriction is necessary	.Well-known/OpenGPGKey for WKD GET Authorize/Verify GET Revoke/Token PKS/Lookup POST Authorize/Certificate POST Authorize/Device POST Authorize/Integrated POST Authorize/Jwt POST Authorize/OAuth POST Authorize/Token refresh

CodeSign Protect REST

Each grant automatically includes access to methods in the any scope.

Implied scope with privilege restriction
Scope(s) with privilege restriction	Grants access to these API methods
codesignclient	POST API/GetGPGPublicKey from Key Server POST API/Sign POST API/SignJWT
Codesign	POST Codesign/CountReferences POST Codesign/EnumerateApplicationCollections POST Codesign/EnumerateApplications POST Codesign/EnumerateProjects POST Codesign/EnumerateReferences POST Codesign/EnumerateTemplates POST Codesign/FindEnvironment POST Codesign/GetApplication POST Codesign/GetApplicationCollection POST Codesign/GetApplicationCollectionMemberDNs POST Codesign/GetApplicationCollectionMembers POST Codesign/GetEnvironment POST Codesign/GetProject POST Codesign/GetTemplate
Codesign Requires caller to be a Code Signing Administrator	POST Codesign/AddApplicationAdministrator POST Codesign/AddProjectApprover POST Codesign/GetObjectRights POST Codesign/RemoveApplicationAdministrator POST Codesign/RemoveProjectApprover POST Codesign/RenameApplication POST Codesign/RenameApplicationCollection
Codesign:Approve	POST Codesign/AddPreApproval POST Flow/Actions/CodeSign/PreQualify/Create
Codesign:Delete	POST Codesign/DeleteApplication POST Codesign/DeleteApplicationCollection POST Codesign/DeleteEnvironment POST Codesign/DeleteProject POST Codesign/DeleteTemplate
Codesign:Manage	GET Codesign/ExportSignArchive GET Codesign/GetGlobalConfiguration POST Codesign/CreateApplication POST Codesign/CreateApplicationCollection POST Codesign/CreateEnvironment POST Codesign/CreateProject POST Codesign/CreateTemplate POST Codesign/ExportSignArchive POST Codesign/GetRight POST Codesign/GetTrusteeRights POST Codesign/RemoveAdministrator POST Codesign/RenameProject POST Codesign/RenameTemplate POST Codesign/RetrieveArchiveEntries POST Codesign/SetGlobalConfiguration POST Codesign/UpdateApplication POST Codesign/UpdateApplicationCollection POST Codesign/UpdateEnvironment POST Codesign/UpdateProject POST Codesign/UpdateProjectStatus POST Codesign/UpdateTemplate

Web SDK REST

Each grant automatically includes access to methods in the any scope.

Implied scope with privilege restriction
Scope(s) with privilege restriction	Grants access to these API methods
<none> No privilege restriction is necessary	GET ServerStatus GET ServerStatus/Active GET ServerStatus/Idle GET ServerStatus/Status GET SSHCertificates/Template/Retrieve/PublicKeyData
Admin No privilege restriction is necessary	POST OAuth/CreateApplication POST OAuth/CreateJwtMapping POST OAuth/CreateRule POST OAuth/DeleteApplication POST OAuth/DeleteJwtMapping POST OAuth/DeleteRule POST OAuth/DeleteRules POST OAuth/EnumerateApplications POST OAuth/EnumerateGrants POST OAuth/EnumerateJwtMappings POST OAuth/EnumerateRules POST OAuth/GetApplication POST OAuth/GetApplications POST OAuth/GetConfiguration POST OAuth/GetGrants POST OAuth/GetJwtMapping POST OAuth/GetJwtMappings POST OAuth/GetRole POST OAuth/GetRules POST OAuth/GetScopes POST OAuth/GrantCount POST OAuth/GrantRole POST OAuth/ListRoles POST OAuth/RevokeGrants POST OAuth/RevokeRole POST OAuth/SetConfiguration POST OAuth/TotalCount POST OAuth/UpdateApplication POST OAuth/UpdateJwtMapping POST OAuth/UpdateRule POST OAuth/UserCount
Admin:Delete
Admin:ViewLogs	GET Log/LogSchema
Admin:RecycleBin	POST RecycleBin/DeletionTask POST RecycleBin/Empty POST RecycleBin/GetConfiguration POST RecycleBin/GetContents POST RecycleBin/GetItem POST RecycleBin/GetItemDetails POST RecycleBin/Purge POST RecycleBin/PurgeTask POST RecycleBin/Restore POST RecycleBin/SetConfiguration
Agent No privilege restriction is necessary	All methods from the any privilege GET Client GET Client/Details GET Client/Work
Agent:Delete	All methods from the any and Agent scope POST Client/Delete
Certificate No privilege restriction is necessary	All methods from the any privilege GET Certificates GET Certificates/{guid} GET Certificates/{guid}/PreviousVersions GET Certificates/{guid}/ValidationResults GET PKI/HashiCorp/CA GET PKI/HashiCorp/CA/{guid} GET PKI/HashiCorp/Role/{guid} HEAD Certificates
Certificate:Delete	All methods from the any privilege DELETE Certificates/{guid} DELETE Discovery/{guid} DELETE PKI/HashiCorp/CA/{guid} DELETE PKI/HashiCorp/Role/{guid}
Certificate:Discover	All methods from the any privilege POST Certificates/Import POST Discovery/Import
Certificate:Manage	All methods from the any privilege GET Certificates/Retrieve GET Certificates/Retrieve/{vaultid} POST Certificates/Associate POST Certificates/CheckPolicy POST Certificates/Dissociate POST Certificates/Push POST Certificates/Renew POST Certificates/Request POST Certificates/Reset POST Certificates/Retrieve POST Certificates/Retrieve/{vaultid} POST Certificates/Retry POST Certificates/Validate POST PKI/HashiCorp/CA POST PKI/HashiCorp/CA/{guid} POST PKI/HashiCorp/CA/{guid}/Renew POST PKI/HashiCorp/Role POST X509CertificateStore/Add POST X509CertificateStore/Retrieve PUT Certificates/{guid} PUT PKI/HashiCorp/CA/{guid} PUT PKI/HashiCorp/Role/{guid}
Certificate:Revoke	All methods from the any privilege POST Certificates/Revoke
Configuration No privilege restriction is necessary	All methods from the any privilege GET ProcessingEngines GET SystemStatus GET SystemStatus/Version POST Config/ContainableClasses POST Config/CountObjects POST Config/Enumerate POST Config/EnumerateAll POST Config/EnumerateObjectsDerivedFrom POST Config/EnumeratePolicies POST Config/Find POST Config/FindContainers POST Config/FindObjectsOfClass POST Config/FindPolicy POST Config/GetHighestRevision POST Config/GetRevision POST Config/IsValid POST Config/Read POST Config/ReadAll POST Config/ReadDn POST Config/ReadDnReferences POST Config/ReadEffectivePolicy POST Config/ReadPolicy POST Identity/Browse POST Identity/GetAssociatedEntries POST Identity/GetMembers POST Identity/GetMemberships POST Identity/ReadAttribute POST Identity/Validate POST Metadata/LoadItem POST Metadata/LoadItemGuid
Configuration:Delete	All methods from the any privilege DELETE Identity/Group/(prefix)/{principal} DELETE ProcessingEngines/Folder/{folder guid} DELETE ProcessingEngines/Folder/{folder guid}/{engine guid} DELETE Teams/(prefix)/{universal} POST Config/Delete POST Metadata/UndefineItem POST Platform/Delete POST Workflow/Ticket/Delete
Configuration:Manage	All methods from the any privilege GET ProcessingEngines/Engine/{engine guid} GET ProcessingEngines/Folder/{folder guid} GET Teams/(prefix)/{universal} POST Config/AddDnValue POST Config/AddPolicyValue POST Config/AddValue POST Config/ClearAttribute POST Config/ClearPolicyAttribute POST Config/Create POST Config/MutateObject POST Config/RemoveDnValue POST Config/RemovePolicyValue POST Config/RenameObject POST Config/Write POST Config/WriteDn POST Config/WritePolicy POST Identity/AddGroup POST Metadata/DefineItem POST Metadata/SetPolicy POST Metadata/UpdateItem POST ProcessingEngines/Engine/{engine guid} POST Teams POST Workflow/Ticket/Create PUT Identity/AddGroupMembers PUT Identity/RemoveGroupMembers PUT Identity/RenameGroup PUT ProcessingEngines/Folder/{folder guid} PUT Teams/(prefix)/{universal} PUT Teams/AddTeamMembers PUT Teams/AddTeamOwners PUT Teams/DemoteTeamOwners PUT Team/RemoveTeamMembers PUT Teams/RenameTeam
Restricted No privilege restriction is necessary	All methods from the any privilege GET SecretStore/EncryptionKeysInUse GET SecretStore/Lookup POST SecretStore/LookupAllAssociationsbyVaultid POST SecretStore/LookupAssociationbyVaultID POST SecretStore/LookupByAssociation POST SecretStore/LookupByOwner POST SecretStore/LookupByVaultType POST SecretStore/OrphanLookup POST SecretStore/OwnerLookup POST X509CertificateStore/Lookup POST X509CertificateStore/LookupExpiring
Restricted:Delete	POST SecretStore/OwnerDelete POST X509CertificateStore/Remove
Restricted:Manage	All methods from the any scope POST SecretStore/Add POST SecretStore/Associate POST SecretStore/Dissociate POST SecretStore/Mutate POST SecretStore/OwnerAdd POST SecretStore/Retrieve
Security No privilege restriction is necessary	All methods from the any privilege GET Permissions/Object/(guid}/(ptype)/{principal} GET Permissions/Object/{guid} GET Permissions/Object/{guid}/(ptype)/(pname)/ {external}/Effective GET Permissions/Object/{guid}/local/{uuid}/Effective POST Credentials/Enumerate
Security:Delete	All methods from the any privilege DELETE Permissions/Object/{guid}/(ptype)/{principal} POST Credentials/Delete
Security:Manage	All methods from the any privilege DELETE Credentials/Connector/Adaptable/{guid} GET Credentials/Connector/Adaptable/{guid} POST Credentials/Adaptable/Create POST Credentials/Adaptable/Update POST Credentials/Connector/Adaptable POST Credentials/Create POST Credentials/CyberArk/Create POST Credentials/CyberArk/Update POST Credentials/Rename POST Credentials/Retrieve POST Credentials/Update POST Identity/SetPassword POST Permissions/Object/{guid}/(ptype)/{principal} PUT Credentials/Connector/Adaptable/{guid} PUT Permissions/Object/{guid}/(ptype)/{principal}
ssh No privilege restriction is necessary	All methods from the any privilege GET SSH/KeysetDetails GET SSH/Widget/CriticalAlerts GET SSH/Widget/PolicyViolations GET SSH/Widget/Stats POST SSH/Devices POST SSH/ExportSelfServiceAuthorizedKey POST SSH/ExportSelfServicePrivateKey POST SSH/KeyDetails POST SSH/KeysetDetails POST SSH/KeyUsage POST SSH/TestDeviceConnection
ssh:Approve	POST SSH/ApproveKeyOperation POST SSH/RejectKeyOperation
ssh:Delete	All methods from the any privilege POST SSH/DeleteUnmatchedKeyset POST SSH/RemoveKey
ssh:Discover	All methods from the any privilege POST SSH/ImportAuthorizedKey POST SSH/ImportKeyUsageData POST SSH/ImportPrivateKey
ssh:Manage	All methods from the any privilege GET SSHCertificates/Template/Retrieve/PublicKeyData POST SSH/AddAuthorizedKey POST SSH/AddHostPrivateKey POST SSH/AddKnownHostKey POST SSH/AddSelfServiceAuthorizedKey POST SSH/AddSelfServicePrivateKey POST SSH/AddUserPrivateKey POST SSH/CancelKeyOperation POST SSH/CancelRotation POST SSH/ChangePrivateKeyPassphrase POST SSH/ConfirmSelfServiceKeyInstallation POST SSH/EditKeyOptions POST SSH/EditSelfServiceAuthorizedKey POST SSH/MoveKeysetsToPolicy POST SSH/RetryKeyOperation POST SSH/RetryRotation POST SSH/Rotate POST SSH/SetUnmatchedKeysetPassPhrase POST SSH/SkipKeyRotation POST SSHCertificates/CAKeyPair/Create POST SSHCertificates/Request POST SSHCertificates/Retrieve POST SSHCertificates/Template/Retrieve
Statistics	POST Stats/GetCounters POST Stats/Query