Scopes

Using Scopes

Nearly every route in the API has an associated scope required to use it. If your client or (Access Token in the case of OAuth) doesn’t have the required scope, you’ll be given an error with the 403 Forbidden response code.

There are 4 scopes with both read and write access available for each. Write access implies read access, so there’s no reason to duplicate them.

all clients

read only

Can get the API landing page(/), /help, and /data/* routes. Regardless of scope, all clients can do these things.

account

read

Can read from /account/*, /events/*, /ext_accounts/*, and /users/{email}/

write

Can write to /events/*, /ext_accounts/*

public

read

Can read from /ranks, /reviews, /features, and /products operations without knowing account products

write

No Additional Access

private

read

Can read from /ads, /sales, /archive, and /payments. NOTE: some private routes return products as part of their representation.

write

No Additional Access

products

read

Can GET account’s products: /products/mine and /ext_accounts/{id}/products. Products become available in the /users/* routes as well. NOTE: some routes with private scope return products as part of their representation.

write

Can PUT to /products/{product_id} to change active/hidden status.

Whenever you create an API Client (that is to say get a Client Key and Secret), you’ll be prompted to select a default scope. All requests using HTTP Authentication will use that scope no matter what.

When using OAuth you can further limit the scope to make it more strict than what you initially specified. You use the X-OAuth-Scope header to do this, and pass it a comma separated list of scopes. Scopes are represented by the name followed by a colon and whether you’d like read or write access.

For example, to write to products and read from private data and the account I’d set the header like this:

   X-OAuth-Scope: products:write, private:read, account:read