Scopes
OAuth scopes governing what a token can access.
A token (dashboard or OAuth) carries a fixed set of scopes, set at
creation time. Each endpoint declares the scope(s) it requires; a
request from a token missing that scope returns
403 forbidden.
The list
Granular scopes
Pick these à la carte for least-privilege tokens.
| Scope | Grants |
|---|---|
| openid | Identity claims (OIDC). Required for OAuth login flows. |
| offline_access | Issuance of a refresh token alongside the access token. Without it, the access token can't be refreshed and the user must re-authorize after expiry. |
| documents.read | List, get, search documents and folders; list document versions. |
| documents.write | Upload, update, delete documents; create/move/delete folders; add and promote document versions. |
| links.read | List, get share links. |
| links.write | Create, update, revoke share links. |
| datarooms.read | List, get datarooms; list documents and folders inside a dataroom. |
| datarooms.write | Create, update, delete datarooms; attach documents; manage dataroom folders. |
| analytics.read | Read view analytics for documents, links, and datarooms. |
| visitors.read | List visitors and their view history. |
Preset (mega) scopes
Forward-compatible coarse grants — when new resources ship, existing tokens with these scopes pick them up without re-rolling.
| Scope | Grants |
|---|---|
| apis.read | Every *.read granular scope, plus any read-only scope added in the future. |
| apis.all | Every granular scope (read and write), plus anything added in the future. |
A token created with a preset alongside granular scopes is normalized server-side: a token with apis.all keeps only apis.all; a token with apis.read keeps only apis.read.
No implicit hierarchy
documents.write does not imply documents.read. Each scope is
independent. If your integration needs to both read and write, grant
both. The reason: it lets you mint write-only tokens for systems that
push data in but shouldn't be able to read it back out (e.g., an
ingestion worker).
Picking the smallest set
A good rule: start with the read-only scope you need, then add write scopes one at a time as you discover you need them. The dashboard's token-creation UI shows which endpoints each scope unlocks.
For OAuth integrations, scope strings are space-separated:
scope=documents.read links.read offline_access
Don't request * or wildcards — they're not supported. The token
endpoint will reject unknown scopes.
Per-endpoint requirements
Each endpoint page in the API reference declares its required scope under the Authorization section. Examples:
| Endpoint | Required scope |
|---|---|
| GET /v1/documents | documents.read |
| POST /v1/documents | documents.write |
| POST /v1/links | links.write |
| GET /v1/analytics/documents/{id} | analytics.read |
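
The rules on this page (space-separated scope strings, no wildcards, no implicit hierarchy, presets covering granular scopes) applied as a least-privilege audit. This is an added example, not code from the API's own documentation; it covers only the four endpoints in the table above, the function names are hypothetical, and it assumes openid and offline_access are not tied to any endpoint.

```python
from __future__ import annotations

# Scope names and endpoint requirements are copied from the tables on this
# page; the function names are hypothetical.
GRANULAR = {
    "openid", "offline_access", "documents.read", "documents.write",
    "links.read", "links.write", "datarooms.read", "datarooms.write",
    "analytics.read", "visitors.read",
}
PRESETS = {"apis.read", "apis.all"}
# Assumption: login/refresh scopes are not required by any endpoint.
NON_ENDPOINT = {"openid", "offline_access"}

REQUIRED = {  # (method, path) -> required scope
    ("GET", "/v1/documents"): "documents.read",
    ("POST", "/v1/documents"): "documents.write",
    ("POST", "/v1/links"): "links.write",
    ("GET", "/v1/analytics/documents/{id}"): "analytics.read",
}


def parse_scopes(scope_param: str) -> set[str]:
    """Split a space-separated scope string; reject unknown scopes and wildcards."""
    scopes = set(scope_param.split())
    unknown = scopes - GRANULAR - PRESETS
    if unknown:
        raise ValueError(f"unsupported scopes: {sorted(unknown)}")
    return scopes


def satisfies(granted: set[str], required: str) -> bool:
    """Does `granted` cover an endpoint's required scope? No implicit
    hierarchy: documents.write never covers documents.read."""
    if required in granted or "apis.all" in granted:
        return True
    return "apis.read" in granted and required.endswith(".read")


def audit(scope_param: str, calls: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Report scopes the calls need but the token lacks (those calls get 403)
    and scopes the token holds that none of the calls need."""
    granted = parse_scopes(scope_param)
    needed = {REQUIRED[call] for call in calls}
    return {
        "missing": sorted(s for s in needed if not satisfies(granted, s)),
        "unneeded": sorted(granted - needed - NON_ENDPOINT),
    }
```

A preset always appears under "unneeded" here because it grants more than the listed calls require, which is the signal to replace it with granular scopes.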