Scopes
OAuth scopes governing what a token can access.
A token (dashboard or OAuth) carries a fixed set of scopes, set at
creation time. Each endpoint declares the scope(s) it requires; a
request from a token missing that scope returns
403 forbidden.
The list
| Scope | Grants |
|---|---|
openid | Identity claims (OIDC). Required for OAuth login flows. |
offline_access | Issuance of a refresh token alongside the access token. Without it, the access token can't be refreshed and the user must re-authorize after expiry. |
documents.read | List, get, search documents. |
documents.write | Upload, update, delete documents. |
links.read | List, get share links. |
links.write | Create, update, delete share links. |
datarooms.read | List, get datarooms; list documents inside a dataroom. |
datarooms.write | Create, update, delete datarooms; add/remove documents. |
analytics.read | Read view analytics for documents, links, and datarooms. |
visitors.read | List visitors and their view history. |
No implicit hierarchy
documents.write does not imply documents.read. Each scope is
independent. If your integration needs to both read and write, grant
both. The reason: it lets you mint write-only tokens for systems that
push data in but shouldn't be able to read it back out (e.g., an
ingestion worker).
Picking the smallest set
A good rule: start with the read-only scope you need, then add write scopes one at a time as you discover you need them. The dashboard's token-creation UI shows which endpoints each scope unlocks.
For OAuth integrations, scope strings are space-separated:
scope=documents.read links.read offline_accessDon't request * or wildcards — they're not supported. The token
endpoint will reject unknown scopes.
Per-endpoint requirements
Each endpoint page in the API reference declares its required scope under the Authorization section. Examples:
| Endpoint | Required scope |
|---|---|
GET /v1/documents | documents.read |
POST /v1/documents | documents.write |
POST /v1/links | links.write |
GET /v1/analytics/documents/{id} | analytics.read |