When requesting an access token, users can specify the required access level (called scope) which defines what type of functionality they want to use, and whether requests will only read data or also modify it.
Scopes are required and validated for private methods. If you only plan to use public methods, you can use the default scope values.📖 Related Support Article:Connection Management
Scopes are assigned when you create an API key, either through the web interface or via the API. The scopes you select during key creation define the maximum permissions that can be granted when authenticating with that key. When you authenticate using public/auth, you can request specific scopes, but they cannot exceed the scopes assigned to your API key.
These scopes control how tokens are bound to connections and sessions:
Scope
Description
connection
Access is granted for the duration of the connection (or until expiration). When the connection closes, users must repeat authentication to get new tokens. Set automatically by the server when neither connection nor session scope is specified.
session:name
Creates a new session with the specified name, generating tokens bound to the session. Allows reconnection and token reuse within session lifetime. Maximum 16 sessions per user. For WebSocket: enables skipping access_token in subsequent requests.
mainaccount
Set automatically by the server when the connecting user’s credentials belong to the main account, otherwise not included in the final scope.
These scopes define what API functionality your token can access. Each functional area supports both read-only (:read) and read-write (:read_write) access levels.
These parameters configure token behavior and security settings:
Parameter
Description
expires:NUMBER
Set token expiration time to NUMBER seconds.
ip:ADDR
Restrict token usage to specific IPv4 address. Use * to allow all IP addresses.
⚠️ NOTICE: Depending on choosing an authentication method (grant type) some scopes could be narrowed by the server or limited by user API key configured scope, e.g. when grant_type = client_credentials and scope = wallet:read_write could be modified by the server as scope = wallet:read.The user shouldn’t assume that requested values are blindly accepted and should verify assigned scopes.
