Scopes

This document outlines the available security scopes within the platform and the specific endpoints they grant access to.

Administrative Scopes

`admin`

Grants full administrative access to system configurations, health monitoring, index management, system defaults, and elevated user management operations.

POST /api/users/password-recovery: Recover Password
GET /api/admin/config/: Get all config keys
GET /api/admin/config/mail/verify: Verify Mail Config
GET /api/admin/config/{key}: Get config by key
PATCH /api/admin/config/{key}: Update config partially
PUT /api/admin/config/{key}: Replace config
GET /api/admin/health/: Return all service health snapshots
GET /api/admin/health/{full_service_name}: Return detailed service health snapshot
POST /api/activate/: Prepare bootstrap admin
GET /api/admin/sessions/: List Sessions
GET /api/admin/sessions/{id}: Get Session by ID
DELETE /api/admin/sessions/{id}: Delete Session by ID
GET /api/admin/indexes/models: Get list of available models for index management
GET /api/admin/indexes/{model_name}/status: Get index status for a model
POST /api/admin/indexes/{model_name}/cleanup: Clean up dead indexes for a model
POST /api/admin/indexes/{model_name}/recreate: Recreate missing indexes for a model
POST /api/admin/indexes/{model_name}/recreate-all: Recreate all indexes for a model (drop and recreate)
GET /api/admin/defaults/: List default object recreate targets
POST /api/admin/defaults/all/recreate: Force recreate all default objects
POST /api/admin/defaults/assets/recreate: Force recreate default asset objects
POST /api/admin/defaults/blueprints/recreate: Force recreate default blueprint objects
POST /api/admin/defaults/forms/recreate: Force recreate default form objects
POST /api/admin/defaults/menu/recreate: Force recreate default menu objects
POST /api/admin/defaults/scope-sets/recreate: Force recreate default scope set objects
POST /api/admin/defaults/templates/recreate: Force recreate default template objects
POST /api/admin/defaults/themes/recreate: Force recreate default theme objects
POST /api/admin/users/: Create a new user (admin-only)

`admin:read`

Grants read-only access to administrative metadata.

GET /api/admin/sessions/filters: Get Session filter metadata

API Keys Management

`apikeys:read`

Grants read access to API key records and filters.

GET /api/admin/api-keys/: List Api Keys
GET /api/admin/api-keys/filters: Get Api Key filter metadata
GET /api/admin/api-keys/{id}: Get Api Key by ID

`apikeys:write`

Grants permissions to generate, modify, and delete API keys.

GET /api/admin/api-keys/scopes: Get all available API key scopes
POST /api/admin/api-keys/: Create API key
DELETE /api/admin/api-keys/{id}: Delete Api Key by ID

`store:read`

Grants read access to folders, assets, and share links.

GET /api/store/: Get Store Object By Url
GET /api/store/asset/: List Assets
GET /api/store/asset/download: Download Assets
GET /api/store/asset/filters: Get Asset filter metadata
GET /api/store/asset/{id}: Get Asset by ID
GET /api/store/asset/{id}/shares: Get Asset Shares
GET /api/store/folder/: List Folders
GET /api/store/folder/filters: Get Folder filter metadata
GET /api/store/folder/{id}: Get Folder by ID
GET /api/store/folder/{id}/download: Download Folder
GET /api/store/folder/{id}/shares: Get Folder Shares
GET /api/share/: List Shares
GET /api/share/download/{token}: Download Share By Token
GET /api/share/filters: Get Share filter metadata
GET /api/share/{id}: Get Share by ID

`store:write`

Grants permissions to upload, update, and delete assets and folders.

POST /api/store/asset/upload: Upload Asset
PUT /api/store/asset/{id}: Update Asset by ID
PATCH /api/store/asset/{id}: Patch Asset
DELETE /api/store/asset/{id}: Delete Asset by ID
POST /api/store/folder/: Create Folder
PUT /api/store/folder/{id}: Update Folder by ID
PATCH /api/store/folder/{id}: Patch Folder
DELETE /api/store/folder/{id}: Delete Folder by ID
PUT /api/share/{id}: Update Share by ID
PATCH /api/share/{id}: Patch Share
DELETE /api/share/{id}: Delete Share by ID

`store:share`

Grants permissions to create and distribute external share links.

POST /api/share/: Create Share
POST /api/share/send_email: Send Share Email

Blueprints & Factory Assemblies

`blueprints:read`

Grants read access to workflow blueprints and factory tickets.

GET /api/factory/workflows/: List Blueprints
GET /api/factory/workflows/filters: Get Blueprint filter metadata
GET /api/factory/workflows/{id}: Get Blueprint by ID
GET /api/factory/workflows/{id}/thumbnail: Get thumbnail for workflow template by ID
GET /api/factory/tickets/: List Tickets
GET /api/factory/tickets/filters: Get Ticket filter metadata
GET /api/factory/tickets/{id}: Get Ticket by ID

`blueprints:write`

Grants permissions to create and manage workflow blueprints.

POST /api/factory/workflows/: Create Blueprint
POST /api/factory/workflows/{id}/thumbnail: Upload thumbnail for Blueprint by ID
PUT /api/factory/workflows/{id}: Update Blueprint by ID
PATCH /api/factory/workflows/{id}: Patch Blueprint
DELETE /api/factory/workflows/{id}: Delete Blueprint by ID

`assemblies:read`

Grants read access to factory assemblies, tasks, and related mail templates.

GET /api/factory/history/: List Assemblys
GET /api/factory/history/filters: Get Assembly filter metadata
GET /api/factory/history/{id}: Get Assembly by ID
GET /api/factory/mailtemplates/: List Mail Templates
GET /api/factory/mailtemplates/filters: Get Mail Template filter metadata
GET /api/factory/tasks/: List Tasks
GET /api/factory/tasks/filters: Get Task filter metadata
GET /api/factory/tasks/{id}: Get Task by ID

`assemblies:write`

Grants permissions to manage and delete assembly execution histories.

DELETE /api/factory/history/{id}: Delete Assembly by ID
GET /api/factory/smartnames: Get smartnames
GET /api/factory/store: Get Store Object By Url
DELETE /api/factory/tasks/{id}: Delete Task by ID
GET /api/factory/ucs-allowed-scopes: Get factory UCS allowed scopes

Forms & Form Submissions

`forms:read`

Grants read access to dynamic forms and their configurations.

GET /api/form/: List Forms
GET /api/form/filters: Get Form filter metadata
GET /api/form/{url_or_id}: Open the form by URL or Id

`forms:submit`

Grants permissions to submit data and upload files to active forms.

POST /api/form/{id}: Submit the form by ID
POST /api/form/{id}/upload: Upload Files to Form by ID

`form_submissions:read`

Grants read access to historical form submission records.

GET /api/form/history/: List Form Submissions
GET /api/form/history/filters: Get Form Submission filter metadata
GET /api/form/history/{id}: Get Form Submission by ID

`form_submissions:write`

Grants permissions to delete form submission records.

DELETE /api/form/history/{id}: Delete Form Submission by ID

`formbuilder:read`

Grants read access to the form builder tools and templates.

GET /api/formbuilder/: List Forms
GET /api/formbuilder/filters: Get Form filter metadata
GET /api/formbuilder/{id}: Get Form by ID
GET /api/formbuilder/{id}/thumbnail: Get thumbnail for Dynamic Form by ID

`formbuilder:write`

Grants permissions to create, update, and manage dynamic forms in the builder.

POST /api/formbuilder/: Create Form
POST /api/formbuilder/{id}/thumbnail: Upload thumbnail for Dynamic Form
PUT /api/formbuilder/{id}: Update Form by ID
PATCH /api/formbuilder/{id}: Patch Form
DELETE /api/formbuilder/{id}: Delete Form by ID

Groups & Users

`groups:read`

Grants read access to user groups and their member lists.

GET /api/admin/groups/: List Groups
GET /api/admin/groups/filters: Get Group filter metadata
GET /api/admin/groups/{id}: Get Group by ID
GET /api/admin/groups/{id}/users: Get Group Users

`groups:write`

Grants permissions to create groups and manage group memberships.

POST /api/admin/groups/: Create Group
PUT /api/admin/groups/{id}: Update Group by ID
PATCH /api/admin/groups/{id}: Patch Group
DELETE /api/admin/groups/{id}: Delete Group by ID
POST /api/admin/groups/{id}/users/{user_id}: Add Users To Group
DELETE /api/admin/groups/{id}/users/{user_id}: Remove Users From Group

`users:read`

Grants read access to user account records.

GET /api/admin/users/: List Users
GET /api/admin/users/filters: Get User filter metadata
GET /api/admin/users/{id}: Get User by ID

`users:write`

Grants permissions to modify existing user records, unlock accounts, and manage avatars.

GET /api/admin/users/check-email-unique: Check if email is unique
GET /api/admin/users/check-login-unique: Check if login is unique
PUT /api/admin/users/{id}: Update User by ID
PATCH /api/admin/users/{id}: Patch User
DELETE /api/admin/users/{id}: Delete User by ID
POST /api/admin/users/{id}/avatar: Set user avatar
DELETE /api/admin/users/{id}/avatar: Delete user avatar
POST /api/admin/users/{id}/unlock: Unlock user

Logging & Audits

`audit:read`

Grants read access to system audit logs.

GET /api/logging/audit/: List Audit Logs
GET /api/logging/audit/filters: Get Audit Log filter metadata
GET /api/logging/audit/{id}: Get Audit Log by ID

`audit:write`

Grants permissions to delete audit log entries.

DELETE /api/logging/audit/{id}: Delete Audit Log by ID

`logging:read`

Grants read access to system execution logs.

GET /api/logging/system/: List System Logs
GET /api/logging/system/filters: Get System Log filter metadata
GET /api/logging/system/{id}: Get System Log by ID

`logging:write`

Grants permissions to delete system log entries.

DELETE /api/logging/system/{id}: Delete System Log by ID

Mail Templates

`mail_templates:read`

Grants read access to HTML mail templates.

GET /api/mailtemplates/: List Mail Templates
GET /api/mailtemplates/filters: Get Mail Template filter metadata
GET /api/mailtemplates/{id}: Get Mail Template by ID

`mail_templates:write`

Grants permissions to create, update, and delete mail templates.

POST /api/mailtemplates/: Create Mail Template
PUT /api/mailtemplates/{id}: Update Mail Template by ID
PATCH /api/mailtemplates/{id}: Patch Mail Template
DELETE /api/mailtemplates/{id}: Delete Mail Template by ID

Scope Sets

`scope_sets:read`

Grants read access to security scope sets.

GET /api/admin/scope-sets/: List Scope Sets
GET /api/admin/scope-sets/filters: Get Scope Set filter metadata
GET /api/admin/scope-sets/{id}: Get Scope Set by ID

`scope_sets:write`

Grants permissions to create, modify, and delete security scope sets.

POST /api/admin/scope-sets/: Create Scope Set
PUT /api/admin/scope-sets/{id}: Update Scope Set by ID
PATCH /api/admin/scope-sets/{id}: Patch Scope Set
DELETE /api/admin/scope-sets/{id}: Delete Scope Set by ID

Themes

`themes:read`

Grants read access to UI themes.

GET /api/themes/: List Theme Configs
GET /api/themes/active: Get active theme
GET /api/themes/filters: Get Theme Config filter metadata
GET /api/themes/{id}: Get Theme Config by ID

`themes:write`

Grants permissions to create, modify, and activate UI themes.

POST /api/themes/: Create Theme Config
POST /api/themes/{id_or_name}/activate: Activate theme
PUT /api/themes/{id}: Update Theme Config by ID
PATCH /api/themes/{id}: Patch Theme Config
DELETE /api/themes/{id}: Delete Theme Config by ID

User Interface (UI) Variables

`ui:read`

Grants read access to UI components, variables, and categories.

GET /api/ui/: Get style config
GET /api/ui/categories/: List Ui Categorys
GET /api/ui/categories/filters: Get Ui Category filter metadata
GET /api/ui/categories/{id}: Get Ui Category by ID
GET /api/ui/menu: Get menu config
GET /api/ui/variables/: List Ui Variables
GET /api/ui/variables/filters: Get Ui Variable filter metadata
GET /api/ui/variables/{id}: Get Ui Variable by ID

`ui:write`

Grants permissions to create, update, and manage UI variables and categories.

POST /api/ui/categories/: Create Ui Category
PUT /api/ui/categories/categories/{id}: Update Ui Category by ID
PATCH /api/ui/categories/categories/{id}: Patch Ui Category
DELETE /api/ui/categories/categories/{id}: Delete Ui Category by ID
POST /api/ui/variables/: Create Ui Variable
PUT /api/ui/variables/variables/{id}: Update Ui Variable by ID
PATCH /api/ui/variables/variables/{id}: Patch Ui Variable
DELETE /api/ui/variables/variables/{id}: Delete Ui Variable by ID

Self (Authenticated User)

`self:write`

Grants permissions for users to manage their own profiles and avatars.

POST /api/self/avatar: Upload avatar for self
DELETE /api/self/avatar: Delete avatar for self
PUT /api/self: Replace User Self
PATCH /api/self: Update User Self
DELETE /api/self: Commit Suicide

Note: Endpoints like reading self data, logging out, and managing active sessions require basic authentication but do not explicitly require the self:write scope.

Scopes ​

Administrative Scopes ​

admin ​

admin:read ​

API Keys Management ​

apikeys:read ​

apikeys:write ​

Asset Store & Sharing ​

store:read ​

store:write ​

store:share ​

Blueprints & Factory Assemblies ​

blueprints:read ​

blueprints:write ​

assemblies:read ​

assemblies:write ​

Forms & Form Submissions ​

forms:read ​

forms:submit ​

form_submissions:read ​

form_submissions:write ​

formbuilder:read ​

formbuilder:write ​

Groups & Users ​

groups:read ​

groups:write ​

users:read ​

users:write ​

Logging & Audits ​

audit:read ​

audit:write ​

logging:read ​

logging:write ​

Mail Templates ​

mail_templates:read ​

mail_templates:write ​

Scope Sets ​

scope_sets:read ​

scope_sets:write ​

Themes ​

themes:read ​

themes:write ​

User Interface (UI) Variables ​

ui:read ​

ui:write ​

Self (Authenticated User) ​

self:write ​