Scopes & Permissions
API keys can be restricted to specific scopes. Each scope controls access to a group of related endpoints. JWT users bypass scope checks and have full access.
| Scope | Description |
|---|---|
| passes:read | View passes, their status, and details |
| passes:write | Issue, update, revoke passes, check-in tickets, send notifications, batch operations |
| templates:read | View pass templates and their configurations |
| templates:write | Create, update, publish, archive, and delete templates |
| events:read | View events, statistics, and registrations |
| events:write | Create and manage events, enable/disable registration, cancel registrations |
| analytics:read | View dashboard statistics, charts, and reports |
| assets:read | View uploaded image assets |
| assets:write | Upload and delete image assets |
| tenants:read | View organization information |
| validate:write | Validate QR codes and check-in passes at events |
JWT Users
When authenticated via JWT (dashboard login), scope restrictions do not apply. JWT users have full access to all endpoints based on their role.
API Key Users
API key users must have ALL required scopes for an endpoint. If a key is missing a scope, the request will receive a 403 Forbidden error listing the missing scope(s).
Restricted Endpoints
The following endpoints are NOT accessible via API keys:
- POST /auth/register — Account creation is platform-only
- POST /auth/login — Login is for dashboard sessions only
- POST /auth/refresh — Token refresh is for JWT sessions only
- All /users endpoints — User management requires JWT + role-based access
- PATCH /tenants/current — Org settings update requires JWT
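
The API key rules above (all required scopes must be present, a denial lists the missing ones, and the restricted endpoints are closed to keys regardless of scope) can be sketched as follows. This is an added example, not the platform's code: the function names, reason strings and the caller-supplied `required` list are assumptions, since the page does not map individual endpoints to scopes or say whether one scope implies another.

```python
# Added illustration of the rules on this page; not the platform's code.
KNOWN_SCOPES = {
    "passes:read", "passes:write", "templates:read", "templates:write",
    "events:read", "events:write", "analytics:read", "assets:read",
    "assets:write", "tenants:read", "validate:write",
}

# Method/path pairs the page lists as not accessible via API keys.
API_KEY_BLOCKED = {
    ("POST", "/auth/register"), ("POST", "/auth/login"),
    ("POST", "/auth/refresh"), ("PATCH", "/tenants/current"),
}


def blocked_for_api_key(method, path):
    """True if the page lists this endpoint as closed to API keys."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    if path == "/users" or path.startswith("/users/"):
        return True  # "All /users endpoints", any method
    return (method.upper(), path) in API_KEY_BLOCKED


def authorize(auth_type, granted, method, path, required):
    """Return (allowed, reason, missing_scopes) for one request.

    `required` is the endpoint's scope list, supplied by the caller because
    the page does not map individual endpoints to scopes.
    """
    unknown = set(required) - KNOWN_SCOPES
    if unknown:
        # Fail closed on a typo in the route's own scope declaration.
        raise ValueError(f"unknown required scope(s): {sorted(unknown)}")
    if auth_type == "jwt":
        # Scope checks do not apply; role checks are separate and not modelled.
        return True, "jwt_scopes_bypassed", []
    if auth_type != "api_key":
        return False, "unknown_auth_type", []
    if blocked_for_api_key(method, path):
        return False, "restricted_endpoint", []
    # ALL required scopes must be present. Assumption: no scope implies
    # another (e.g. passes:write does not grant passes:read).
    missing = sorted(set(required) - set(granted))
    if missing:
        return False, "missing_scopes", missing  # page: 403 listing these
    return True, "ok", []
```

Running a key's granted scopes through a check like this before issuing it is a quick way to confirm the key carries only the scopes its integration needs.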