Scope map for tokens
Most API calls require a bearer token to access data. This map shows the scope that applies to each Venafi endpoint.
How do I use the map?
You can use the map to decide the necessary scopes to declare in an API integration. The scopes and restrictions you need are based on the API calls that your client makes.
For example, my client has various REST calls that manage certificates and sets folder policy. So the scope looks like this: scope: certificate:discover,delete,manage,revoke. To get a token, I call an Authorize method, such as POST Authorize/Oauth. From the response, the reusable access token goes in the header of all my client calls. It is valid until it expires or I revoke the grant in the token.
TIP Your client can reuse the same token until it expires. As necessary, your client should track the expiration time and use the refresh token to get a new one. On exit, your client can revoke the token.
When you specify another scope, you also automatically receive additional access to the any scope. For example, configuration:Manage grants the caller access to POST Log.
Scope(s) with |
Automatic access to these API methods |
---|---|
<none> No privilege |
Each grant automatically includes access to methods in the any scope.
Each grant automatically includes access to methods in the any scope.