Guides

Scopes best practices

Suggest Edits

Effective management of scopes is essential for secure and efficient access to resources. Follow these best practices:

Apply the principle of least privilege at both levels

Grant only the minimum necessary permissions at both levels:

  • Company level: Ensure your company's overall scope configuration grants only the minimum necessary permissions. This defines the maximum capabilities available to all your API credentials.
  • Credential level: Assign only the specific scopes required for each individual API credential. Avoid excessive permissions that are not needed.

πŸ‘€

A platform admin can review current scopes in the API v2 admin dashboard. For more information, see Manage API credentials.

Synchronize credentials with company-level scope changes

  • Proactively add new scopes: When you introduce new company-level scopes, add them to your specific API credentials as needed.
  • Understand automatic restriction application: Company-level scope restrictions automatically apply to all your existing API credentials for enhanced security.

πŸ’‘

You don’t need to generate a new token when updating API credentials. Scopes changes take effect immediately, and existing tokens will reflect the updated permissions.

Consider future needs

  • Plan for future features or integrations, but avoid over-permissioning upfront at either the company or credential level.
  • Request additional permissions only as needed when adding new features or integrations (rather than upfront).

Secure scope management

  • Review and update: Regularly audit and adjust scopes (both company and credential) to align with evolving requirements and security policies.
  • Revoke unnecessary scopes: Immediately remove any scopes (at either level) that are no longer necessary to prevent unauthorized access.

Updated 3 months ago