Scopes
Permission scopes that control access to the Stemp API.
Scopes control what actions an API token or OAuth2 app can perform. When creating an API token, select only the scopes your integration needs.
API & App Scopes
Templates
Access to wallet card templates
| Scope | Description |
|---|---|
| template:read | Read templates |
| template:create | Create templates |
| template:update | Update templates |
| template:delete | Delete templates |
Wallet Passes
Access to wallet passes
| Scope | Description |
|---|---|
| pass:read | Read wallet passes |
| pass:create | Create wallet passes |
| pass:update | Update wallet passes |
| pass:delete | Delete wallet passes |
Loyalty
Manage stamps and points
| Scope | Description |
|---|---|
| loyalty:manage | Manage stamps and points (add, remove, redeem) |
Users
Access to end-users (customers)
| Scope | Description |
|---|---|
| user:read | Read users |
| user:create | Create users |
| user:update | Update users |
Organization
Access to organization settings
| Scope | Description |
|---|---|
| org:read | Read organization |
| org:update | Update organization (name, slug, etc.) |
| org:delete | Delete organization |
Organization Settings
Advanced organization settings
| Scope | Description |
|---|---|
| org:settings:read | Read organization settings |
| org:settings:update | Update organization settings |
Team Members
Access to organization members
| Scope | Description |
|---|---|
| org:members:read | Read organization members |
| org:members:manage | Manage organization members (add, remove, change roles) |
API Tokens
API token management
| Scope | Description |
|---|---|
| api_token:manage | Manage API tokens |
Platform Scopes
Platform scopes are only available to installed apps (via OAuth2) and cannot be used with API tokens. They provide access to stemp infrastructure services.
| Scope | Description | Available for |
|---|---|---|
| platform:email:send | Send emails via the stemp email infrastructure and view email logs | App only |
See the Platform API documentation for details on using platform services.
Scope Contexts
Not all scopes are available in all contexts:
| Context | Description | Example |
|---|---|---|
| API | Available for API tokens created in the console | pass:read, user:create |
| App | Available for OAuth2 app installations | pass:read, platform:email:send |
Some scopes are API-only (e.g., api_token:manage, app:manage) and some are app-only (e.g., platform:email:send). Most scopes are available in both contexts.
Best Practices
- Least privilege — request only the scopes your integration needs.
- Separate tokens — use different API tokens for different parts of your system with minimal scopes each.
- A typical POS integration only needs pass:read, pass:create, loyalty:manage, and user:read.
- Platform scopes should only be requested if your app actively uses platform services like email.
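
The context rules and least-privilege guidance above can be checked before a token or app grant is created. The following is an added example, not code from the Stemp project: the scope names come from the tables on this page, while `audit_scopes`, the assumption that every scope not named API-only or app-only is valid in both contexts, and the sample token are constructed for illustration.

```python
"""Audit a requested scope set against the context rules on this page."""

# Named on this page as API-only and app-only respectively.
API_ONLY = {"api_token:manage", "app:manage"}
APP_ONLY = {"platform:email:send"}
# Assumption: every other scope in the tables is valid in both contexts.
BOTH = {
    "template:read", "template:create", "template:update", "template:delete",
    "pass:read", "pass:create", "pass:update", "pass:delete",
    "loyalty:manage", "user:read", "user:create", "user:update",
    "org:read", "org:update", "org:delete",
    "org:settings:read", "org:settings:update",
    "org:members:read", "org:members:manage",
}
# The POS baseline given under Best Practices.
POS_BASELINE = {"pass:read", "pass:create", "loyalty:manage", "user:read"}


def audit_scopes(requested, context, needed):
    """Classify each requested scope for one API token ("api") or app ("app")."""
    if context not in ("api", "app"):
        raise ValueError("context must be 'api' or 'app'")
    requested, needed = set(requested), set(needed)
    known = BOTH | API_ONLY | APP_ONLY
    allowed = BOTH | (API_ONLY if context == "api" else APP_ONLY)
    unknown = requested - known                # typos or scopes not on this page
    wrong_context = (requested & known) - allowed
    return {
        "unknown": sorted(unknown),
        "wrong_context": sorted(wrong_context),
        # Valid but beyond what the integration needs: least-privilege violations.
        "excess": sorted(requested - needed - unknown - wrong_context),
        "missing": sorted(needed - requested),
    }


if __name__ == "__main__":
    # Constructed sample: a POS API token that has accumulated extra scopes.
    pos_token = ["pass:read", "pass:create", "loyalty:manage", "user:read",
                 "org:delete", "platform:email:send", "pass:raed"]
    for finding, scopes in audit_scopes(pos_token, "api", POS_BASELINE).items():
        print(f"{finding:14} {scopes}")
```

Running the audit once per token, each with its own `needed` set, also covers the separate-tokens practice: any scope reported under `excess` belongs on a different token or nowhere.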