Standard Scopes
All scopes follow theresource:action[:constraint] format defined in Scopes.
Calendar
Payments
Files
Contacts
Profile
Notifications
Database
API
Admin
Constraint Patterns
Constraints are the optional third segment of a scope string. They narrow the permission granted:
Constraints are validated by the consuming service, not by Grantex itself. Grantex stores and delivers them in the
scp claim — your application enforces the constraint logic.
Custom Scope Guidelines
When your application needs scopes beyond the standard registry:Naming Convention
Follow theresource:action[:constraint] format:
Recommendations
- Use lowercase — scope strings should be entirely lowercase with colons as separators
- Keep resources singular or use a clear noun —
order:read, notreading-orders - Use standard actions — prefer
read,write,create,delete,send,approve,manage,admin - Add constraints only when needed — constraints should narrow a broad permission, not replace fine-grained scopes
- Document scopes — include descriptions when registering agents so users see clear consent prompts
Registering Custom Scopes
Declare your custom scopes when registering an agent:Scope Compatibility
Grantex supports wildcard matching for scope checking. A broader scope satisfies a narrower requirement:
Wildcard scopes (
resource:*) are useful for trusted internal agents that need full access to a resource domain.