Scopes
OAuth scopes control what actions a token is authorized to perform. The RSA Platform uses both coarse scopes (bundles) and granular scopes (individual operations).
Coarse Scopes (Recommended)
| Scope | Access | Includes |
|---|---|---|
| platform.read | Read-only Platform API | Tenant list, retailer status, audit log |
| platform.write | Write access Platform API | Create tenant, provision retailer, update features |
| admin.read | Read-only Admin API | Stores, offers, campaigns, users, vendors |
| admin.write | Write access Admin API | Create/update/delete all Admin API resources |
| shopper.read | Read-only Shopper API | Profile, offers, loyalty balance, campaigns |
| shopper.write | Write access Shopper API | Update profile, enroll campaigns, redeem points |
| pos.read | Read-only POS API | Member lookup, offer resolution, basket read |
| pos.write | Write access POS API | Create baskets, earn/redeem points, finalize |
Granular Scope Examples
Granular scopes are prefixed with the resource: offers:read, loyalty:points:redeem, pos:baskets:create, pos:receipts:read.
Use coarse scopes unless you need minimal-privilege grants for specific capabilities.
Scope Selection by Integration Type
| Integration | Recommended Scopes |
|---|---|
| POS terminal (full) | pos.read pos.write |
| POS terminal (read-only, e.g. display) | pos.read |
| Shopper mobile app | shopper.read shopper.write openid |
| Backend reporting service | admin.read |
| Admin portal | admin.read admin.write openid |
| Platform management service | platform.read platform.write |
| ETL / data pipeline | admin.read or granular offers:read |
Requesting Scopes
Specify scopes in the scope parameter of your token request:
```bash
# Client credentials grant; scopes are space-delimited in the scope parameter
curl -X POST http://localhost:5000/connect/token \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_ID" \
  -d "client_secret=YOUR_SECRET" \
  -d "scope=admin.read admin.write"
```
Your OAuth app registration must have the scope pre-authorized. Requesting a scope not registered for your app will result in the scope being silently excluded or a 400 Bad Request.
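The following Python client is an added example, not code from this documentation or the platform. It sends the same client_credentials request as the curl command above and then compares the `scope` value in the token response with what was requested, so a silently narrowed grant is caught before the token is used. The token endpoint is the one shown above; the client id and secret are placeholders, and the sample response at the bottom is constructed.

```python
import json
import urllib.parse
import urllib.request

# Token endpoint from the curl example on this page. Client id/secret passed to the
# functions below are placeholders for illustration, not real credentials.
TOKEN_URL = "http://localhost:5000/connect/token"


def parse_scope(scope_string):
    """Split a space-delimited OAuth scope string into a set of scope names."""
    return set(scope_string.split())


def build_token_request(client_id, client_secret, scopes):
    """Form body for a client_credentials grant (same fields as the curl example)."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(sorted(scopes)),
    })


def request_token(client_id, client_secret, scopes, token_url=TOKEN_URL):
    """POST the token request and return the parsed JSON body (real HTTP call)."""
    body = build_token_request(client_id, client_secret, scopes).encode()
    req = urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def missing_scopes(requested, token_response):
    """Return the requested scopes that the server did not grant.

    Per RFC 6749 section 5.1 the server may omit `scope` when the granted set is
    identical to the request; when present it is authoritative and may be
    narrower than what was asked for (the "silently excluded" case above).
    """
    if "scope" not in token_response:
        return set()
    return set(requested) - parse_scope(token_response["scope"])


def acquire_checked(client_id, client_secret, scopes):
    """Fetch a token and refuse to use it if any requested scope was dropped."""
    resp = request_token(client_id, client_secret, scopes)
    dropped = missing_scopes(scopes, resp)
    if dropped:
        raise PermissionError(
            f"token endpoint did not grant {sorted(dropped)}; "
            "check the app registration's pre-authorized scopes"
        )
    return resp["access_token"]


if __name__ == "__main__":
    # Constructed sample response: admin.write is not pre-authorized for this app,
    # so the server narrowed the grant to admin.read.
    sample = {"access_token": "<opaque>", "token_type": "Bearer",
              "expires_in": 3600, "scope": "admin.read"}
    print(missing_scopes({"admin.read", "admin.write"}, sample))  # {'admin.write'}
```

Failing closed on a narrowed grant is deliberate: an integration that proceeds with fewer scopes than it expected tends to surface the problem later as confusing 403s deep in a workflow rather than at startup, where the registration can be corrected.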
Feature-Gated Scopes
Some granular scopes are only included in tokens when the corresponding feature flag is enabled for the retailer. For example, pos:receipts:read is only emitted when the digital-receipts feature is active. See Feature Entitlements.
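To show how feature gating and the coarse/granular distinction combine, here is an added example (not the platform's own code) of the two checks involved: the issuer-side filter that decides which requested scopes go into a token, and the resource-server check that accepts either the coarse bundle or the matching granular scope on an endpoint. The only gated pair taken from this page is pos:receipts:read behind the digital-receipts feature; the configuration shape, and the assumption that an endpoint treats pos.read as covering pos:receipts:read, are constructed for illustration.

```python
# Constructed mapping: granular scope -> retailer feature flag that gates it.
# Only the pos:receipts:read / digital-receipts pair is taken from this page;
# the shape of the platform's real configuration is an assumption.
FEATURE_GATED_SCOPES = {
    "pos:receipts:read": "digital-receipts",
}


def parse_scope(scope_string):
    """Split a space-delimited OAuth scope string into a set of scope names."""
    return set(scope_string.split())


def issuable_scopes(requested, preauthorized, enabled_features):
    """Issuer side: scopes that may be emitted in the token.

    A requested scope survives only if the app registration pre-authorizes it
    and, for feature-gated scopes, the retailer has the gating feature enabled.
    Everything else is dropped rather than issued.
    """
    granted = set()
    for scope in requested:
        if scope not in preauthorized:
            continue
        feature = FEATURE_GATED_SCOPES.get(scope)
        if feature is not None and feature not in enabled_features:
            continue
        granted.add(scope)
    return granted


def is_authorized(token_scope_string, accepted_scopes):
    """Resource-server side: the token must carry at least one accepted scope.

    An endpoint lists the scopes it honours, typically the coarse bundle plus
    the specific granular scope (assumed here: pos.read or pos:receipts:read
    for a receipt read endpoint). Tokens with neither are refused.
    """
    return bool(parse_scope(token_scope_string) & set(accepted_scopes))


if __name__ == "__main__":
    preauth = {"pos.read", "pos.write", "pos:receipts:read"}
    asked = {"pos.read", "pos:receipts:read"}
    # Feature off: the gated scope is not emitted even though it is pre-authorized.
    print(issuable_scopes(asked, preauth, set()))                   # {'pos.read'}
    # Feature on: both scopes appear in the token.
    print(issuable_scopes(asked, preauth, {"digital-receipts"}))   # {'pos.read', 'pos:receipts:read'}
    # Receipt endpoint accepting the bundle or the granular scope.
    print(is_authorized("pos.write openid", ["pos.read", "pos:receipts:read"]))  # False
```

The order of the two filters in `issuable_scopes` matters for least privilege: registration is checked first, so a feature flag can never widen a grant beyond what the app was registered for.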