Scopes

With OAuth2, access to each API is granted by scope. In security terms this is authorization, which is different from using only an API key: an API key does authentication (proving who you are, like logging in) but says nothing about what you are allowed to do.

export enum Scopes {
  ConsentWrite = 'consent-insert-api',
  ConsentRead = 'consent-get-api',
  SubjectProfileManage = 'subject-profile-manage',
}

You can only call an API when you have been granted the scope it requires. The scope is a parameter you pass to the WireWheel Identity Provider when you request an OAuth2 bearer token.


Granting Scopes

Per the OAuth2 RFC, the allowed scopes are stored in the Identity Management application. All developers can request any scope, since there is only one application: WireWheel. However, if you do not request the scope required by the API you call, WireWheel will return a 401 authorization error.

You can see the scopes granted when you request a bearer token, like this:

{
	"token_type": "Bearer",
	"expires_in": 3600,
	"access_token": "xxxxx",
	"scope": "consent-get-api consent-insert-api subject-profile-manage"
}

There are three scopes:

scope                    definition
consent-insert-api       Add consent to system
consent-get-api          View consents
subject-profile-manage   Update subject records (use subject endpoints)


Important Note: When to URL Encode the Scope

The scope parameter is a single space-delimited string. When you put the parameters in the URL yourself, for example with curl or with code that builds the query string (like /foo.com&params....), each space must be URL encoded as %20, as in the example below. But if you use a library such as JavaScript fetch or Python requests and pass the parameters as a dictionary or object rather than building the string yourself, you pass the plain space-delimited value and do not insert %20; the library encodes it for you.

&scope=consent-insert-api%20consent-get-api%20subject-profile-manage
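The two points above, the space-delimited scope string (encoded when you build the query string yourself) and checking the scopes actually granted in the token response before calling a scoped API, as an added Python example that is not WireWheel's own code. The client id, secret and token response below are constructed placeholders; the scope names are the ones documented on this page.

```python
"""Added example (not WireWheel code): build the scope parameter for a token
request and verify granted scopes before calling a scoped API."""
from urllib.parse import urlencode, quote, parse_qs

# Scope names as documented on this page.
CONSENT_WRITE = "consent-insert-api"
CONSENT_READ = "consent-get-api"
SUBJECT_PROFILE_MANAGE = "subject-profile-manage"

# Constructed sample token response (not a real token).
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "xxxxx",
    "scope": "consent-get-api consent-insert-api",
}


def scope_string(scopes):
    """OAuth2 'scope' value: one space-delimited string, no duplicates."""
    seen = []
    for s in scopes:
        if not s or " " in s:
            raise ValueError(f"invalid scope name: {s!r}")
        if s not in seen:
            seen.append(s)
    return " ".join(seen)


def token_request_body(client_id, client_secret, scopes):
    """Form-encoded body for a client_credentials token request.

    Building the string ourselves, so the spaces in 'scope' become %20.
    A library that accepts a dict (requests' data=) does this for you."""
    params = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope_string(scopes),
    }
    return urlencode(params, quote_via=quote)


def decode_scope_param(body):
    """What the server sees: %20 decodes back to the plain space-delimited string."""
    return parse_qs(body)["scope"][0]


def missing_scopes(token_response, required):
    """Required scopes the token was NOT granted; non-empty means the API call
    will be rejected (this page says with a 401), so check before calling."""
    granted = set(token_response.get("scope", "").split())
    return sorted(set(required) - granted)
```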


Scope Policy

WireWheel intends subject-profile-manage for use by server-side applications only, while consent-insert-api and consent-get-api may be used by either client or server applications. This ensures that customer data is sent to WireWheel from servers and not through the browser.

