{{define "content"}}
Set which scopes are required to call each endpoint. Tokens must carry a matching scope. Endpoints with no scopes are open to any authenticated token.
{{if .Success}}

| Service | Endpoint | Required Scopes | |
|---|---|---|---|
| {{.Service}} | {{.Endpoint}} | {{if .Scopes}}{{range .Scopes}}{{.}} {{end}}{{else}}none{{end}} | |
| No services discovered. Start some services and they will appear here. | | | |

Apply scopes to all endpoints matching a pattern. Use * as a suffix wildcard. Leave scopes empty to clear.
Scopes are strings that you define. A call is allowed when at least one of the token's scopes matches one of the endpoint's required scopes.
Use Bulk Set with pattern greeter.* and scope greeter.
Then create a token with scope greeter — it can call any endpoint on that service.
Set scope billing on payments.Payments.Charge using the table above.
Only tokens with the billing scope can call that endpoint. Other payment endpoints remain unaffected.
Set scope admin on sensitive endpoints (e.g. users.Users.Delete).
Create tokens with admin scope for operators and user scope for regular access.
An endpoint can require multiple scopes — the token only needs to match one of them.
The default admin user has scope *, which bypasses all checks.
Create a token with * scope for services that need unrestricted access.
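
The matching rules described above, written out as an added Go example (not this project's own code): pattern-based bulk assignment, the any-one-scope match, the * bypass, and the fact that an endpoint left without scopes stays open to any authenticated token. The names Rules, BulkSet, Allowed and Demo are hypothetical, and the greeter.Greeter.Hello and payments.Payments.Refund endpoints are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// Rules maps endpoint -> required scopes (hypothetical type, not the project's).
type Rules map[string][]string

// BulkSet sets scopes on every known endpoint matching pattern; a trailing *
// is a suffix wildcard, and passing no scopes clears the requirement.
func (r Rules) BulkSet(pattern string, scopes ...string) {
	prefix := strings.TrimSuffix(pattern, "*")
	for ep := range r {
		if ep == pattern || (prefix != pattern && strings.HasPrefix(ep, prefix)) {
			r[ep] = scopes
		}
	}
}

// Allowed checks scopes only; the token is assumed to be authenticated already.
func (r Rules) Allowed(endpoint string, tokenScopes ...string) bool {
	if len(r[endpoint]) == 0 {
		return true // no required scopes: open to any authenticated token
	}
	for _, ts := range tokenScopes {
		for _, rs := range r[endpoint] {
			if ts == "*" || ts == rs {
				return true // * bypasses checks; otherwise one match is enough
			}
		}
	}
	return false
}

// Demo builds constructed rules; the Hello and Refund endpoints are made up.
func Demo() Rules {
	r := Rules{"greeter.Greeter.Hello": nil, "payments.Payments.Charge": nil,
		"payments.Payments.Refund": nil, "users.Users.Delete": nil}
	r.BulkSet("greeter.*", "greeter")
	r.BulkSet("payments.Payments.Charge", "billing")
	r.BulkSet("users.Users.Delete", "admin")
	return r
}

func main() {
	r := Demo()
	fmt.Println(r.Allowed("payments.Payments.Charge", "greeter"), r.Allowed("payments.Payments.Refund", "greeter")) // false true
}
```
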
| Access method | How auth works |
|---|---|
| API (/api/service/endpoint) | Authorization: Bearer <token> header |
| MCP tools (/api/mcp/call) | Authorization: Bearer <token> header |
| Agent playground | Uses your logged-in session and its scopes |