Secure API Design: Tokens, Roles, and Scopes

APIs stay secure when they rely on tokens rather than user names. A token proves who is calling the API and what the caller is allowed to do. Roles group users or services by duty, while scopes limit each call to a specific action or resource. Tokens are issued by an authorization server after proper checks. Each API request carries the token; the API validates it, checking its issuer (iss), audience (aud), and expiration (exp). The endpoint then confirms the required scopes and, where needed, a user or service role. ...

September 21, 2025 · 2 min · 400 words