How to Choose the Right Access Token Scopes
I’m still uncertain about how to choose the right access token scopes. From what I gathered in the documentation, it seems we can list multiple scopes by passing them as a space-delimited string to the ‘authorization code’ endpoint. Is there a comprehensive list of all available scopes?
Initially, I thought there were just a few options, like exports, core_data, and offline_access (as shown in the first screenshot). However, I’ve noticed other scopes, such as email and profile, are also available (as seen in the second screenshot).
https://developer.candis.io/reference/get-authentication-code
https://developer.candis.io/docs/token-exchange
Also, the scope is not required as a parameter. What privileges does a token have if no scope is passed? From what I’ve observed, it seems I can still use the Invoice and Export endpoints without specifying any scope.
I'd be thankful for some clarification. 🙏
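As an added example (not from the original post, nor Candis' own code), the following Python builds an authorization-code request with the scopes the post names as one space-delimited string, and then checks what scope a token response actually carries against what the caller needs. It assumes a placeholder authorize URL and the standard OAuth 2.0 rule that a token response may omit `scope` only when it equals the requested scope, which is exactly why requesting no scope leaves the token's privileges undetermined.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Scope names mentioned in the post; the endpoint is a placeholder, not the real one.
KNOWN_SCOPES = {"exports", "core_data", "offline_access", "email", "profile"}
AUTHORIZE_URL = "https://auth.example.invalid/authorize"  # placeholder (assumption)

# Constructed sample token response, shaped like an RFC 6749 token response.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "constructed-token",
    "token_type": "Bearer",
    "scope": "core_data exports offline_access",
}


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str], state: str) -> str:
    """Authorization-code request; scopes are joined with spaces, as the docs describe."""
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-delimited string
        "state": state,             # CSRF binding for the redirect
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def scope_param(url: str) -> str:
    """Read back the decoded scope parameter from a built URL (helper for checks)."""
    return parse_qs(urlparse(url).query)["scope"][0]


def granted_scopes(token_response: dict, requested: list[str]) -> set[str]:
    """Scopes the token actually carries. If the server omits `scope`, RFC 6749 §5.1
    says it equals the request; with no request and no answer, privileges are unknown."""
    if "scope" in token_response:
        return set(token_response["scope"].split())
    if requested:
        return set(requested)
    raise ValueError("no scope requested and none returned: token privileges undetermined")


def check_least_privilege(token_response: dict, requested: list[str], needed: list[str]) -> dict:
    """Report scopes the token lacks for the job and scopes it carries beyond the job."""
    granted = granted_scopes(token_response, requested)
    return {"missing": sorted(set(needed) - granted), "excess": sorted(granted - set(needed))}
```

Treat a non-empty `excess` list as a signal to narrow the request, and the `ValueError` case as a reason to always pass an explicit scope rather than relying on the server's default.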