Skip to main content
The Simply Tokenized API uses a two-level permission model.

Level 1 — Credential categories

When an API credential is created in the Asset Manager dashboard, it is assigned one or more categories:
CategoryDescription
OFFERINGSRead offering data
ACCOUNTCreate, read, and update accounts
ORDERCreate, read, update, and cancel orders
WALLETRead wallets
Categories define the maximum permissions available to that credential.

Level 2 — Fine-grained scopes

At authentication time, request specific scopes in the scopes array. Only scopes allowed by the credential’s categories are granted.
CategoryAvailable scopes
OFFERINGSoffering.read
ACCOUNTaccount.create, account.read, account.update
WALLETwallet.read
ORDERorder.create, order.read, order.update, order.delete

Endpoint → scope mapping

EndpointRequired scope
GET /_api/offeringsoffering.read
GET /_api/offerings/{offeringId}offering.read
POST /_api/offerings/{offeringId}/ordersorder.create
GET /_api/offerings/{offeringId}/ordersorder.read
GET /_api/offerings/{offeringId}/orders/{orderId}order.read
PATCH /_api/offerings/{offeringId}/orders/{orderId}/cancelorder.update
POST /_api/accountsaccount.create
GET /_api/accounts/{accountId}account.read
PATCH /_api/accounts/{accountId}account.update
GET /_api/accounts/{accountId}/ordersorder.read
GET /_api/accounts/{accountId}/transactionsaccount.read
GET /_api/accounts/{accountId}/benefiting-personsaccount.read
POST /_api/accounts/{accountId}/benefiting-personsaccount.create
GET /_api/accounts/{accountId}/walletswallet.read
GET /_api/accounts/{accountId}/wallets/{walletId}wallet.read
GET /_api/accounts/{accountId}/wallets/balanceswallet.read

Insufficient scope error

If the token lacks a required scope:
{
  "error": {
    "type": "invalid_request_error",
    "code": "insufficient_scope",
    "message": "One or more requested scopes are not allowed for this API credential."
  }
}
HTTP status: 403 Forbidden

Best practices

  • Request the minimum scopes needed for your integration
  • Use separate credentials for read-only vs write operations when possible
  • Re-authenticate with expanded scopes if your integration requirements change