Level 1 — Credential categories
When an API credential is created in the Asset Manager dashboard, it is assigned one or more categories:| Category | Description |
|---|---|
OFFERINGS | Read offering data |
ACCOUNT | Create, read, and update accounts |
ORDER | Create, read, update, and cancel orders |
WALLET | Read wallets |
Level 2 — Fine-grained scopes
At authentication time, request specific scopes in thescopes array. Only scopes allowed by the credential’s categories are granted.
| Category | Available scopes |
|---|---|
OFFERINGS | offering.read |
ACCOUNT | account.create, account.read, account.update |
WALLET | wallet.read |
ORDER | order.create, order.read, order.update, order.delete |
Endpoint → scope mapping
| Endpoint | Required scope |
|---|---|
GET /_api/offerings | offering.read |
GET /_api/offerings/{offeringId} | offering.read |
POST /_api/offerings/{offeringId}/orders | order.create |
GET /_api/offerings/{offeringId}/orders | order.read |
GET /_api/offerings/{offeringId}/orders/{orderId} | order.read |
PATCH /_api/offerings/{offeringId}/orders/{orderId}/cancel | order.update |
POST /_api/accounts | account.create |
GET /_api/accounts/{accountId} | account.read |
PATCH /_api/accounts/{accountId} | account.update |
GET /_api/accounts/{accountId}/orders | order.read |
GET /_api/accounts/{accountId}/transactions | account.read |
GET /_api/accounts/{accountId}/benefiting-persons | account.read |
POST /_api/accounts/{accountId}/benefiting-persons | account.create |
GET /_api/accounts/{accountId}/wallets | wallet.read |
GET /_api/accounts/{accountId}/wallets/{walletId} | wallet.read |
GET /_api/accounts/{accountId}/wallets/balances | wallet.read |
Insufficient scope error
If the token lacks a required scope:Best practices
- Request the minimum scopes needed for your integration
- Use separate credentials for read-only vs write operations when possible
- Re-authenticate with expanded scopes if your integration requirements change

