Scopes Reference

Scopes control what a Service Account token (ksh_*) can access. They follow the pattern <action>:<module>.

Available Scopes

Scope	Access
`read:customers`	List and view customers
`write:customers`	Create, update, and delete customers
`read:instances`	List and view instances
`write:instances`	Create, update, and delete instances
`read:licenses`	List and view licenses
`write:licenses`	Create, update, and delete licenses
`read:entitlements`	List and view entitlements
`write:entitlements`	Create, update, and delete entitlements
`read:feature_flags`	List, view, and evaluate feature flags
`write:feature_flags`	Create, update, and delete feature flags
`read:deployment_zones`	List and view deployment zones
`write:deployment_zones`	Create, update, delete zones, and deploy releases
`read:releases`	List and view releases
`write:releases`	Create and delete releases
`read:users`	List and view users
`write:users`	Manage users
`read:organizations`	View organization details
`write:organizations`	Update organization settings
`read:tokens`	List service accounts and tokens
`write:tokens`	Create and delete service accounts and tokens
`read:webhooks`	List webhook endpoints and history
`write:webhooks`	Create, update, and delete webhook endpoints

Scope	Description
`read:*`	Read access to all modules
`write:*`	Full access to all modules (implies `read:*`)

When creating a token, you can select a plan to get a pre-defined set of scopes, or select individual scopes manually.

Plan	Included Scopes	Use Case
Control Plan	`write:instances` `write:licenses` `write:customers` `write:deployment_zones` `write:releases` `write:users` `write:organizations` `write:tokens`	Full write access to all management resources — for administrative tools, provisioning pipelines, and internal services
Data Plan	`read:feature_flags` `write:entitlements`	Runtime data plane access — for your product's backend to read feature flags and report entitlement usage