Scopes name capabilities
Each partner capability maps to a scope — reading applications, writing applications, reading decisions, provisioning payments, running identity checks. You name the scopes you want on the token request, and the minted token can only exercise those. A token that never asked for a payments scope simply cannot provision a payment link, so a leaked token is bounded by what it was allowed to do.
Why least privilege
The cost of over-scoping is entirely downside: a credential that can do everything is a credential that, if compromised, can do everything. Scope narrowly and a leaked secret is a contained incident, not a breach. This pairs with per-workload projects — run a separate project per integration so each has its own client, its own scopes and its own rate-limit bucket.
Rotating without downtime
Because scopes live on the credential, you can stand up a second client with the same scopes, cut traffic over, and retire the first — see rotating credentials. Never widen a live credential's scopes just to unblock a one-off task; mint a purpose-scoped credential instead and discard it after.
Frequently asked questions
What happens if I call an endpoint outside my scopes?
You receive an authorization error (a 403-class response) explaining that the token lacks the required scope. The request never reaches the underlying capability, so no partial action occurs.
Can I add scopes to an existing token?
No — scopes are fixed at mint time. Request the wider scope set on your next token request, or better, mint a separate purpose-scoped credential so your everyday token stays narrow.
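The behaviour described above can be modelled offline. The following is an added example, not the partner API's own code: the scope names, operation names and helper functions are hypothetical stand-ins for the capabilities this page lists. It shows scopes fixed at mint time, the 403 gate that runs before any action, and how to measure what a leaked token could reach.

```python
# Added illustration: scope and operation names are hypothetical,
# not the partner API's real identifiers.
from dataclasses import dataclass

# Each capability is guarded by exactly one scope.
REQUIRED_SCOPE = {
    "read_application": "applications:read",
    "write_application": "applications:write",
    "read_decision": "decisions:read",
    "provision_payment_link": "payments:provision",
    "run_identity_check": "identity:check",
}


@dataclass(frozen=True)
class Token:
    client_id: str
    scopes: frozenset  # fixed at mint time; a frozen token cannot be widened


def mint(client_id, requested):
    """Mint a token that carries only the scopes named on the request."""
    unknown = set(requested) - set(REQUIRED_SCOPE.values())
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    return Token(client_id, frozenset(requested))


def call(token, operation, side_effects):
    """Check the scope before the capability runs; a 403 means nothing happened."""
    if REQUIRED_SCOPE[operation] not in token.scopes:
        return 403
    side_effects.append((token.client_id, operation))  # stands in for the action
    return 200


def blast_radius(token):
    """Operations a leaked copy of this token could exercise."""
    return sorted(op for op, s in REQUIRED_SCOPE.items() if s in token.scopes)


def excess_scopes(token, operations_used):
    """Scopes the token carries that the workload's operations never need."""
    needed = {REQUIRED_SCOPE[op] for op in operations_used}
    return sorted(token.scopes - needed)
```

Running excess_scopes against the operations a workload actually performs gives the list of scopes to drop from its next token request.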