Scopes
Scopes define what level of access an application or token has within ERP.net.
They are included in access tokens and determine which APIs, operations, and data the holder can use.
Scopes are requested by the app and granted by the ERP.net Identity based on the app's configuration and policies.
Standard Scopes
| Scope | Description | Availability |
|---|---|---|
read |
Grants read-only access to ERP.net data through APIs. | All trusted apps |
update |
Grants permission to create, modify, or delete ERP.net data. | All trusted apps |
offline_access |
Allows issuing a refresh token, enabling apps to renew access tokens without user interaction. | All trusted apps |
openid |
Indicates the request is an OpenID Connect authentication request. Required to issue an ID token and identify the authenticated subject. | All trusted apps |
profile |
Grants access to basic user information (such as name, email, user type). | All trusted apps |
sec |
Grants access to security namespace APIs (roles, permissions, etc.). Reserved for ERP.net internal use only. | Internal only |
DomainApi |
Legacy scope. Obsolete and must not be used. | Deprecated |
Note
Note on Identity Scopes
The openid, profile, and offline_access values are protocol-defined scopes, not application-specific permissions. They do not need to be explicitly configured or allowed in a Trusted Application definition. Their availability is determined by the authorization flow being used and the capabilities of the identity system. For example, in the client credentials flow, these scopes are not issued because there is no authenticated user and no interactive session.
Requesting Scopes
Applications request scopes during the authorization or token request using the scope parameter:
POST /id/connect/token
Content-Type: application/x-www-form-urlencoded
client_id=my.trusted.app
client_secret=<secret>
grant_type=client_credentials
scope=read update
The resulting access token will contain the allowed scopes as part of its payload.
Scope Enforcement
- The ERP.net Identity verifies which scopes a Trusted Application is permitted to request.
- If a requested scope is not allowed, the server returns
invalid_scope. - APIs automatically validate scopes on every request.
- If no scopes are explicitly requested, the issued access token will automatically include all scopes defined in the Trusted Application configuration.
Note
Always request the minimal set of scopes required by your application.
This limits exposure and improves overall security.
Example Token Payload (Scopes)
{
"client_id": "my.trusted.app",
"scope": ["read", "update", "offline_access"],
"aud": ["DomainAPI"],
"iss": "https://demo.my.erp.net/id",
"exp": 1762189360
}
Security Considerations
- Only grant
updateto apps that must modify data. - Avoid combining user and system scopes in the same token.
- Regularly audit trusted apps and their allowed scopes.
Learn More
Access Tokens
Learn how scopes are embedded in tokens and used for authorization.Reference Access Tokens (PAT, SAT)
Understand how long-lived tokens also rely on scope definitions.Token Lifetime and Renewal
See how token expiration interacts with scoped access.Trusted Applications and Access Control
Learn how trusted app configurations define which scopes are permitted.