The Grantex scope registry provides standard scope definitions organized by domain. Use these as a starting point when registering agents, or define your own custom scopes following the conventions below.

Standard Scopes

All scopes follow the resource:action[:constraint] format defined in Scopes.

Calendar

| Scope | Description | Constraint Examples |
| --- | --- | --- |
| calendar:read | Read calendar events and availability | since_2026-01-01, limit_100 |
| calendar:write | Create and modify calendar events | max_duration_8h |
| calendar:delete | Delete calendar events | |
| calendar:share | Share calendars with other users | |

Email

| Scope | Description | Constraint Examples |
| --- | --- | --- |
| email:read | Read email messages and metadata | folder_inbox, since_2026-01-01 |
| email:send | Send emails on the user’s behalf | limit_50 (per day) |
| email:delete | Delete email messages | folder_trash |
| email:draft | Create and manage draft messages | |

Payments

| Scope | Description | Constraint Examples |
| --- | --- | --- |
| payments:read | View payment history and balances | since_2026-01-01 |
| payments:initiate | Initiate payments and transfers | max_500, max_5000 |
| payments:approve | Approve pending payments | max_1000 |
| payments:refund | Process refunds | max_500 |

Files

| Scope | Description | Constraint Examples |
| --- | --- | --- |
| files:read | Read file contents and metadata | folder_documents, limit_1000 |
| files:write | Upload and modify files | max_size_50mb |
| files:delete | Delete files | folder_temp |
| files:share | Share files with other users | |

Contacts

| Scope | Description | Constraint Examples |
| --- | --- | --- |
| contacts:read | Read contact information | limit_500 |
| contacts:write | Create and update contacts | |
| contacts:delete | Delete contacts | |

Profile

| Scope | Description | Constraint Examples |
| --- | --- | --- |
| profile:read | Read user profile information | |
| profile:write | Update user profile | |

Notifications

| Scope | Description | Constraint Examples |
| --- | --- | --- |
| notifications:read | Read notification history | since_2026-01-01 |
| notifications:send | Send notifications to the user | limit_100 |
| notifications:manage | Manage notification preferences | |

Database

| Scope | Description | Constraint Examples |
| --- | --- | --- |
| database:read | Query database records | limit_10000 |
| database:write | Insert and update records | |
| database:delete | Delete records | limit_100 |
| database:schema | Read or modify database schema | |

API

| Scope | Description | Constraint Examples |
| --- | --- | --- |
| api:read | Read API resources | limit_1000 |
| api:write | Create and update API resources | |
| api:delete | Delete API resources | |
| api:admin | Administrative API operations | |

Admin

| Scope | Description | Constraint Examples |
| --- | --- | --- |
| admin:read | Read administrative data | |
| admin:write | Modify system configuration | |
| admin:users | Manage user accounts | |
| admin:audit | Access audit logs | since_2026-01-01 |

Constraint Patterns

Constraints are the optional third segment of a scope string. They narrow the permission granted:

| Pattern | Description | Example Scope |
| --- | --- | --- |
| max_<amount> | Maximum monetary amount | payments:initiate:max_500 |
| folder_<id> | Restrict to a specific folder | files:read:folder_documents |
| since_<date> | Only access data after a date | email:read:since_2026-01-01 |
| limit_<n> | Maximum number of items/operations | contacts:read:limit_500 |
| max_size_<size> | Maximum file/payload size | files:write:max_size_50mb |
| max_duration_<dur> | Maximum time duration | calendar:write:max_duration_8h |

Constraints are validated by the consuming service, not by Grantex itself. Grantex stores and delivers them in the scp claim — your application enforces the constraint logic.

Custom Scope Guidelines

When your application needs scopes beyond the standard registry:

Naming Convention

Follow the resource:action[:constraint] format:
# Good
inventory:read
orders:create:max_10
reports:generate:since_2026-01-01

# Bad — don't use dots, slashes, or camelCase
inventory.read
orders/create
readInventory

Recommendations

  1. Use lowercase — scope strings should be entirely lowercase with colons as separators
  2. Keep resources singular or use a clear noun: order:read, not reading-orders
  3. Use standard actions — prefer read, write, create, delete, send, approve, manage, admin
  4. Add constraints only when needed — constraints should narrow a broad permission, not replace fine-grained scopes
  5. Document scopes — include descriptions when registering agents so users see clear consent prompts

Registering Custom Scopes

Declare your custom scopes when registering an agent:
const agent = await grantex.agents.register({
  name: 'inventory-bot',
  scopes: [
    'inventory:read',
    'inventory:write',
    'orders:create:max_10',
  ],
});

Scope Compatibility

Grantex supports wildcard matching for scope checking. A broader scope satisfies a narrower requirement:

| Token Scope | Required Scope | Match? |
| --- | --- | --- |
| files:read | files:read | Yes — exact match |
| files:* | files:read | Yes — wildcard matches any action |
| files:* | files:delete | Yes — wildcard matches any action |
| files:read | files:write | No — different action |
| files:read | files:* | No — specific scope doesn’t satisfy wildcard requirement |
| payments:initiate:max_500 | payments:initiate | Yes — constrained scope satisfies unconstrained |
| payments:initiate | payments:initiate:max_500 | No — unconstrained doesn’t imply specific constraint |

Wildcard scopes (resource:*) are useful for trusted internal agents that need full access to a resource domain.
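
The matching rules in the table above, combined with the earlier point that the consuming service enforces constraints, as an added JavaScript example (not Grantex SDK code). It shows why a scope match alone is not enough: payments:initiate:max_500 satisfies payments:initiate, so the amount check has to happen in the service. Assumptions: the function names, the scope grammar regex, the scp claim being an array of strings, exact-match handling of a required constraint, and max_<amount> being in the same unit as the payment amount.

```javascript
// Added example, not Grantex SDK code. Names and grammar are assumptions.
// Parse "resource:action[:constraint]"; return null for malformed input.
function parseScope(scope) {
  const m = /^([a-z_]+):([a-z_]+|\*)(?::([a-z0-9_-]+))?$/.exec(scope);
  return m ? { resource: m[1], action: m[2], constraint: m[3] || null } : null;
}

// True when one token scope satisfies one required scope (compatibility table).
function scopeSatisfies(tokenScope, requiredScope) {
  const t = parseScope(tokenScope);
  const r = parseScope(requiredScope);
  if (!t || !r || t.resource !== r.resource) return false;
  // A token wildcard covers any action; a required wildcard needs a token wildcard.
  if (t.action !== '*' && t.action !== r.action) return false;
  // Assumption: a required constraint is met only by the identical constraint.
  return r.constraint === null || t.constraint === r.constraint;
}

// Consuming-service check: the scope match alone lets payments:initiate:max_500
// through, so the max_<amount> constraint must be enforced here.
function authorizePayment(scp, amount) {
  // Reject NaN, negatives and non-numbers before any comparison.
  if (!Number.isFinite(amount) || amount <= 0) return false;
  for (const s of scp) {
    if (!scopeSatisfies(s, 'payments:initiate')) continue;
    const { constraint } = parseScope(s);
    if (constraint === null) return true; // unconstrained grant or wildcard
    const m = /^max_(\d+)$/.exec(constraint);
    // Unknown constraint types fail closed: they never authorize.
    if (m && amount <= Number(m[1])) return true;
  }
  return false;
}

// Constructed sample claim, assumed to be an array of scope strings.
const sampleScp = ['files:read', 'payments:initiate:max_500'];
console.log(authorizePayment(sampleScp, 120)); // within max_500
console.log(authorizePayment(sampleScp, 900)); // over max_500
```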