OAuth & API scope reference
Every scope Pact exposes, what it grants, and recommended sets per use case.
Scopes control exactly what a token can do. Both OAuth tokens and API keys are scoped — request the minimum your integration needs. Workspace admins approve least-privilege apps faster, and a leaked low-scope token does less damage.
Scopes follow an action:resource shape, for example read:contacts or write:deals. A read: scope lets you list and fetch records of that resource; a write: scope lets you create and update them.
All scopes
| Scope | Grants |
|---|---|
| read:accounts | View company accounts |
| write:accounts | Create and update company accounts |
| read:contacts | View contacts |
| write:contacts | Create and update contacts |
| read:deals | View deals and pipeline |
| write:deals | Create and update deals |
| read:activities | View the activity feed |
| write:activities | Log activities |
| read:workflows | View workflow runs |
Request multiple scopes as a space-separated list, for example read:contacts write:contacts read:deals.
Recommended sets per use case
| Use case | Scopes |
|---|---|
| Read-only dashboard / reporting | read:accounts read:contacts read:deals read:activities |
| Inbound lead capture (forms, web) | write:contacts write:accounts |
| Two-way CRM sync | read:accounts write:accounts read:contacts write:contacts read:deals write:deals |
| Activity logging (calls, emails) | read:contacts write:activities |
| Pipeline automation | read:deals write:deals read:workflows |
Principles
- Least privilege. Start with read: scopes; add write: scopes only where you actually create or update records.
- Read does not imply write. read:contacts cannot modify a contact; you need write:contacts for that.
- Scopes are checked per request. A call to a write endpoint with a read-only token returns 403 Forbidden, not 401. A 401 means the request was not authenticated (missing, invalid or expired token); a 403 means the token was accepted but lacks the scope that endpoint requires.
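The following is an added example, not Pact's own code, that models the two rules above: the space-separated scope list you request, and the per-request check that yields 401 or 403. The scope table is the one on this page; the token store, the mapping of GET/HEAD to read: and every other method to write:, and all function names are assumptions made for the example.

```python
"""Per-request scope enforcement modelled on the rules on this page.

Added example, not Pact's own code. The scope table is the one published
on the page; the token store, the method-to-action mapping and the function
names are assumptions made for the example.
"""
from typing import Optional

# Scope table from the page, kept in table order for stable output.
SCOPE_ORDER = [
    "read:accounts", "write:accounts",
    "read:contacts", "write:contacts",
    "read:deals", "write:deals",
    "read:activities", "write:activities",
    "read:workflows",
]
KNOWN_SCOPES = set(SCOPE_ORDER)

# Assumption: GET and HEAD are reads, any other method is a write.
READ_METHODS = {"GET", "HEAD"}


def parse_scopes(scope_param: str) -> set:
    """Split a space-separated scope list (the request format on this page)
    and reject anything not in the scope table, so a typo such as
    'write:contact' fails when the scopes are requested rather than
    silently granting nothing."""
    requested = set(scope_param.split())
    unknown = sorted(requested - KNOWN_SCOPES)
    if unknown:
        raise ValueError("unknown scopes: " + " ".join(unknown))
    return requested


def scope_string(scopes) -> str:
    """Render a scope set in the page's space-separated format, table order."""
    return " ".join(s for s in SCOPE_ORDER if s in scopes)


def required_scope(method: str, resource: str) -> str:
    """Scope an endpoint needs, derived from the HTTP method and resource."""
    action = "read" if method.upper() in READ_METHODS else "write"
    return f"{action}:{resource}"


# Constructed token store: bearer value -> granted scopes. A real server
# verifies signature and expiry first; only then do scopes matter.
TOKENS = {
    "tok_reporting": parse_scopes(
        "read:accounts read:contacts read:deals read:activities"),
    "tok_activity": parse_scopes("read:contacts write:activities"),
}


def authorize(bearer: Optional[str], method: str, resource: str) -> int:
    """Status a per-request scope check yields: 401 when there is no usable
    token, 403 when the token is valid but lacks the endpoint's scope,
    200 otherwise."""
    if bearer is None or bearer not in TOKENS:
        return 401  # not authenticated: missing or unknown token
    if required_scope(method, resource) not in TOKENS[bearer]:
        return 403  # authenticated, but not authorized for this action
    return 200


def minimal_scopes(calls) -> str:
    """Least-privilege scope string for the (method, resource) calls an
    integration makes. Raises if a call needs a scope that does not exist,
    e.g. a write to workflows: the table lists read:workflows only."""
    needed = {required_scope(m, r) for m, r in calls}
    unknown = sorted(needed - KNOWN_SCOPES)
    if unknown:
        raise ValueError("no such scope: " + " ".join(unknown))
    return scope_string(needed)


if __name__ == "__main__":
    print(authorize("tok_reporting", "POST", "contacts"))  # read-only token on a write endpoint
    print(authorize(None, "GET", "contacts"))              # no token at all
    print(minimal_scopes([("GET", "contacts"), ("POST", "activities")]))
```

Run minimal_scopes over the calls your integration actually makes before registering the app; the result is the scope list to paste into the authorization request, and the ValueError path catches the case where you are about to ask for a scope the table does not offer.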
Changing scopes
To change an OAuth app's scopes, update it in Admin → API & developers — connected workspaces re-consent on the next authorization. For an API key, the scopes are fixed at creation; issue a new key (or rotate) to change them.