Permissions

Permissions in the Investment API are modelled as OAuth 2.0 scopes.

We consider related endpoints in the Investment API to be a {topic} and each individual scope grants you permission to perform a set of {action}s in that "topic". The available {topic}s and {action}s are described below.

Scopes are specified as string IDs, in the format {topic}:{action}.

If you need a particular scope to access a group of functionality in the Investment API, you must specify them when requesting the OAuth 2.0 access token.

It is strongly recommended to limit the number of permissions per access token to the absolute minimum necessary.

Topics

The following {topic}s are available:

accounts: Accounts and account groups.

checks: User checks like KYC, POR, INSTRUMENT_FIT, and COMPLIANCE.

fees: Fee collections.
instruments: Instruments.

mandates: Mandates.

orders: Orders.

payments: Pay-ins and withdrawal operations.

payments: Withdrawal operations.
portfolios: Portfolios.
positions: Positions.
reference_accounts: Reference accounts.
reinvestments: Re-investments.
reports: Reports.
taxes: Tax residencies.

users: (End) users.

valuations: Account valuations.
webhooks: Webhooks.

Actions

There are two {action}s available:

admin: Allows read-and-write access to the resources covered by the {topic}. In most (but not all!) cases, writing includes create, update and delete operations.
read: Allows read-only access to the resources covered by the {topic}.

Only those {topic} × {action} combinations are available, which cover actual API endpoints or operations.
{topic}:admin only includes update and/or delete if any corresponding API endpoints and operations are available.

A full list of available OAuth 2.0 scopes is available for you to inspect.