Both API key and OAuth2 authentication require that you obtain correct authorization scopes to access different API endpoints.
All authenticated endpoints, except
GET /user, require a specific scope for access. In general, permissions follow the
service-name:resource:action pattern, where the main services are
With OAuth2, scopes should be considered as grants. Users can select which scopes they grant access to for the application. The application might need to request new scopes over the lifecycle of the authorization. In general, only ask for the scopes that your application needs, and avoid asking for access to unnessary ones.
GET /user/auth endpoint to see which permissions the user has been granted.
Was this helpful?