More granular OAuth scope for cards

[stevebissett]

The scoping on cards is currently a single scope for all card functionality.

There are essentially 2 - 3 smaller scopes:

• Retrieve (GET) - Retrieve cards, code functions, logs of executions with transaction info, etc.
• Retrieve sensitive info (GET) - Retrieve card info with full card numbers, expiry, CVV, etc.
• Updating of code (POST) - Updating function code, publishing code, changing variables.

For security purposes, it would be useful to have more granular scoping so that read-only access can be differentiated from publishing new code etc.

(Currently, I am using the cards API only to retrieve execution logs and hence being able to update and publish code is an unnecessary security risk).

[neilwithers]

Hi @stevebissett

Thanks for the suggestion. We'll have a look at what we can do and get back to you asap.

[neilwithers]

Hi @stevebissett

We have added this to our backlog. We will chat to you when we have an update.

[devinpearson]

An additional scope for creating cards would also be great.

I would really like to see more granular scopes to prevent systems from having too much access

card:full_access
card:full_read

card:cards // handle listing of cards and creating virtual cards

• card:cards:read
• card:cards:create
• card:cards:read_sensitive // maybe for reading the cvv number and details on created virtual cards.
  card:code
• card:code:read
• card:code:write
  card:env_vars
• card:env_vars:read
• card:env_vars:write
  card:logs
• card:logs:read
  card:virtual
• card:virtual:create
• card:virtual:read
  card:control // for toggling card and future features
• card:control:read
• card:control:write