Scopes & Permissions
This page lists the API scopes available in Gangmates and the route names each scope authorizes. Authorization is evaluated against the route name of the endpoint being called: a request is allowed if at least one scope on the token lists that route name, and denied with 403 Forbidden otherwise.
Rule of least privilege: assign only the scopes an integration actually needs, and prefer several narrow scopes over one broad one.
Special scope
all → * (grants every route listed under any scope on this page; it is equivalent to holding all of the scopes below, so a route that no scope lists stays unreachable). Use only for trusted, full-access service integrations.
Users
Scope | Grants (route names) | Notes
--- | --- | ---
users.read | users.index, users.show | Read-only.
users.write | users.store, users.update, users.regenerate-email, users.regenerate-unique-id | Standard writes plus identifier regeneration.
users.lifecycle.write | users.destroy, users.activate, users.deactivate, users.suspend, users.unsuspend | Lifecycle actions; treat as sensitive. Note that users.destroy sits here, not in users.write.
users.bulk.templates | users.import-template, users.update-template | Template downloads only.
users.bulk.write | users.bulk-create, users.bulk-update | Sensitive bulk operations (tighter rate limits).
Paystubs
Scope | Grants (route names)
--- | ---
paystubs.read | paystubs.index
paystubs.write | paystubs.store
Contribution Settings & Contributions
Scope | Grants (route names) | Notes
--- | --- | ---
contributions.settings.read | contribution-settings.show, contribution-settings.index | Read settings.
contributions.settings.write | contribution-settings.update | Update settings.
company.contributions | contributions.company | Company-level contributions.
users.contributions | contributions.user | User-level contributions.
Custom Contributions
Scope | Grants (route names)
--- | ---
custom.contributions.read | custom-contributions.index, custom-contributions.show
custom.contributions.write | custom-contributions.store, custom-contributions.update, custom-contributions.destroy
Payments & Wallets
Scope | Grants (route names) | Notes
--- | --- | ---
process.payments | payments-process | Initiates a payment process. The route name does not follow the resource.action pattern used elsewhere; confirm it against the route list before relying on it.
wallets.operations.read | wallet.transaction.status, wallet.balance | Read operations. wallet.transactions (transaction listing) is not included; add it to this scope if that route is needed.
wallets.operations.write | wallets.top-up | Write operations (top-up). The wallets. prefix differs from the wallet. prefix of the read routes; confirm the route name against the route list.
Invoices
Scope | Grants (route names)
--- | ---
invoices.read | invoices.index, invoices.show
invoices.write | invoices.store, invoices.update, invoices.destroy
invoices.review | invoices.approve, invoices.finance-approve
Domains
Scope | Grants (route names)
--- | ---
domains.read | domains.index, domains.show
domains.write | domains.store, domains.update, domains.destroy
Third‑party Providers
Scope | Grants (route names)
--- | ---
third-party-providers.read | third-party-providers.index, third-party-providers.show
third-party-providers.write | third-party-providers.store, third-party-providers.update, third-party-providers.destroy
Categories & Subcategories
Scope | Grants (route names)
--- | ---
categories.read | categories.index, categories.show
categories.write | categories.store, categories.update, categories.destroy
subcategories.read | subcategories.index, subcategories.show
subcategories.write | subcategories.store, subcategories.update, subcategories.destroy
Roles & Permissions
Scope | Grants (route names)
--- | ---
roles.read | roles.index, roles.show
roles.write | roles.store, roles.update, roles.destroy
permissions.read | permissions.index, permissions.show
User Types
Scope | Grants (route names)
--- | ---
user-types.read | user-types.index, user-types.show
user-types.write | user-types.store, user-types.update, user-types.destroy
Bank Information & Banks
Scope | Grants (route names) | Notes
--- | --- | ---
bank-information.read | bank-information.index, bank-information.show | Read-only; this page defines no write scope for bank information.
banks.read | fetch-banks, banks.show | Read-only. fetch-banks does not follow the resource.action pattern used elsewhere; confirm it against the route list before relying on it.
API Logs
Scope | Grants (route names)
--- | ---
api-logs.read | api-logs.index, api-logs.show
Companies
Scope | Grants (route names)
--- | ---
companies.read | companies.index, companies.show
companies.write | companies.store, companies.update, companies.destroy, companies.activate, companies.deactivate
Assigning scopes to a token (admin)
In Security → API, when generating or editing a token, choose scopes from the list above.
Prefer combining granular scopes (e.g., users.read + paystubs.read) over the all scope.
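The evaluation rule stated at the top of this page (allow only if some scope on the token lists the endpoint's route name, otherwise 403) and the least-privilege guidance for assigning scopes are both easy to get subtly wrong, so here is an added worked example. It is illustrative Python written for this page, not Gangmates' own implementation: the SCOPE_GRANTS table is transcribed from the tables above (including the payments and wallet route names that are still pending confirmation), while routes_for, authorize and minimal_scopes are assumed helper names. minimal_scopes goes a step beyond the page: given the route names an integration actually calls, it picks a small covering set of granular scopes and reports any extra routes those scopes grant as a side effect, which is the check an admin wants before saving a token.

```python
"""Scope evaluation and least-privilege scope selection for route-name based scopes.

Illustrative code written for this documentation page, not Gangmates' implementation.
SCOPE_GRANTS is transcribed from the scope tables above; the helpers are assumptions
that model the rule "allowed only if some token scope lists the route name".
"""
from itertools import chain


def _read(resource):
    """Conventional read grants used by most resources on this page."""
    return {f"{resource}.index", f"{resource}.show"}


def _write(resource):
    """Conventional write grants used by most resources on this page."""
    return {f"{resource}.store", f"{resource}.update", f"{resource}.destroy"}


# scope -> set of route names it authorizes (transcribed from the tables above)
SCOPE_GRANTS = {
    "users.read": _read("users"),
    "users.write": {"users.store", "users.update",
                    "users.regenerate-email", "users.regenerate-unique-id"},
    "users.lifecycle.write": {"users.destroy", "users.activate", "users.deactivate",
                              "users.suspend", "users.unsuspend"},
    "users.bulk.templates": {"users.import-template", "users.update-template"},
    "users.bulk.write": {"users.bulk-create", "users.bulk-update"},
    "paystubs.read": {"paystubs.index"},
    "paystubs.write": {"paystubs.store"},
    "contributions.settings.read": _read("contribution-settings"),
    "contributions.settings.write": {"contribution-settings.update"},
    "company.contributions": {"contributions.company"},
    "users.contributions": {"contributions.user"},
    "custom.contributions.read": _read("custom-contributions"),
    "custom.contributions.write": _write("custom-contributions"),
    "process.payments": {"payments-process"},        # route name pending confirmation
    "wallets.operations.read": {"wallet.transaction.status", "wallet.balance"},
    "wallets.operations.write": {"wallets.top-up"},  # route name pending confirmation
    "invoices.read": _read("invoices"),
    "invoices.write": _write("invoices"),
    "invoices.review": {"invoices.approve", "invoices.finance-approve"},
    "domains.read": _read("domains"),
    "domains.write": _write("domains"),
    "third-party-providers.read": _read("third-party-providers"),
    "third-party-providers.write": _write("third-party-providers"),
    "categories.read": _read("categories"),
    "categories.write": _write("categories"),
    "subcategories.read": _read("subcategories"),
    "subcategories.write": _write("subcategories"),
    "roles.read": _read("roles"),
    "roles.write": _write("roles"),
    "permissions.read": _read("permissions"),
    "user-types.read": _read("user-types"),
    "user-types.write": _write("user-types"),
    "bank-information.read": _read("bank-information"),
    "banks.read": {"fetch-banks", "banks.show"},     # route name pending confirmation
    "api-logs.read": _read("api-logs"),
    "companies.read": _read("companies"),
    "companies.write": _write("companies") | {"companies.activate", "companies.deactivate"},
}

ALL_SCOPE = "all"


def routes_for(scope):
    """Route names one scope authorizes. `all` is the union of every listed scope, so a
    route that no granular scope lists stays unreachable. Unknown scopes grant nothing."""
    if scope == ALL_SCOPE:
        return set(chain.from_iterable(SCOPE_GRANTS.values()))
    return SCOPE_GRANTS.get(scope, set())


def authorize(token_scopes, route_name):
    """Return (allowed, http_status): 200 if any token scope lists route_name, else 403."""
    if any(route_name in routes_for(s) for s in token_scopes):
        return True, 200
    return False, 403


def minimal_scopes(required_routes):
    """Pick a small set of granular scopes covering required_routes (greedy set cover).
    Returns (sorted scope names, routes granted beyond what was required) so an admin
    can see the extra privilege the token picks up as a side effect."""
    uncovered = set(required_routes)
    unknown = uncovered - routes_for(ALL_SCOPE)
    if unknown:
        raise ValueError(f"no scope authorizes: {sorted(unknown)}")
    chosen = set()
    while uncovered:
        # most still-uncovered routes first; among ties prefer the narrower scope
        scope = max(SCOPE_GRANTS, key=lambda s: (len(SCOPE_GRANTS[s] & uncovered),
                                                 -len(SCOPE_GRANTS[s]), s))
        chosen.add(scope)
        uncovered -= SCOPE_GRANTS[scope]
    granted = set(chain.from_iterable(SCOPE_GRANTS[s] for s in chosen))
    return sorted(chosen), granted - set(required_routes)
```

Two behaviours worth noticing: invoices.write does not cover invoices.approve, because review is a separate scope, and a token holding only all still gets 403 for a route name that appears in none of the tables. minimal_scopes(["invoices.show"]) returns invoices.read together with the surplus {"invoices.index"}, which is the kind of over-grant that scope tables this coarse make unavoidable and that should be recorded when the token is issued.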