---
description: M2M scopes control which Kinde Management API endpoints an application can access. Learn how to configure and request scopes.
sidebar:
  order: 8
  label: API Scopes
tableOfContents:
  maxHeadingLevel: 3
topics:
  - developer-tools
  - kinde-api
  - authentication
  - authorization
  - sdk
languages:
  - shell
audience:
  - developers
  - admins
complexity: intermediate
keywords:
  - m2m scopes
  - machine to machine
  - jwt scopes
  - scope claim
  - api access control
  - read:users
  - update:users
  - read:roles
  - update:roles
  - create:organizations
  - feature flags
  - environment variables
  - webhooks
  - connections
  - permissions
  - client credentials
updated: 2026-05-02
featured: false
deprecated: false
ai_summary: >
  Scopes in the Kinde Management API are JWT claims that control which endpoints a machine-to-machine (M2M) application can access. Each scope follows a verb:resource pattern — for example, read:users or update:roles — and is assigned when you authorize an M2M application in your Kinde dashboard. By default, a token request returns all scopes enabled for that application, but you can request a subset by passing a scope parameter in the token request body. This is useful for limiting what a specific token can do, reducing your attack surface. The page covers how to add, update, and manage scopes via Settings > Applications, and includes a reference table of the most commonly used scopes grouped by resource type: users, organizations, organization users, roles, permissions, applications, feature flags, environments, connections, and webhooks. The general guidance is to enable only the minimum scopes an application requires.
---
The Kinde management API uses JSON Web Tokens (JWTs) to authenticate requests. The scope claim in a token controls which API endpoints the application can access.
Example scopes

- read:users — read user details
- update:users — update user details
- read:roles — read roles
- update:roles — update roles
Scopes are assigned when you authorize an M2M application and can be updated at any time. Enable only what you need — fewer scopes means a smaller attack surface.
Request a subset of scopes
By default, a token request returns all scopes enabled for that application. To limit the scopes in a token, include a scope parameter in the request body. This is useful when you want tighter control over what a specific token can access.
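As an added example (not code from the Kinde docs), the helper below builds the client-credentials token request with an optional scope subset and then checks that the token you get back carries no scope beyond what you asked for. It assumes the standard OAuth 2.0 form fields, a token endpoint at `https://<domain>/oauth2/token`, an audience of `https://<domain>/api`, and a scope claim named `scope` (string) or `scp` (list); the function names are hypothetical and the sample token is constructed inline.

```python
import base64
import json
from urllib.parse import urlencode


def build_token_request(domain, client_id, client_secret, scopes=None):
    """Return (url, form body) for a client-credentials token request.

    With scopes=None no scope parameter is sent, so the token carries every
    scope enabled for the application; a list narrows it to that subset.
    Endpoint path and audience are assumptions about Kinde's token endpoint.
    """
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": f"https://{domain}/api",
    }
    if scopes:
        form["scope"] = " ".join(scopes)  # space-separated per RFC 6749
    return f"https://{domain}/oauth2/token", urlencode(form)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def scopes_from_jwt(token):
    """Read the scope claim of a JWT you just obtained, for inspection only.

    The signature is NOT verified here: never use this to authorize a token
    you received from someone else. Accepts a space-separated string
    ("scope") or a list ("scp"); which shape Kinde uses is an assumption.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    claim = payload.get("scope", payload.get("scp", []))
    return set(claim.split()) if isinstance(claim, str) else set(claim)


def excess_scopes(token, requested):
    """Scopes present in the token beyond those requested; should be empty."""
    return scopes_from_jwt(token) - set(requested)


def _constructed_token(scope_claim):
    """Constructed, unsigned sample JWT so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc({'scope': scope_claim})}.placeholder-signature"


if __name__ == "__main__":
    print(build_token_request("example.kinde.com", "CLIENT_ID", "CLIENT_SECRET", ["read:users", "read:roles"]))
    tok = _constructed_token("read:users read:roles update:users")
    print(excess_scopes(tok, ["read:users", "read:roles"]))  # → {'update:users'}
```

If `excess_scopes` is non-empty for a real token, the application has more scopes enabled in Settings > Applications than this workload needs and the extra ones should be removed there.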