Scopes
Scopes are the permissions your app requests. ZetPin has four; ask for only what you need — the user sees each one on the consent screen.
The four scopes
| Scope | Grants | Used by |
|---|---|---|
profile.read | Basic profile: name, photo, karma, neighborhood. | GET /me |
posts.read | List and read the user's own posts. | GET /posts, GET /posts/:id |
posts.write | Publish and delete posts on the user's behalf. | POST /posts, DELETE /posts/:id |
analytics.read | Per-post engagement metrics (likes, comments). | GET /posts/:id/analytics |
Requesting scopes
Pass scopes as a single space-separated scope parameter on the authorize request. Request the minimum set your integration needs — asking for fewer permissions increases consent conversion and limits your blast radius.
http
GET https://api.zetpin.com/oauth/authorize
?client_id=zp_app_xxx
&redirect_uri=https://yourapp.com/callback
&response_type=code
&scope=profile.read posts.read posts.write analytics.read
&state=8f3c9a2eGranted scopes on the token
The token response echoes the scopes the user actually granted in its scope field. Treat this as the source of truth — don't assume you received everything you requested.
json
{
"access_token": "zpat_9f8e7d6c...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "zprt_1a2b3c4d...",
"scope": "profile.read posts.read posts.write"
}Calling outside your granted scopes
If you call an endpoint your token wasn't granted for, the API responds with403 insufficient_scope. Re-run the authorization flow requesting the additional scope. See Errors.