ZetPinDevelopers

Scopes

Scopes are the permissions your app requests. ZetPin has four; ask for only what you need — the user sees each one on the consent screen.

The four scopes

ScopeGrantsUsed by
profile.readBasic profile: name, photo, karma, neighborhood.GET /me
posts.readList and read the user's own posts.GET /posts, GET /posts/:id
posts.writePublish and delete posts on the user's behalf.POST /posts, DELETE /posts/:id
analytics.readPer-post engagement metrics (likes, comments).GET /posts/:id/analytics

Requesting scopes

Pass scopes as a single space-separated scope parameter on the authorize request. Request the minimum set your integration needs — asking for fewer permissions increases consent conversion and limits your blast radius.

http
GET https://api.zetpin.com/oauth/authorize
  ?client_id=zp_app_xxx
  &redirect_uri=https://yourapp.com/callback
  &response_type=code
  &scope=profile.read posts.read posts.write analytics.read
  &state=8f3c9a2e

Granted scopes on the token

The token response echoes the scopes the user actually granted in its scope field. Treat this as the source of truth — don't assume you received everything you requested.

json
{
  "access_token": "zpat_9f8e7d6c...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "zprt_1a2b3c4d...",
  "scope": "profile.read posts.read posts.write"
}

Calling outside your granted scopes

If you call an endpoint your token wasn't granted for, the API responds with 403 insufficient_scope. Re-run the authorization flow requesting the additional scope. See Errors.