Skip to main content

Principle of Least Privilege

The Principle of Least Privilege refers to an information security concept where only the minimum necessary rights should be assigned to a subject that requests access to a resource.

Granting permissions to an access token beyond the scope of the necessary rights of an action can allow an attacker who manages to steal the token to obtain or change information in unwanted ways. Therefore, careful delegation of access rights can limit attackers to manipulate data.

Our APIs adopt the scopes system, the application owner chooses which scopes are needed for the app to run properly and the users will be prompted to allow the requested permissions. Every resource has its own scope that could be either read-only or full write access, make sure to require the least amount of scopes possible for the correct functioning of your app, selecting as few permissions as possible.


We know it's easier to just require all the possible scopes in write access and not have to think about what's the lowest configuration of privileges that can be asked to the user, but we kindly ask you not to do that, in most of the cases in fact only 3-4 scopes are actually needed to use an application.