Extension Scopes
Extensions operate within a strict scope ceiling. Only scopes marked extensionAllowed may appear in an extension manifest. Human, admin, and management scopes are never grantable to extensions.
How scopes flow
Scopes are declared in the extension manifest, snapshotted into a published version, and issued to an install. At each stage Throttle enforces the extensionAllowed ceiling:
- Manifest declaration. You list the scopes your extension needs in
POST /api/v1/extensionsorPATCH /api/v1/extensions/:id.validateScopesForExtensionruns immediately — any scope withextensionAllowed: false(or an unknown scope) returns400 invalid_scope. - Version snapshot. When you publish a version, the manifest scopes are frozen into the version record. Subsequent manifest edits do not change the published version.
- Install.
POST /api/v1/extensions/:id/installpins the install to a version. The install's API key is granted exactly the version's scopes — no more, no less. - Iframe JWT. The launch-token endpoint mints a JWT whose
scopesclaim is the pinned version's scope list. Everybridge.api.*call is authorized against those scopes.
// Extension manifest with scopes
{
"name": "Order Inspector",
"iframeUrl": "https://extensions.example.com/orders",
"webhookUrl": "https://extensions.example.com/webhooks",
"eventSubscriptions": ["order.created", "order.updated", "payment.captured"],
"scopes": [
"orders:read", // required for order.* events + GET /api/v1/orders
"payments:read", // required for payment.* events + GET /api/v1/payments
"customers:read" // optional — allows reading customer records
]
}// The extension's JWT token carries the scopes from the pinned version.
// Calling a route that requires a scope not in that list returns:
// HTTP 403 { error: { code: "insufficient_scopes", ... } }
// Good — orders:read is in the manifest scopes:
const orders = await bridge.api.get('/api/v1/orders?limit=10');
// Bad — payment_refunds:write is NOT extensionAllowed; the manifest
// would have been rejected at registration time:
// await bridge.api.post('/api/v1/payments/pay_xxx/refund', { amount: 500 });
// → 400 invalid_scope at extension create/update timeScope implication rules
The same implication rules that apply to API keys apply to extension scopes:
*covers all scopes — but*is neverextensionAllowedand cannot appear in an extension manifest.resource:writeimpliesresource:readon the same resource. For example,orders:writecoversorders:read.- Read never implies write.
orders:readdoes NOT grantorders:write. - No cross-resource implication.
orders:readdoes not grantcustomers:read.
Management scopes for extensions
The management scopes (extensions:read, extensions:write, extensions:install) control who can author and install extensions. These are Taxonomy B (human) scopes — they are not extensionAllowed. Extensions cannot manage other extensions.
Management scope summary
extensions:read— view the extension catalog and installation list. Required forGET /api/v1/extensions,GET /api/v1/extensions/:id,GET /api/v1/extensions/:id/versions,GET /api/v1/installations,GET /api/v1/installations/:id/deliveries.extensions:write— author, version, and publish extensions. Required forPOST /api/v1/extensions,PATCH /api/v1/extensions/:id,POST /api/v1/extensions/:id/versions,POST /api/v1/extensions/:id/versions/:vid/publish,POST /api/v1/extensions/:id/lifecycle(draft/private).extensions:install— install, configure, and manage installs. Required forPOST /api/v1/extensions/:id/install,POST /api/v1/extensions/:id/uninstall,PATCH /api/v1/installations/:id/config,POST /api/v1/installations/:id/upgrade,POST /api/v1/installations/:id/launch-token,POST /api/v1/installations/:id/deliveries/:deliveryId/replay,POST /api/v1/installations/:id/test.
extensions:install scope is a custom action — it is independent of extensions:write and extensions:read. Granting only extensions:install to a key lets it manage installations without being able to author or list the catalog.Team RBAC for extension management
Dashboard (Clerk) callers are additionally gated by RBAC permissions, not just scopes. The relevant RBAC keys are:
application:extensions:read— all app roles (admin | developer | finance | viewer).application:extensions:write— appadminanddeveloper.application:extensions:install— appadminanddeveloper.application:extensions:admin— required to promote an extension topublicor to delete a catalog entry. Onlyadminrole.
Workspace owners and workspace admins have implicit admin role on every application. See the Permissions reference for the full role-capability matrix.
Extension-allowed scope catalog
The following scopes may appear in an extension manifest. They are all extensionAllowed: true and sourced directly from the live scope registry — they update automatically when new scopes are added.
Applications
applications:read— View applicationsapplications:write— Manage applications
Carts
carts:read— View cartscarts:write— Manage cartscart_items:read— View line itemscart_items:write— Manage line itemscheckout_sessions:read— View checkout sessionscheckout_sessions:write— Manage checkout sessions
Connectors
connectors:read— View connectorsconnectors:write— Manage connectorsconnector_activations:write— Activate/deactivate connectors
Customers
customers:read— View customerscustomers:write— Manage customerscustomer_pii:read— View customer PII (sensitive)customer_addresses:read— View addressescustomer_addresses:write— Manage addressescustomer_payment_methods:read— View stored cards (sensitive)customer_payment_methods:write— Manage stored cards (sensitive)
Discounts
discounts:read— View discountsdiscounts:write— Manage discounts
Fulfillments
fulfillments:read— View fulfillmentsfulfillments:write— Manage fulfillmentsfulfillment_shipments:write— Update shipmentsfulfillment_digital:read— View digital deliveryfulfillment_digital:write— Manage digital deliveryfulfillment_access:write— Manage access credentialsfulfillment_services:write— Manage service fulfillment
Invoices / AR
invoices:read— View invoices & aginginvoice_payments:write— Mark invoices paid (sensitive)invoice_dunning:write— Send dunning notices
Orders
orders:read— View ordersorders:write— Manage ordersorder_cancellations:write— Cancel ordersorder_returns:write— Process returns
Payments
payments:read— View paymentspayments:write— Create paymentspayment_authorizations:write— Authorize paymentspayment_captures:write— Capture paymentspayment_refunds:read— View refunds (sensitive)payment_refunds:write— Refund payments (sensitive)payment_voids:write— Void payments (sensitive)payment_disputes:read— View disputes (sensitive)payment_disputes:write— Handle disputes (sensitive)payment_methods:read— View payment methods (sensitive)payment_methods:write— Tokenize payment methods (sensitive)
Shipping & Tax
shipping_tax:read— View shipping/tax configshipping_tax:write— Edit shipping/tax configshipping_tax_publications:write— Publish shipping/tax configshipping_quotes:write— Request shipping quotestax_calculations:write— Calculate taxshipping_tax_quote_tokens:read— View quote tokensshipping_tax_quote_tokens:write— Manage quote tokensshipping_tax_snapshots:write— Accept external snapshots
Subscriptions
subscriptions:read— View subscriptionssubscriptions:write— Manage subscriptionssubscription_pauses:write— Pause/resume subscriptionssubscription_cancellations:write— Cancel subscriptions
Webhooks & Events
webhooks:read— View webhookswebhooks:write— Manage webhookswebhook_deliveries:read— View deliverieswebhook_deliveries:write— Retry deliveriesevents:read— View eventsaudit_logs:read— View audit log
Workspace
merchant:read— View workspace settingsmerchant:write— Edit workspace settingsembed_config:read— View embed configembed_config:write— Edit embed configbranding:write— Upload branding assets
GET /api/v1/scopes.