Scopes & Permissions

Scopes control what actions your API key can perform. Request only the scopes your application needs.

What are Scopes?

Scopes are permissions that determine which API endpoints your API key can access. When creating an API key, you select which scopes to grant. This follows the principle of least privilege - only grant the permissions your application needs.

Available Scopes

`speakers:read`

Read access to speaker data

Grants access to:

GET /api/speakers - List all speakers
GET /api/speakers/{id} - Get specific speaker details

Use cases:

Display speaker catalogs
Build speaker comparison tools
Create speaker recommendation features

`amplifiers:read`

Read access to amplifier data

Grants access to:

GET /api/amplifiers - List all amplifiers
GET /api/amplifiers/{id} - Get specific amplifier details

Use cases:

Display amplifier catalogs
Build equipment matching tools
Create power calculation features

`dacs:read`

Read access to DAC (Digital-to-Analog Converter) data

Grants access to:

GET /api/dacs - List all DACs
GET /api/dacs/{id} - Get specific DAC details

Use cases:

Display DAC catalogs
Build audio chain planning tools
Create compatibility checking features

`recommendations:read`

Access to intelligent recommendation engine

Grants access to:

POST /api/recommendations - Get personalized equipment recommendations

Use cases:

Build recommendation wizards
Create personalized shopping experiences
Suggest equipment based on user preferences and budget

`search:read`

Cross-category search capabilities

Grants access to:

GET /api/search - Search across all equipment categories

Use cases:

Build unified search interfaces
Create quick-find features
Implement autocomplete functionality

`system:full-access`

System Scope - Full API access (reserved for internal services)

Grants access to:

All API endpoints
All read operations
Administrative functions (when available)

Note: This scope is typically reserved for internal services and administrative tools. Regular applications should request only specific scopes they need.

Scope Combinations

You can request multiple scopes for a single API key. Here are common combinations:

Basic Catalog Access

speakers:read

Ideal for: Simple speaker browsing applications

Complete Equipment Catalog

speakers:read amplifiers:read dacs:read

Ideal for: Full equipment browsing and comparison tools

Recommendation Engine

speakers:read amplifiers:read dacs:read recommendations:read

Ideal for: Personalized shopping assistants and recommendation wizards

Universal Search

search:read speakers:read amplifiers:read dacs:read

Ideal for: Search-focused applications with detailed result pages

Managing Scopes

Creating API Keys with Scopes

Sign in to bassode.com
Go to Account → API Keys
Click "Create New API Key"
Give your key a descriptive name
Select the scopes you need (checkboxes)
Click "Create" and save your credentials

Updating Scopes

You can modify the scopes of an existing API key:

Go to Account → API Keys
Find the API key you want to modify
Click "Edit" or "Manage Scopes"
Check or uncheck scopes as needed
Save changes

Note: Scope changes take effect immediately. Any active requests using the modified API key will have updated permissions.

Scope Verification

When you make a request, the API checks if your API key has the required scope. If not, you'll receive a 403 Forbidden response:

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "Insufficient permissions",
  "message": "Your API key does not have the required scope: speakers:read",
  "requiredScope": "speakers:read",
  "yourScopes": ["amplifiers:read", "dacs:read"]
}

Best Practices

Request minimum necessary scopes - Only request scopes your application actually uses
Use separate keys for different applications - Create different API keys with different scopes for different use cases
Review scopes regularly - Audit your API keys and remove scopes you no longer need
Document required scopes - Clearly document which scopes your application requires in user-facing documentation
Handle permission errors gracefully - Show helpful error messages when scope permissions are insufficient

Scope Naming Convention

Scopes follow the pattern: resource:action

Resource: The type of data (speakers, amplifiers, dacs, etc.)
Action: What you can do (read, write, delete, etc.)

Currently, all available scopes are read scopes. Future versions may introduce write and delete scopes for managing equipment data.

Checking Your Scopes

You can view the scopes assigned to your API keys in the API Keys dashboard. Each key shows:

Key name and identifier
Assigned scopes (with badges)
Creation date
Last used timestamp
Usage statistics

Example: Handling Scope Errors

JavaScript

async function fetchSpeakers() {
  try {
    const response = await fetch('https://api.bassode.com/api/speakers', {
      headers: {
        'X-Api-Key': API_KEY,
        'X-Api-Secret': API_SECRET
      }
    });

    if (response.status === 403) {
      const error = await response.json();
      console.error(`Missing scope: ${error.requiredScope}`);
      console.error(`Your scopes: ${error.yourScopes.join(', ')}`);
      
      // Show user-friendly message
      alert('Your API key does not have permission to access speakers. ' +
            'Please update your API key scopes in your account settings.');
      return null;
    }

    response.ensureSuccessStatusCode();
    return await response.json();
  } catch (error) {
    console.error('Request failed:', error);
    throw error;
  }
}

Future Scopes

We're planning to introduce additional scopes in future releases:

speakers:write - Create and update speaker data
amplifiers:write - Create and update amplifier data
favorites:read / favorites:write - Manage user favorites
comparisons:read / comparisons:write - Manage equipment comparisons
analytics:read - Access usage analytics and insights

Stay tuned to our changelog for updates on new scopes and features!

Next Steps

Manage Your API Keys → Learn about Authentication →