# Scopes

Scopes control what actions a token can perform.

[Personal access tokens](/developers/web/guides/personal-access-tokens.md) and [OAuth access tokens](/developers/web/guides/oauth-integrations.md) can only access API endpoints covered by the scopes granted to them. A full reference of available scopes is below.

On top of requesting the correct scope, the user and token must also have the required resources and permissions to perform the action.

Example 1: a personal access token with the scope `data.records:read` and a base added to it would be able to use the "Read records" endpoint on that base, but would not be allowed to use the "Write records" endpoint for that base. Similarly, it would not be able to use the "Read records" endpoint to access other bases that have not been added to the token.

Example 2: a personal access token with the scope `schema.bases:read` and multiple bases added to it would only be able to create fields in bases where the user has Creator permissions (required to customize fields).

For more information on how tokens work, refer to the [Authentication](/developers/web/api/authentication.md) reference.

## Basic scopes

The following scopes are available to all users:

### `data.records:read`

See the data in records

- [List records](/developers/web/api/list-records.md)
- [Get record](/developers/web/api/get-record.md)

### `data.records:write`

Create, edit, and delete records

- [Delete multiple records](/developers/web/api/delete-multiple-records.md)
- [Update multiple records](/developers/web/api/update-multiple-records.md)
- [Create records](/developers/web/api/create-records.md)
- [Sync CSV data](/developers/web/api/post-sync-api-endpoint.md)
- [Delete record](/developers/web/api/delete-record.md)
- [Update record](/developers/web/api/update-record.md)

### `data.recordComments:read`

See comments in records

- [List comments](/developers/web/api/list-comments.md)

### `data.recordComments:write`

Create, edit, and delete record comments

- [Create comment](/developers/web/api/create-comment.md)
- [Delete comment](/developers/web/api/delete-comment.md)
- [Update comment](/developers/web/api/update-comment.md)

### `schema.bases:read`

See the structure of a base, like table names or field types

- [List bases](/developers/web/api/list-bases.md)
- [Get base collaborators](/developers/web/api/get-base-collaborators.md)
- [Get base schema](/developers/web/api/get-base-schema.md)

### `schema.bases:write`

Edit the structure of a base, like adding new fields or tables

- [Create base](/developers/web/api/create-base.md)
- [Create table](/developers/web/api/create-table.md)
- [Update table](/developers/web/api/update-table.md)
- [Create field](/developers/web/api/create-field.md)
- [Update field](/developers/web/api/update-field.md)
- [Sync CSV data](/developers/web/api/post-sync-api-endpoint.md)

### `workspacesAndBases:read`

View metadata about workspaces, bases, and views including collaborators

- [Get base collaborators](/developers/web/api/get-base-collaborators.md)
- [List block installations](/developers/web/api/list-block-installations.md)
- [Get interface](/developers/web/api/get-interface.md)
- [List views](/developers/web/api/list-views.md)
- [Get view metadata](/developers/web/api/get-view-metadata.md)
- [Get workspace collaborators](/developers/web/api/get-workspace-collaborators.md)

### `webhook:manage`

View, create, delete webhooks for a base, as well as fetch webhook payloads.

- [List webhooks](/developers/web/api/list-webhooks.md)
- [Create a webhook](/developers/web/api/create-a-webhook.md)
- [Delete a webhook](/developers/web/api/delete-a-webhook.md)
- [Enable/disable webhook notifications](/developers/web/api/enable-disable-webhook-notifications.md)
- [Refresh a webhook](/developers/web/api/refresh-a-webhook.md)

### `block:manage`

Create new releases and submissions for custom extensions via the Blocks CLI.

### `user.email:read`

See the user's email address

## Enterprise member scopes

The following scopes are only available to users on an enterprise account:

### `enterprise.groups:read`

View information about user groups under the enterprise, their access, and their members

- [Get user group](/developers/web/api/get-user-group.md)

### `workspacesAndBases:write`

Edit metadata of workspaces and bases, including collaborators, invites, views, and extensions

- [Delete block installation](/developers/web/api/delete-block-installation.md)
- [Manage block installation](/developers/web/api/manage-block-installation.md)
- [Add base collaborator](/developers/web/api/add-base-collaborator.md)
- [Delete base collaborator](/developers/web/api/delete-base-collaborator.md)
- [Update collaborator base permission](/developers/web/api/update-collaborator-base-permission.md)
- [Add interface collaborator](/developers/web/api/add-interface-collaborator.md)
- [Delete interface collaborator](/developers/web/api/delete-interface-collaborator.md)
- [Update interface collaborator](/developers/web/api/update-interface-collaborator.md)
- [Delete interface invite](/developers/web/api/delete-interface-invite.md)
- [Delete base invite](/developers/web/api/delete-base-invite.md)
- [Delete view](/developers/web/api/delete-view.md)
- [Add workspace collaborator](/developers/web/api/add-workspace-collaborator.md)
- [Delete workspace collaborator](/developers/web/api/delete-workspace-collaborator.md)
- [Update workspace collaborator](/developers/web/api/update-workspace-collaborator.md)
- [Delete workspace invite](/developers/web/api/delete-workspace-invite.md)
- [Update workspace restrictions](/developers/web/api/update-workspace-restrictions.md)

### `workspacesAndBases.shares:manage`

View, enable, disable and delete share links for bases. Note: Share links can be used to view the data in the base.

- [List shares](/developers/web/api/list-shares.md)
- [Delete share](/developers/web/api/delete-share.md)
- [Manage share](/developers/web/api/manage-share.md)

## Enterprise admin scopes

The following scopes are only available to enterprise admins:

### `enterprise.scim.usersAndGroups:manage`

Manage the organization's users and groups via SCIM APIs, including provisioning and deprovisioning them.

- [List groups](/developers/web/api/list-scim-groups.md)
- [Create group](/developers/web/api/create-scim-group.md)
- [Delete group](/developers/web/api/delete-scim-group.md)
- [Get group](/developers/web/api/get-scim-group.md)
- [Patch group](/developers/web/api/patch-scim-group.md)
- [Put group](/developers/web/api/put-scim-group.md)
- [List users](/developers/web/api/list-scim-users.md)
- [Create user](/developers/web/api/create-scim-user.md)
- [Delete user](/developers/web/api/delete-scim-user.md)
- [Get user](/developers/web/api/get-scim-user.md)
- [Patch user](/developers/web/api/patch-scim-user.md)
- [Put user](/developers/web/api/put-scim-user.md)

### `enterprise.auditLogs:read`

View the organization's audit logs

- [Audit log events](/developers/web/api/audit-log-events.md)
- [List audit log requests](/developers/web/api/list-audit-log-requests.md)
- [Create audit log request](/developers/web/api/create-audit-log-request.md)
- [Get audit log request](/developers/web/api/get-audit-log-request.md)

### `enterprise.changeEvents:read`

View the organization's change events

- [Change events](/developers/web/api/change-events.md)

### `enterprise.exports:manage`

Manage the organization's data exports, including eDiscovery exports

- [List eDiscovery exports](/developers/web/api/list-ediscovery-export.md)
- [Create eDiscovery export](/developers/web/api/create-ediscovery-export.md)
- [Get eDiscovery export](/developers/web/api/get-ediscovery-export.md)

### `enterprise.account:read`

View data about the enterprise account, including workspaces ids, users, groups and email domains

- [Get enterprise](/developers/web/api/get-enterprise.md)

### `enterprise.account:write`

Edit data about the enterprise account, including creating descendant enterprise accounts

- [Create descendant enterprise](/developers/web/api/create-descendant-enterprise.md)

### `enterprise.user:read`

View account information of users under the enterprise, including user id, name, email and bases user has access to

- [Get users by id or email](/developers/web/api/get-users-by-id-or-email.md)
- [Get user by id](/developers/web/api/get-user-by-id.md)

### `enterprise.user:write`

Manage users under the enterprise account, including provisioning, deactivating and deleting users

- [Delete users by email](/developers/web/api/delete-users-by-email.md)
- [Manage user batched](/developers/web/api/manage-user-batched.md)
- [Manage user membership](/developers/web/api/manage-user-membership.md)
- [Grant admin access](/developers/web/api/grant-admin-access.md)
- [Revoke admin access](/developers/web/api/revoke-admin-access.md)
- [Delete user by id](/developers/web/api/delete-user-by-id.md)
- [Manage user](/developers/web/api/manage-user.md)
- [Logout user](/developers/web/api/logout-user.md)
- [Remove user from enterprise](/developers/web/api/remove-user-from-enterprise.md)

### `enterprise.groups:manage`

Manage user groups under the enterprise, including moving them

- [Move user groups](/developers/web/api/move-user-groups.md)

### `workspacesAndBases:manage`

Manage workspaces and bases under the enterprise, including moving them

- [Delete base](/developers/web/api/delete-base.md)
- [Move workspaces](/developers/web/api/move-workspaces.md)
- [Create workspace](/developers/web/api/create-workspace.md)
- [Delete workspace](/developers/web/api/delete-workspace.md)
- [Move base](/developers/web/api/move-base.md)

### `hyperDB.records:read`

Read records in the user's HyperDB tables

- [Read records from a HyperDB table](/developers/web/api/hyperdb-table-read-records.md)

### `hyperDB.records:write`

Write records to the user's HyperDB tables

- [Delete records from a HyperDB table by primary keys](/developers/web/api/hyperdb-delete-records-by-primary-keys.md)
- [Update or insert records from a HyperDB table by primary keys](/developers/web/api/hyperdb-upsert-records-by-primary-keys.md)