Scopes and Claims

Here you can see all the scopes and claims we support.

PreviousOrganizations NextIdentity JavaScript SDK

Last updated 2 years ago

Scopes and Claims

Here you can see all the scopes and claims we support.

Scopes are permissions that give access to certain claims or APIs, the user can give access to other applications using those scopes. They can be configured using the Vulos Identity dashboard.

Claims can be accessed using the OpenID Connect userinfo endpoint or by using in the .

See for more information.

User Info

GET https://identity.vulos.io/connect/userinfo

Use an access token to get claims appropriate to the scopes of the application that created the access token.

Headers

Name

Type

Description

Authorization*

String

Bearer authentication with the access token obtained using OpenID Connect

{ "sub": "<guid>", ... }

`openid`

This scope can be used to identify the user using the sub claim, which is a per-user unique identifier.

This is a required scope, meaning that if the user decides do use an app, they cannot restrict access to this scope if the app requires it.

// assuming you have done the correct setup and have an UserInfo instance
const userId = userInfo.sub() // there is an alias called id() as well

{
    "sub": "<guid>"
}

`email`

This scope can be used to get the user's email and their email confirmation status.

This is a required scope, meaning that if the user decides do use an app, they cannot restrict access to this scope if the app requires it.

// assuming you have done the correct setup and have an UserInfo instance
if (userInfo.isEmailVerified()) {
    const email = userInfo.email()
    // do something with the email
}

{
    "email": "john.doe@example.com",
    "email_veerified": false
}

`profile`

This scope can be used to get some personal information about the user.

This is a required scope, meaning that if the user decides do use an app, they cannot restrict access to this scope if the app requires it.

// assuming you have done the correct setup and have an UserInfo instance
const profilePicture = userInfo.picture()
const firstName = userInfo.firstName()
const lastName = userInfo.lastName()
const birthDate = userInfo.birthDate()

{
    "picture": "<link to profile picture>",
    "given_name": "John",
    "family_name": "Doe",
    "birthdate": "YYYY-MM-DD"
}

`profile:read`

Provides access to the Profile API.

`address`

This scope can be used to get the user's address.

// assuming you have done the correct setup and have an UserInfo instance
const address = userInfo.address()

{
    "address": "{ ... }"
}

`public`

This scope can be used to get the user's trust level and KYC verification status.

This is a required scope, meaning that if the user decides do use an app, they cannot restrict access to this scope if the app requires it.

// assuming you have done the correct setup and have an UserInfo instance
if (userInfo.isKycVerified()) {
    // the user has done a successful KYC verification
}
if (userInfo.trustLevel() >= 2) {
    // the user has a high trust level
}

{
    "trust_level": 1,
    "kyc_verified": false
}

`private`

This scope can be used to get the user's digital ID and national ID.

// assuming you have done the correct setup and have an UserInfo instance
const nationalId = userInfo.nationalId()

{
    "national_id": "<national id>",
    "digital_id": "<digital id>"
}

`wallet`

This scope can be used to get the user's Ethereum and Velas wallet addresses.

// assuming you have done the correct setup and have an UserInfo instance
const wallets = userInfo.wallets()
for (const walletAddress of wallets) {
    // do something with the user's wallet address
}

{
    "wallet_address": [
        "<ethereum wallet address>", 
        "<ethereum wallet address 2>"
    ]
}

// ... or

{
    "wallet_address": "<ethereum wallet address>"
}

`organization`

The organization scope group is divided in 3 scopes:

organization:read which provides the claims organization:name and organization:id for all the organizations that the user has a membership for;
organization:roles which provides the organization:role claim for the roles that the user has in the application's associated organization;
organization:manage which provides access to the Organization API;

`organization:read`

// assuming you have done the correct setup and have an UserInfo instance
if (userInfo.isInOrganizationWithName("Example Organization")) {
    // the user is in the organization "Example Organization"
}

if (userInfo.isInOrganizationWithId(5)) {
    // the user is in the organization that has the id 5
}

{
    "organization:id": [2, 5]
    "organization:name": ["Test Organization", "Example Organization"]
}

// ... or

{
    "organization:id": 5
    "organization:name": "Example Organization"
}

`organization:roles`

This is a required scope, meaning that if the user decides do use an app, they cannot restrict access to this scope if the app requires it.

// assuming you have done the correct setup and have an UserInfo instance
if (userInfo.hasRole("SuperAdmin")) {
    // the user has the SuperAdmin role in the app's associated organization
}

{
    "organization:role": ["SuperAdmin", "Example"]
}

// .. or

{
    "organization:role": "SuperAdmin"
}

`organization:manage`

This scope doesn't provide any claims, it just provides access to the following API:

`kyc`

The kyc scope group is divided in 2 scopes:

kyc:read which gives access to the KYC status and list APIs;
kyc:write which gives access to the KYC create and upload APIs;

`event`

The event scope group is divided in 3 scopes:

event:create which lets the application create event sessions;
event:read which lets the application read/subscribe to event sessions;
event:write which lets the application push events to a session;

PreviousOrganizations NextIdentity JavaScript SDK

Last updated 2 years ago

Scopes are permissions that give access to certain claims or APIs, the user can give access to other applications using those scopes. They can be configured using the Vulos Identity dashboard.

Claims can be accessed using the OpenID Connect userinfo endpoint or by using in the .

See for more information.

User Info

GET https://identity.vulos.io/connect/userinfo

Use an access token to get claims appropriate to the scopes of the application that created the access token.

Headers

Name

Type

Description

Authorization*

String

Bearer authentication with the access token obtained using OpenID Connect

{ "sub": "<guid>", ... }

`openid`

This scope can be used to identify the user using the sub claim, which is a per-user unique identifier.

This is a required scope, meaning that if the user decides do use an app, they cannot restrict access to this scope if the app requires it.

// assuming you have done the correct setup and have an UserInfo instance
const userId = userInfo.sub() // there is an alias called id() as well

{
    "sub": "<guid>"
}

`email`

This scope can be used to get the user's email and their email confirmation status.

This is a required scope, meaning that if the user decides do use an app, they cannot restrict access to this scope if the app requires it.

// assuming you have done the correct setup and have an UserInfo instance
if (userInfo.isEmailVerified()) {
    const email = userInfo.email()
    // do something with the email
}

{
    "email": "john.doe@example.com",
    "email_veerified": false
}

`profile`

This scope can be used to get some personal information about the user.

This is a required scope, meaning that if the user decides do use an app, they cannot restrict access to this scope if the app requires it.

// assuming you have done the correct setup and have an UserInfo instance
const profilePicture = userInfo.picture()
const firstName = userInfo.firstName()
const lastName = userInfo.lastName()
const birthDate = userInfo.birthDate()

{
    "picture": "<link to profile picture>",
    "given_name": "John",
    "family_name": "Doe",
    "birthdate": "YYYY-MM-DD"
}

`profile:read`

Provides access to the Profile API.

`address`

This scope can be used to get the user's address.

// assuming you have done the correct setup and have an UserInfo instance
const address = userInfo.address()

{
    "address": "{ ... }"
}

`public`

This scope can be used to get the user's trust level and KYC verification status.

This is a required scope, meaning that if the user decides do use an app, they cannot restrict access to this scope if the app requires it.

// assuming you have done the correct setup and have an UserInfo instance
if (userInfo.isKycVerified()) {
    // the user has done a successful KYC verification
}
if (userInfo.trustLevel() >= 2) {
    // the user has a high trust level
}

{
    "trust_level": 1,
    "kyc_verified": false
}

`private`

This scope can be used to get the user's digital ID and national ID.

// assuming you have done the correct setup and have an UserInfo instance
const nationalId = userInfo.nationalId()

{
    "national_id": "<national id>",
    "digital_id": "<digital id>"
}

`wallet`

This scope can be used to get the user's Ethereum and Velas wallet addresses.

// assuming you have done the correct setup and have an UserInfo instance
const wallets = userInfo.wallets()
for (const walletAddress of wallets) {
    // do something with the user's wallet address
}

{
    "wallet_address": [
        "<ethereum wallet address>", 
        "<ethereum wallet address 2>"
    ]
}

// ... or

{
    "wallet_address": "<ethereum wallet address>"
}

`organization`

The organization scope group is divided in 3 scopes:

organization:read which provides the claims organization:name and organization:id for all the organizations that the user has a membership for;
organization:roles which provides the organization:role claim for the roles that the user has in the application's associated organization;
organization:manage which provides access to the Organization API;

`organization:read`

// assuming you have done the correct setup and have an UserInfo instance
if (userInfo.isInOrganizationWithName("Example Organization")) {
    // the user is in the organization "Example Organization"
}

if (userInfo.isInOrganizationWithId(5)) {
    // the user is in the organization that has the id 5
}

{
    "organization:id": [2, 5]
    "organization:name": ["Test Organization", "Example Organization"]
}

// ... or

{
    "organization:id": 5
    "organization:name": "Example Organization"
}

`organization:roles`

This is a required scope, meaning that if the user decides do use an app, they cannot restrict access to this scope if the app requires it.

// assuming you have done the correct setup and have an UserInfo instance
if (userInfo.hasRole("SuperAdmin")) {
    // the user has the SuperAdmin role in the app's associated organization
}

{
    "organization:role": ["SuperAdmin", "Example"]
}

// .. or

{
    "organization:role": "SuperAdmin"
}

`organization:manage`

This scope doesn't provide any claims, it just provides access to the following API:

Organization API

`kyc`

The kyc scope group is divided in 2 scopes:

kyc:read which gives access to the KYC status and list APIs;
kyc:write which gives access to the KYC create and upload APIs;

KYC API

`event`

The event scope group is divided in 3 scopes:

event:create which lets the application create event sessions;
event:read which lets the application read/subscribe to event sessions;
event:write which lets the application push events to a session;