Available permission scopes for API Keys and OAuth2 tokens
Scopes control which API endpoints your token can access. They apply to both API Keys and OAuth2 tokens . Session cookie authentication (browser dashboard) has full access and is not subject to scopes.
Scope Access invoices:readList invoices, get invoice details, generate PDF, preview PDF, download bulk PDF, export Excel, list recurring invoices, get recurring details, preview recurring invoices:writeCreate, update, delete, duplicate invoices. Issue, void, mark paid/sent, schedule. Send emails. Create/manage recurring invoices
Scope Access customers:readList customers, get customer details, download CSV template customers:writeCreate, update, deactivate customers. Bulk create, bulk deactivate, CSV import, Holded import
Scope Access products:readList products, get product details, search products products:writeCreate, update, delete products. Bulk create, bulk delete
Scope Access configuration:readRead VeriFactu configuration, invoice customization options configuration:writeUpdate VeriFactu configuration, tax configuration, language preferences
Scope Access series:readList billing series series:writeCreate, update, delete series. Set default series
Scope Access taxes:readRead tax configuration, list available tax types
Scope Access nif:validateValidate Spanish NIFs against AEAT
Scope Access business_profiles:readList companies, get company details, download/check representation status, list company API keys business_profiles:writeCreate, update, delete companies. Generate/submit/cancel representations. Create/revoke company API keys
API Keys : Scopes are assigned when creating the key. Cannot be changed after creation.
OAuth2 tokens : Scopes are requested during authorization. The user consents to the requested scopes.
Session cookies : Full access, scopes are not enforced (dashboard users).
Each API endpoint requires one or more scopes. The required scope is documented in the API Reference for each operation.
If your token is missing a required scope:
{
"success" : false ,
"error" : {
"code" : "FORBIDDEN" ,
"message" : "No tienes permiso para realizar esta accion"
}
}
Select scopes when creating the key in Settings > API Keys .
Include the scope parameter in the authorization URL:
scope=invoices:read customers:read products:read
Request only what your application needs. Users see the requested scopes during consent.