BeeL
Get StartedVeriFactuStripeAPI Reference

Scopes

Available permission scopes for API Keys and OAuth2 tokens


Scopes control which API endpoints your token can access. They apply to both API Keys and OAuth2 tokens. Session cookie authentication (browser dashboard) has full access and is not subject to scopes.

Available Scopes

Invoices

ScopeAccess
invoices:readList invoices, get invoice details, generate PDF, preview PDF, download bulk PDF, export Excel, list recurring invoices, get recurring details, preview recurring
invoices:writeCreate, update, delete, duplicate invoices. Issue, void, mark paid/sent, schedule. Send emails. Create/manage recurring invoices

Customers

ScopeAccess
customers:readList customers, get customer details, download CSV template
customers:writeCreate, update, deactivate customers. Bulk create, bulk deactivate, CSV import, Holded import

Products

ScopeAccess
products:readList products, get product details, search products
products:writeCreate, update, delete products. Bulk create, bulk delete

Configuration

ScopeAccess
configuration:readRead VeriFactu configuration, invoice customization options
configuration:writeUpdate VeriFactu configuration, tax configuration, language preferences

Billing Series

ScopeAccess
series:readList billing series
series:writeCreate, update, delete series. Set default series

Taxes

ScopeAccess
taxes:readRead tax configuration, list available tax types

NIF Validation

ScopeAccess
nif:validateValidate Spanish NIFs against AEAT

Business Profiles

ScopeAccess
business_profiles:readList companies, get company details, download/check representation status, list company API keys
business_profiles:writeCreate, update, delete companies. Generate/submit/cancel representations. Create/revoke company API keys

Scope Behavior

  • API Keys: Scopes are assigned when creating the key. Cannot be changed after creation.
  • OAuth2 tokens: Scopes are requested during authorization. The user consents to the requested scopes.
  • Session cookies: Full access, scopes are not enforced (dashboard users).

How Scopes Are Enforced

Each API endpoint requires one or more scopes. The required scope is documented in the API Reference for each operation.

If your token is missing a required scope:

{
  "success": false,
  "error": {
    "code": "FORBIDDEN",
    "message": "No tienes permiso para realizar esta accion"
  }
}

Requesting Scopes

API Keys

Select scopes when creating the key in Settings > API Keys.

OAuth2

Include the scope parameter in the authorization URL:

scope=invoices:read customers:read products:read

Request only what your application needs. Users see the requested scopes during consent.