taler-docs

Documentation for GNU Taler components, APIs and protocols

commit 858393baf466f4050b46d59e9d3b8888fd3ebade
parent 007d9041fccf2bbdb436b4b986c65ea4f9fb3729
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date:   Tue, 17 Jun 2025 16:06:42 +0200

v42 scope handling in merchant

Diffstat:
M core/api-merchant.rst | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/core/api-merchant.rst b/core/api-merchant.rst @@ -118,6 +118,23 @@ authentication. A login token is valid only for a limited period of time and can be used by clients to avoid storing the long-term login secrets from an authentication method. +Scopes +^^^^^^ + +Access tokens can be requested with a (limiting) scope. Available scopes are: + +* ``readonly``: Access to APIs using ``GET`` requests is always allowed. +* ``write`` (*deprecated*): See ``all``. +* ``all``: General access to all APIs and endpoints. +* ``order-simple`` (**v42**): Allows the creation of orders and checking of payment status. +* ``order-pos`` (**v42**): Same as ``order-simple`` and allows inventory locking. +* ``order-mgmt`` (**v42**): Same as ``order-simple`` and also allows refunding. +* ``order-full`` (**v42**): Same ``order-pos`` and ``order-mgmt`` combined. + +Since **v42** the scope may be suffixed with ``:refreshable``, e.g. ``order-pos:refreshable``. +This allows the token to be refresh at the token endpoint. +This behaviour replaces the deprecated ``refreshable`` field in the `LoginTokenRequest`. + ----------------- Configuration API ----------------- @@ -1192,7 +1209,7 @@ Setting up instances duration?: RelativeTime; // Can this token be refreshed? - // Defaults to false. + // Defaults to false. DEPRECATED since v42 refreshable?: boolean; }
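Review bot: In the first hunk (new "Scopes" section), the paragraph introducing the ``:refreshable`` suffix does not say what happens when a request carries both the suffix and the deprecated ``refreshable`` field, or when the two disagree (for example scope ``order-pos`` without the suffix and ``refreshable: true``). Since this decides whether a limited-scope token can be renewed, state the precedence explicitly. The ``readonly`` entry is also ambiguous: "Access to APIs using ``GET`` requests is always allowed" can be read either as what the ``readonly`` scope grants or as saying that ``GET`` is permitted under every scope, including the ``order-*`` ones; say which is meant. Wording: "Same ``order-pos`` and ``order-mgmt`` combined" is missing "as", "to be refresh" should be "to be refreshed", and `LoginTokenRequest` uses single backticks where the rest of the section uses double backticks.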
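Review bot: In the second hunk (``LoginTokenRequest``), the comment "Defaults to false. DEPRECATED since v42" on ``refreshable?: boolean`` does not tell the reader what to use instead or whether the field is still honoured. Point it at the replacement described in the Scopes section, e.g. "Deprecated since **v42**; use the ``:refreshable`` scope suffix instead.", and note whether a server at v42 or later still evaluates the field. The marker style also differs from the first hunk, which writes (*deprecated*) and (**v42**); use one form in both places.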