How to get User Scopes

Hello :slight_smile:

right now I’m following the create your own App guide(Creating Your Own App | Speckle Docs) and I need to somehow access the scopes of the currently logged in user. I think that my Graphqlquery is correct but I’m missing the requiered rights to acess a users ApiTokens in my app.
This is the query that I am trying to execute

  user(id: "some-id") {
    apiTokens {

I get all the data needed in my GetUser function but apiTokens is always “null”.
And this is how I fetch data (basically the code from the guide)

 export async function speckleFetch(query: string) {
  let token = localStorage.getItem(TOKEN)
  if (token)
    try {
      var res = await fetch(`${SERVER_URL}/graphql`, {
        method: "POST",
        headers: {
          Authorization: "Bearer " + token,
          "Content-Type": "application/json"
        body: JSON.stringify({
          query: query
      return await res.json()
    } catch (err) {
      console.error("API call failed", err)
  else return Promise.reject("You are not logged in (token does not exist)")

Question is: How can I access the scopes of my users? (My user has a personal access token with all scopes activated)

1 Like

Hi @mgerhardt! Welcome to the community!

It’s nice to see somebody is reading the guide I wrote! :smiley:

Not sure if I understand correctly the question but I hope this helps. In order to “talk” to a speckle server you have 2 different strategies:

  • Using an ApiToken, which identifies anything your app does as done by your account.
  • Using an App which allows for users to log-in so any action will be taken on their behalf

Both of them will have specific scopes assigned on creation by you and those do not change. In the case of the app, all user’s authenticated through the app will have the same scopes inherited from the App, regardless of their role.

The query that you showed will fetch a user’s created tokens. Not the DB expert but I’m fairly certain nobody else can see your tokens but yourself (as they are used to authenticate as you in the app). And my guess is it comes back empty because you haven’t created one yet (not necessary for the app guide).

I’m fairly certain there is no way to get the scopes of a given app through our api unless you’re the one that created it. You can access them under createdApps. You can also check what apps a random user has accepted using authorizedApps; though in this case, you don’t have access to the scopes

Screenshot 2021-07-08 at 14.41.56

Could you give us a bit more detail about why do you need to know dynamically these scopes? The idea is for scopes to never change, as each user has to manually give consent to operate on their behalf, changing the scopes after the user allowed would not be good :sweat_smile: So whatever scopes you initially set, you can count on them being immutable.

By the way, if you want to inspect the API with less hastle, you can always head over to Speckle GraphQL API which already takes care of the authentication process for you and allows you to explore the API faster (it even has autocomplete)

Let me know if this helped (or not…)


Thank you for the quick answer. :slight_smile:
I am aware that the permissions are immutable but I still want to read the Personal Access Tokens and send the permissions to our server.
The query results differ wether im setting the query up through the GraphQL playground and my App.
These are the results in the playground:

and here are the results for the same query called by my App:
As you can see, ApiTokens is set to “null”.
Maybe I just missunderstood the use of the Personal Access Tokens…

Anyway. our team came to the conclusion that for our App we don’t really need the Personal Access Tokens at the moment and that we only care about the stream permissions for now which are accessible to me through a query.

I’m sorry if I what I’m saying is a little bit confusion. I’m still trying to get into SpeckleV2 and understand it better.

Another thing that I would like to mention is, that it would be really nice to have more permission options. CRUD operations for Globals and Branches for example. :slight_smile:

1 Like

Hey @mgerhardt, yes they differ - and you’re right to bring this up. We (I) should document this… It’s for security purposes!

In the server, some scopes are private for security reasons. This includes the ones around api tokens:

If a scope is flagged as not public this means that only “first-party” applications will be able to access those endpoints; this is in order to reduce the security footprint and limit risk.

If your app really needs those scopes, there is a pathway to do so by pre-registering it on the server (but you said it doesn’t, so I won’t detail more now - check how the frontend app or the explorer is embedded in the backend!).