Skip to content

Capabilities

Mytokens can be used for performing different actions at the mytoken server. Capabilities are used to define which actions can be done with a Mytoken. Capabilities can have sub-capabilities and might allow only read access or full access:

  • A capability with the read@ prefix only allows read access, but no modifications, while capabilities without this prefix allow full access including modifications.
  • Capabilities can have sub-capabilities and form a "path". A parent capability includes all its children, e.g. tokeninfo includes tokeninfo:introspect and all other tokeninfo:* capabilities.
    • The colon : is used as a path separator in path-ed capabilities.

The following capabilities are defined:

Capability Description Comment
AT Allows obtaining Access Tokens at the access token endpoint.
tokeninfo Allows to query the tokeninfo endpoint to obtain information about this token. Includes all tokeninfo:* capabilities, namely tokeninfo:introspect, tokeninfo:subtokens, tokeninfo:history, tokeninfo:notify, tokeninfo:tags.
tokeninfo:introspect Allows to query the tokeninfo endpoint to obtain basic information about this token: Allows to check if the token is valid, the content of the token and its usages.
tokeninfo:history Allows to query the tokeninfo endpoint to obtain information about this token: Allows to get the event history for this token.
tokeninfo:subtokens Allows to query the tokeninfo endpoint to obtain information about this token: Allows to get the tree of sub-tokens.
tokeninfo:notify Allows to manage notifications for this mytoken.
tokeninfo:tags Allows to manage tags for this mytoken.
manage_mytokens Allows to perform all actions for managing other mytokens. This capability does not allow to list the actual mytokens. Includes all manage_mytokens:* capabilities.
manage_mytokens:list Allows to list metadata for all Mytokens, this includes the mom id needed for other actions. This capability does not allow to list the actual mytokens.
manage_mytokens:revoke Allows to revoke any token by its mom id. See token revocation for more details.
manage_mytokens:history Allows to obtain event history for any token by its mom id. See event history for more details.
manage_mytokens:notify Allows to manage notifications for any mytoken.
manage_mytokens:tags Allows to manage tags for any mytoken.
create_mytoken Allows to create a new Mytoken. Mytoken servers MUST NOT allow privilege escalation. I.e. the restrictions of the new token MUST be at least as tight as the restrictions of the original token. Also the new token MUST only have capabilities that are allowed for subtokens of the original token.
settings Allows to adapt the users settings This capability includes all settings:* capabilities and it is powerful, since it allows control over allowed grant types.
settings:grants Allows to adapt the users grants This capability includes all settings:grants:* capabilities and it is powerful, since it allows control over allowed grant types.
settings:grants:ssh Allows to adapt the ssh user grant
settings:email Allows to read and write the user's email settings.
settings:tags Allows to read and write the user's tags. Tags can be used to organize and group mytokens, notifications, and calendars.

Furthermore, all settings and some manage_mytokens capabilities can be used with the read@ prefix:

Capability Description Comment
read@settings Allows to read the users settings This capability includes all read@settings:* capabilities.
read@settings:grants Allows to read the users grants This capability includes all read@settings:grants:* capabilities. It allows to list the enabled / disabled user grants.
read@settings:grants:ssh Allows to read the ssh user grant This capability allows to list a user's ssh keys.
read@settings:email Allows to read the user's email settings
read@settings:tags Allows to read the user's tags
read@manage_mytokens:notify Allows to read notifications for any mytoken.
Last update: March 30, 2026 14:00:08
Back to top