## User roles and permissions

Most Brex APIs require a Brex admin to grant access. In these cases, only users with the account admin role can be authenticated. Additionally:

- **Bookkeepers** may access the **accounting API**.
- Partners using the **onboarding API** authenticate with a [Client Credentials Grant](https://oauth.net/2/grant-types/client-credentials/): there is no user associated with this API access.

## Scopes

Scopes define which endpoints your app has access to. You specify your scopes when [generating your user token](/guides/authentication/#1-generate-a-user-token). For more information on how scopes work in general, see the [OAuth website](https://oauth.net/2/scope).

## Scopes are additive

As a general security practice, request the minimum set of scopes required for whatever action the user is performing. For instance, if you are building a simple app that lists all of a company's cards, request only the `cards.readonly` scope. Since you are not modifying any data, you only need the `readonly` version of the `cards` scope.

If you later add functionality that requires fetching user information or updating cards, request those scopes (`users`, `cards`). This sends the user through the authentication flow again and adds the new scopes to the scopes they previously consented to.

## User scopes

At the beginning of each API reference, there is a list of the scopes required for that API. They are also listed here for convenience.

### Authentication

These 2 scopes are included automatically in user tokens.
| Scope | Description |
| --- | --- |
| `openid` | Make an OpenID Connect request |
| `offline_access` | Obtain an OAuth 2.0 refresh token |

### Accounting API

| Scope | Description |
| --- | --- |
| `accounting.integration.read` | View accounting integration |
| `accounting.integration.write` | View and manage accounting integration |
| `accounting.record.read` | View accounting records |
| `accounting.record.write` | View and manage accounting records |

### Budgets API

| Scope | Description |
| --- | --- |
| `budgets.readonly` | View budget data |
| `budgets` | View and manage budget data |

### Expenses API

| Scope | Description |
| --- | --- |
| `expenses.card.readonly` | View card expense data |
| `expenses.card` | View and manage card expense data |

### Fields API

| Scope | Description |
| --- | --- |
| `fields.read` | View custom field definitions |
| `fields.write` | View and manage custom field definitions |
| `field_values.read` | View custom field values |
| `field_values.write` | View and manage custom field values |

### Onboarding API

| Scope | Description |
| --- | --- |
| `https://onboarding.brexapis.com/referrals` | View and manage referrals |

### Payments API

| Scope | Description |
| --- | --- |
| `incoming_transfers` | View and manage incoming transfers |
| `linked_accounts.readonly` | View linked accounts |
| `transfers.readonly` | View existing transfers |
| `transfers` | View and manage transfers |
| `vendors.readonly` | View vendor data |
| `vendors` | View and manage vendor data |

### Team API

| Scope | Description |
| --- | --- |
| `cards.readonly` | View card data |
| `cards` | View and manage card data |
| `cards.pan` | View card number data |
| `companies.readonly` | View company data |
| `departments.readonly` | View department data |
| `departments` | View and manage department data |
| `legal_entities.readonly` | View legal entity data |
| `legal_entities` | View and manage legal entity data |
| `locations.readonly` | View location data |
| `locations` | View and manage location data |
| `titles.readonly` | View title data |
| `titles` | View and manage title data |
| `users.readonly` | View user data |
| `users` | View and manage user data |

### Transactions API

| Scope | Description |
| --- | --- |
| `accounts.card.readonly` | View card accounts |
| `accounts.cash.readonly` | View cash accounts |
| `statements.card.readonly` | View card statement data |
| `statements.cash.readonly` | View cash statement data |
| `transactions.card.readonly` | View card transaction data |
| `transactions.cash.readonly` | View cash transaction data |

### Travel API

| Scope | Description |
| --- | --- |
| `travel.trips.readonly` | View trip data |
| `travel.trips` | View and manage trip data |
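The least-privilege and incremental-consent advice under "Scopes are additive", worked through against the scope tables above. This is an added example, not Brex's own code: the scope catalogue is copied from the tables on this page, the authorization endpoint, `client_id` and redirect URI are placeholders (assumptions), and the `covers` rule (a "View and manage" scope satisfies its "View" counterpart) is an inference from the table wording that you should confirm against the API reference before relying on it. Note that it picks `users.readonly` rather than `users` for read-only user lookups, following the least-privilege rule literally.

```python
"""Least-privilege scope planning for a Brex OAuth app (added example, not Brex code)."""
from __future__ import annotations

import secrets
from urllib.parse import urlencode

# Scope catalogue copied from the tables on this page. The two automatic
# scopes (openid, offline_access) are added by Brex and are not requested here.
DOCUMENTED_SCOPES: frozenset[str] = frozenset({
    "accounting.integration.read", "accounting.integration.write",
    "accounting.record.read", "accounting.record.write",
    "budgets.readonly", "budgets",
    "expenses.card.readonly", "expenses.card",
    "fields.read", "fields.write", "field_values.read", "field_values.write",
    "https://onboarding.brexapis.com/referrals",
    "incoming_transfers", "linked_accounts.readonly",
    "transfers.readonly", "transfers", "vendors.readonly", "vendors",
    "cards.readonly", "cards", "cards.pan", "companies.readonly",
    "departments.readonly", "departments",
    "legal_entities.readonly", "legal_entities",
    "locations.readonly", "locations", "titles.readonly", "titles",
    "users.readonly", "users",
    "accounts.card.readonly", "accounts.cash.readonly",
    "statements.card.readonly", "statements.cash.readonly",
    "transactions.card.readonly", "transactions.cash.readonly",
    "travel.trips.readonly", "travel.trips",
})

# Placeholders (assumptions): the real authorization URL and your client_id
# come from the authentication guide, not from this example.
AUTHORIZE_URL = "https://example.invalid/oauth2/authorize"
CLIENT_ID = "your-client-id"


def least_privilege_scope(resource: str, write: bool) -> str:
    """Pick the narrowest documented scope for a resource.

    Three naming styles appear in the tables: '<r>.readonly' / '<r>'
    (Team, Budgets, Payments, Travel), '<r>.read' / '<r>.write'
    (Accounting, Fields), and single scopes with no read-only variant
    (cards.pan, incoming_transfers, the onboarding URL scope).
    Raises KeyError when no documented scope grants the requested access,
    e.g. any write to the read-only Transactions API.
    """
    if write:
        candidates = (resource, f"{resource}.write")
    else:
        candidates = (f"{resource}.readonly", f"{resource}.read", resource)
    for scope in candidates:
        if scope in DOCUMENTED_SCOPES:
            return scope
    kind = "write" if write else "read"
    raise KeyError(f"no documented {kind} scope for {resource!r}")


def covers(granted: str, needed: str) -> bool:
    """Does an already-consented scope satisfy a needed one?

    Assumption inferred from the table wording: a "View and manage" scope
    ('cards', 'fields.write') includes its "View" counterpart
    ('cards.readonly', 'fields.read'). Confirm against the API reference.
    """
    if granted == needed:
        return True
    if needed.endswith(".readonly"):
        return granted == needed[: -len(".readonly")]
    if needed.endswith(".read"):
        return granted == needed[: -len(".read")] + ".write"
    return False


def scopes_to_request(consented: set[str], required: set[str]) -> set[str]:
    """Scopes that must be newly requested; an empty result means no re-consent.

    Anything outside the documented catalogue is rejected so that a typo
    cannot silently drop a permission or surface only as a consent error.
    """
    unknown = (consented | required) - DOCUMENTED_SCOPES
    if unknown:
        raise ValueError(f"undocumented scope(s): {sorted(unknown)}")
    return {s for s in required if not any(covers(g, s) for g in consented)}


def authorization_url(scopes: set[str], redirect_uri: str, state: str | None = None) -> str:
    """Build the authorization request.

    OAuth 2.0 (RFC 6749 section 3.3) sends 'scope' as a space-separated list;
    'state' is the standard CSRF binding and must be verified on return.
    """
    state = state or secrets.token_urlsafe(16)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


if __name__ == "__main__":
    # v1 of the card-listing app: read-only access only.
    v1 = {least_privilege_scope("cards", write=False)}
    print(authorization_url(v1, "https://app.example/callback"))

    # v2 adds user lookups and card updates. Only the delta is newly requested,
    # and the user is sent through consent again for those scopes.
    v2_needs = {least_privilege_scope("users", write=False),
                least_privilege_scope("cards", write=True)}
    print("re-consent needed for:", sorted(scopes_to_request(v1, v2_needs)))
```

`urlencode` encodes the space between scopes as `+`, which is the standard form encoding for a query string; the `state` value returned in the callback must match the one you generated before you exchange the code.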