Token scopes
Catalog of all valid token scopes for least-privilege access control.
Every token carries a set of scopes that control which API operations it can call. Scopes are additive — a token with prequalify and quote can call those two surfaces and nothing else.
Scope catalog
| Scope | Grants access to |
|---|---|
| prequalify | Run applicant prequalifications. |
| quote | Run carrier quotes. |
| datasets | Read carrier dataset files and underwriting reference tables. |
| cases | Create shareable case URLs. |
| usage | Read usage summaries, invoices, and analytics. |
| webhooks | Webhook endpoint management is currently dashboard-only — see webhooks. API-based subscription management is on the GA roadmap. |
Default behavior
All scopes are enabled on every token provisioned through the standard checkout or partner onboarding flow. You do not need to configure scopes explicitly unless you want to restrict a token to a subset of operations.
Creating a least-privilege token
For production services that only need one capability — for example, a prequalification-only integration — create a scoped token from the Dashboard:
- Open dashboard.isaapi.com → API Keys.
- Click Generate new token.
- Deselect all scopes, then select only the scopes your service needs.
- Click Save. The new token value is shown once — store it in a secrets manager.
Using a scoped token limits blast radius if the token is leaked: an attacker with a prequalify-only token cannot access billing, usage data, or webhook configuration.
Scope errors
If a token lacks the required scope for an operation, the API returns:
```json
{
  "code": "permission_denied",
  "status": 403,
  "detail": "This token does not have the 'quote' scope.",
  "advice_code": "generate_scoped_token"
}
```

See permission_denied for remediation steps.
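A scope denial is also a useful detection signal for the blast-radius point made earlier: a service that holds a prequalify-only token should never attempt a quote call. The following is an added example, not code from the API provider; `classify_scope_error` and its verdict names are hypothetical, and it assumes the missing scope is only exposed inside the `detail` text in the form shown in the sample error.

```python
import json
import re

# Scope names from the catalog on this page.
KNOWN_SCOPES = {"prequalify", "quote", "datasets", "cases", "usage", "webhooks"}
# Assumption: the scope name only appears inside the free-text "detail"
# field, quoted as in the sample error on this page.
_SCOPE_IN_DETAIL = re.compile(r"'([a-z_]+)' scope")


def classify_scope_error(status, body, declared_scopes):
    """Hypothetical helper: classify an error response for one service.

    declared_scopes is the set this service is meant to use. Returns
    (verdict, scope), where verdict is one of:
      "not_scope_error"   - anything other than a 403 permission_denied
      "unparsed"          - scope denial, but no catalog scope found in detail
      "under_provisioned" - the service needs this scope; the token lacks it
      "out_of_profile"    - the call is outside what this service should do
    """
    unknown = set(declared_scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"declared scopes not in catalog: {sorted(unknown)}")
    try:
        err = json.loads(body)
    except (TypeError, ValueError):
        return ("not_scope_error", None)
    is_denied = isinstance(err, dict) and err.get("code") == "permission_denied"
    if status != 403 or not is_denied:
        return ("not_scope_error", None)
    match = _SCOPE_IN_DETAIL.search(str(err.get("detail", "")))
    if not match or match.group(1) not in KNOWN_SCOPES:
        return ("unparsed", None)
    scope = match.group(1)
    if scope in declared_scopes:
        return ("under_provisioned", scope)  # regenerate the token with this scope
    return ("out_of_profile", scope)  # alert: code drift or token misuse


# Constructed sample: the error body shown on this page.
SAMPLE_BODY = json.dumps({
    "code": "permission_denied",
    "status": 403,
    "detail": "This token does not have the 'quote' scope.",
    "advice_code": "generate_scoped_token",
})

if __name__ == "__main__":
    print(classify_scope_error(403, SAMPLE_BODY, {"prequalify"}))
    print(classify_scope_error(403, SAMPLE_BODY, {"prequalify", "quote"}))
```

Neither scope-denial verdict should be retried: `under_provisioned` is a provisioning fix, while `out_of_profile` is worth routing to monitoring rather than only logging.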