API Scopes
HCSS controls access to its APIs via scopes. In general, each API will expose at least one read-only scope and one read-and-write scope. When you request tokens, you specify the scope as part of the request. When you get API credentials from HCSS, we will configure which scopes you may request. It is recommended to request only the minimum scopes needed for your application ("principle of least privilege").
For example, the HeavyJob API uses the heavyjob:read and heavyjob:write scopes. The heavyjob:read scope enables you to view jobs, employees, time cards, and more. The heavyjob:write scope allows you to perform operations that change data, like creating new materials or recording quantities on a time card.
If you attempt to make an API call lacking the required scopes, you will receive the HTTP 403 Forbidden response. For example, if you have a read-only token and attempt to change data, that operation will fail with a Forbidden response.