Permissions of the Investment API are modelled as OAuth 2.0 scopes. You have to request them together with the OAuth 2.0 access token. Permissions are identified by string IDs, generally in the format {topic}:{action}.

See the full list of available permissions.

It is strongly recommended to limit the number of permissions per access token to the absolute minimum necessary.

How permissions work


There are two {action}s available:

  • admin: Allows read-and-write access to the resources covered by the {topic}. In most (but not all!) cases, writing includes create, update and delete operations.

  • read: Allows read-only access to the resources covered by the {topic}.

Note:

  • Only those {topic} × {action} combinations that cover actual API endpoints or operations are available.
  • {topic}:admin includes update and/or delete only if corresponding API endpoints and operations are available.


The following {topic}s are available:

  • accounts: Accounts and account groups
  • webhooks: Webhooks
  • orders: Orders
  • users: (End) users
  • checks: User checks like KYC, POR, INSTRUMENT_FIT, and COMPLIANCE
  • instruments: Instruments
  • positions: Positions
  • reference_accounts: Reference accounts
  • mandates: Mandates
  • payments: Payins and withdrawal operations
  • reports: Reports
  • taxes: Tax residencies
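
The least-privilege recommendation above can be enforced before a token is requested. The following is an added example, not code from the Investment API or its SDK: it derives the smallest set of permissions from what an integration actually does and flags anything in a requested scope string that goes beyond it. The function names are hypothetical, the scope string is assumed to be space-delimited as in standard OAuth 2.0, and the check covers only the {topic}:{action} format and the names listed on this page, not whether a given combination exists in the full list.

```python
# Topics and actions as listed on this page.
TOPICS = {"accounts", "webhooks", "orders", "users", "checks", "instruments",
          "positions", "reference_accounts", "mandates", "payments",
          "reports", "taxes"}
ACTIONS = {"read", "admin"}


def parse_scope(scope):
    """Split a permission ID into (topic, action), rejecting unknown names."""
    topic, sep, action = scope.partition(":")
    if not sep or topic not in TOPICS or action not in ACTIONS:
        raise ValueError(f"not a valid {{topic}}:{{action}} permission: {scope!r}")
    return topic, action


def minimal_scopes(needs):
    """needs: iterable of (topic, writes) pairs, one per operation performed.

    Returns {topic}:read unless at least one operation on that topic writes,
    in which case {topic}:admin is required (admin already includes read).
    """
    writes_by_topic = {}
    for topic, writes in needs:
        if topic not in TOPICS:
            raise ValueError(f"unknown topic: {topic!r}")
        writes_by_topic[topic] = writes_by_topic.get(topic, False) or writes
    return sorted(f"{t}:{'admin' if w else 'read'}"
                  for t, w in writes_by_topic.items())


def excess_scopes(requested, needed):
    """Return the permissions in a space-delimited scope string that exceed `needed`."""
    needed_action = dict(parse_scope(s) for s in needed)
    excess = []
    for scope in requested.split():
        topic, action = parse_scope(scope)
        wanted = needed_action.get(topic)
        # Excess: topic not needed at all, or admin requested where read suffices.
        if wanted is None or (action == "admin" and wanted == "read"):
            excess.append(scope)
    return excess


if __name__ == "__main__":
    # Constructed sample: a dashboard that lists orders and positions only.
    needed = minimal_scopes([("orders", False), ("positions", False)])
    print("request:", " ".join(needed))
    print("excess: ", excess_scopes("orders:admin positions:read users:read", needed))
```

Running such a check in CI against the scope string in the client configuration catches permission creep when an integration's scope list is edited.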
