# Permissions

Permissions in the Investment API are modelled as [OAuth 2.0 scopes](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). We consider related endpoints in the Investment API to be a `{topic}`, and each individual scope grants you permission to perform a set of `{action}`s in that topic. The available [`{topic}s`](#topics) and [`{action}s`](#actions) are described below.

Scopes are specified as string IDs in the format `{topic}:{action}`.

If you need particular scopes to access a group of functionality in the Investment API, you *must* specify them when requesting the [OAuth 2.0 access token](/products/tol/concepts/api_concepts/authentication/authentication_oauth). It is strongly recommended to limit the number of permissions per access token to the absolute minimum necessary.

## Topics

The following `{topic}`s are available:

- `accounts`: [Accounts and account groups](/products/tol/guides/accounts/accounts_overview).
- `checks`: [User checks](/products/tol/guides/users/users_onboarding_checks) like KYC, POR, INSTRUMENT_FIT, and COMPLIANCE.
- `fees`: [Fee collections](/products/tol/guides/fees/fees_overview).
- `instruments`: [Instruments](/products/tol/guides/instruments).
- `mandates`: [Mandates](/products/tol/guides/payments/mandate_setup/mandate_setup_intro).
- `orders`: [Orders](/products/tol/guides/orders).
- `payments`: [Pay-ins](/products/tol/guides/payments/direct_debit/direct_debit_intro) and [withdrawal operations](/products/tol/guides/payments/cash_balances/cash_withdrawal).
- `payments`: [Withdrawal operations](/products/tol/guides/payments/cash_balances/cash_withdrawal).
- `portfolios`: [Portfolios](/products/tol/guides/portfolios).
- `positions`: [Positions](/products/tol/guides/positions).
- `reference_accounts`: [Reference accounts](/products/tol/guides/payments/reference_accounts/reference_accounts_intro).
- `reinvestments`: [Re-investments](/products/tol/guides/reinvestments).
- `reports`: [Reports](/products/tol/guides/reports/index_reports).
- `taxes`: [Tax residencies](/products/tol/guides/users/users_tax_onboarding).
- `users`: (End) [users](/products/tol/guides/users).
- `valuations`: [Account valuations](/products/tol/guides/positions/valuations).
- `webhooks`: [Webhooks](/products/tol/concepts/api_concepts/webhooks).

## Actions

There are two `{action}`s available:

- `admin`: Allows **read-and-write** access to the resources covered by the `{topic}`. In most (but not all!) cases, writing includes *create*, *update* and *delete* operations.
- `read`: Allows **read-only** access to the resources covered by the `{topic}`.
- Only `{topic}` × `{action}` combinations that cover actual API endpoints or operations are available.
- `{topic}:admin` only includes *update* and/or *delete* if corresponding API endpoints and operations are available.

A [full list of available OAuth 2.0 scopes](/products/tol/concepts/api_concepts/authentication/authentication_oauth#authentication-scopes) is available for you to inspect.
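
The recommendation to keep each token's scopes to the minimum can be checked mechanically. The following is an added example, not code from the Investment API or its SDKs: it builds the space-delimited scope value defined by RFC 6749 section 3.3 and audits a granted scope string against what an integration needs. The function names and sample values are hypothetical, and the check only covers the `{topic}:{action}` format and the topic names listed on this page, not whether a given combination exists in the full scope list.

```python
# Added example: least-privilege audit for '{topic}:{action}' scope strings.
TOPICS = {
    "accounts", "checks", "fees", "instruments", "mandates", "orders",
    "payments", "portfolios", "positions", "reference_accounts",
    "reinvestments", "reports", "taxes", "users", "valuations", "webhooks",
}
ACTIONS = {"read", "admin"}  # admin is read-and-write, so it also covers read

def parse_scope(scope):
    """Split '{topic}:{action}'; raise ValueError if it does not fit the format."""
    topic, sep, action = scope.partition(":")
    if not sep or topic not in TOPICS or action not in ACTIONS:
        raise ValueError(f"not a valid topic:action scope: {scope!r}")
    return topic, action

def minimal_scope_param(needed):
    """needed: {topic: 'read' | 'admin'} -> space-delimited scope request value."""
    scopes = sorted(f"{t}:{a}" for t, a in needed.items())
    for s in scopes:
        parse_scope(s)  # fail early on typos instead of requesting a bad scope
    return " ".join(scopes)

def audit(granted, needed):
    """Compare a token's granted scope string with what the integration needs."""
    findings = {"invalid": [], "unused": [], "overprivileged": [], "missing": []}
    have = {}
    for scope in granted.split():
        try:
            topic, action = parse_scope(scope)
        except ValueError:
            findings["invalid"].append(scope)
            continue
        if have.get(topic) != "admin":  # keep the strongest action per topic
            have[topic] = action
    for topic, action in sorted(have.items()):
        if topic not in needed:
            findings["unused"].append(f"{topic}:{action}")
        elif action == "admin" and needed[topic] == "read":
            findings["overprivileged"].append(f"{topic}:admin")
    for topic, action in sorted(needed.items()):
        if topic not in have or (action == "admin" and have[topic] == "read"):
            findings["missing"].append(f"{topic}:{action}")
    return findings

# Constructed sample: an order-placing integration that only reads positions
# and valuations (assumes these combinations exist in the full scope list).
NEEDED = {"orders": "admin", "positions": "read", "valuations": "read"}
GRANTED = "orders:admin positions:admin users:admin valuations:read order:read"
```

Running `audit(GRANTED, NEEDED)` on the constructed sample flags `users:admin` as unused, `positions:admin` as broader than required, and `order:read` as malformed.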