When a KEEP API client presents its JWT, the claim set includes a scopes element. This element declares which resources the API client intends to use.
Scopes are a space-separated list of values. By default, a user who authenticates with Domino to obtain a JWT has three scope values in the claim:
- MAIL: Access to the user’s mailbox and calendar.
- $DATA: Access to any application the user has access to.
- $DECRYPT: Access to decrypt encrypted items if the database has decryption enabled. (Requires proper setup.)
A scope does not open access to a resource; that is the job of the database ACL. A scope only limits access.
Besides the default scopes MAIL, $DATA and $DECRYPT, any database alias can be used as a scope term. This lets an IdP request tailored permissions for a user in an OIDC flow, limiting the token to exactly the access required instead of granting the user's full spectrum of access.
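The two-layer model described above (the scope claim narrows what a token may touch, the database ACL decides what the user actually gets) is easy to get wrong in either direction. The following is an added example, not code from HCL or from the Domino REST API project. It assumes the claim is named `scope`, that the mailbox is addressed by the alias `MAIL`, that `$DATA` covers every non-mail application, and that the ACL can be modelled as a plain dictionary of alias to user to access level; the token, aliases and user names are constructed for the illustration.

```python
"""Scope-then-ACL authorization modelled on the KEEP scope claim.

Added example (not HCL code). Assumptions: the claim is named "scope", the
mailbox alias is "MAIL", "$DATA" covers all non-mail applications, and the
ACL is a dict {alias: {user: level}}. All sample data is constructed.
"""
import base64
import json

MAIL = "MAIL"          # mailbox and calendar
ANY_DATA = "$DATA"     # any application the user can reach
DECRYPT = "$DECRYPT"   # permission to decrypt encrypted items
DEFAULT_SCOPES = f"{MAIL} {ANY_DATA} {DECRYPT}"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def constructed_token(payload: dict) -> str:
    """Build a compact JWS-shaped string for the demo. The signature segment
    is a placeholder: this example reads claims only."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.placeholder-signature"


def decode_payload(token: str) -> dict:
    """Return the JSON claim set of a compact JWT.

    Signature verification is assumed to have happened upstream (the KEEP
    server's JWT library); this helper only parses the payload segment."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def parse_scopes(payload: dict) -> set[str]:
    """The scope claim is one space-separated string, as the page states."""
    raw = payload.get("scope", "")
    if not isinstance(raw, str):
        raise ValueError("scope claim must be a space-separated string")
    return set(raw.split())


def scope_permits(scopes: set[str], alias: str, decrypt: bool = False) -> bool:
    """Scope narrows: it answers 'may this token touch this alias at all?'"""
    if decrypt and DECRYPT not in scopes:
        return False
    if alias == MAIL:                      # assumption: mail needs MAIL
        return MAIL in scopes
    return ANY_DATA in scopes or alias in scopes


def authorize(token: str, acl: dict, alias: str, decrypt: bool = False) -> str:
    """Layer 1: token scope (limit). Layer 2: database ACL (grant)."""
    payload = decode_payload(token)
    if not scope_permits(parse_scopes(payload), alias, decrypt):
        return "denied: outside token scope"
    level = acl.get(alias, {}).get(payload.get("sub"), "No Access")
    if level == "No Access":
        return "denied: ACL"
    return f"allowed: {level}"


# Constructed ACL: the user is Editor on "customers", absent from "hr".
ACL = {
    "customers": {"CN=Jane Doe/O=Example": "Editor"},
    "hr": {"CN=HR Admin/O=Example": "Manager"},
    MAIL: {"CN=Jane Doe/O=Example": "Manager"},
}
FULL = constructed_token({"sub": "CN=Jane Doe/O=Example", "scope": DEFAULT_SCOPES})
TAILORED = constructed_token({"sub": "CN=Jane Doe/O=Example", "scope": "customers"})


def demo() -> dict:
    """Show that scope limits and the ACL grants, independently."""
    return {
        "full_customers": authorize(FULL, ACL, "customers"),      # allowed: Editor
        "full_hr": authorize(FULL, ACL, "hr"),                    # denied: ACL
        "tailored_customers": authorize(TAILORED, ACL, "customers"),  # allowed: Editor
        "tailored_hr": authorize(TAILORED, ACL, "hr"),            # denied: outside token scope
        "tailored_mail": authorize(TAILORED, ACL, MAIL),          # denied: outside token scope
        "tailored_decrypt": authorize(TAILORED, ACL, "customers", decrypt=True),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} {outcome}")
```

The `tailored_hr` and `full_hr` cases are the ones worth comparing: a wide-open `$DATA` scope still cannot reach a database the ACL excludes, and a narrow alias-only scope cannot reach a database the ACL would otherwise grant. Checking scope before the ACL also keeps the ACL lookup from leaking which databases exist to a token that was never scoped for them.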