Skip to content

Commit 47e95f8

Browse files
committed
docs: clarify token privilege scoping
Signed-off-by: Aamod007 <aamodkumar2006@gmail.com>
1 parent 877d850 commit 47e95f8

1 file changed

Lines changed: 6 additions & 0 deletions

File tree

  • content/en/cloud/concepts/identity-and-security

content/en/cloud/concepts/identity-and-security/tokens.md

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,6 +22,12 @@ Access tokens are opaque tokens that conform to the OAuth 2.0 framework. They co
2222
Layer5 Cloud API tokens are scoped to your user account, not to a specific organization. This means a single API token provides access to all organizations you are a member of, similar to how [GitHub Personal Access Tokens](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) work. For users who belong to multiple organizations, see [Specifying Organization Context]({{< ref "cloud/reference/api-reference/_index.md#specifying-organization-context" >}}) in the REST API documentation to learn how to control which organization your API requests operate on.
2323
{{< /alert >}}
2424

25+
## Privilege Scoping
26+
27+
API tokens in Layer5 are **identity-scoped**. This means they inherently carry the exact same privileges, roles, and permissions as your user account.
28+
29+
Layer5 does not currently support fine-grained, token-specific privilege scopes (for example, generating a strictly "read-only" token if you have "read-write" permissions). The token grants the bearer the same level of access you have across all environments and organizations you are a member of.
30+
2531
## Creating tokens
2632

2733
You can create a token for your user account at any time. Tokens never expire, but can be revoked. You can also give the token a descriptive label. This label will be shown in the list of tokens on your user account's security tokens page.

0 commit comments

Comments
 (0)