Access to the API can be defined precisely using OAuth scopes.
Additionally, the bexio API checks the user's rights. Therefore the user can only access resources he also has access to in the frontend.
Please request only the scopes you need for your application. You are allowed to request multiple scopes per request; multiple scopes have to be separated by a whitespace.
If you want to edit contacts and list invoices, you have to use the following scope string:
The user has full control over his data. Therefore he is able to remove scopes if he does not want to share the information. Please consider this in your implementation.
So it may be that you request the scopes contact_show and task_show, but the user only accepts the scope
You will receive the accepted scopes in the access token response.
If you request a scope to edit a resource, you will automatically receive the right to list and show this resource.
Therefore, by requesting the scope article_edit, you do not have to apply for the scope
| Scope | Description |
|---|---|
| article_show | Show items / articles |
| article_edit | Show and edit items / articles |
| calendar_show | Show calendar entries |
| calendar_edit | Show and edit calendar entries |
| contact_edit | Show and edit contacts |
| kb_invoice_edit | Show and edit invoices |
| kb_offer_show | Show estimates (offers) |
| kb_offer_edit | Show and edit estimates (offers) |
| kb_order_edit | Show and edit orders |
| lead_edit | Show and edit leads |
| monitoring_edit | Show and edit timesheets |
| note_edit | Show and edit notes |
| task_edit | Show and edit tasks |
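The following is an added example, not bexio's own code, showing how a client can build the whitespace-separated scope string, read back which scopes the user actually accepted, and apply the rule above that an `_edit` scope already covers the matching `_show` scope. It assumes the access token response is a JSON object with a space-separated `scope` member (the RFC 6749 convention); the sample response below is constructed.

```python
"""Added example (not bexio's own code): request scopes and check what the user
granted, treating '<resource>_edit' as also granting '<resource>_show' as the
docs state. Assumes an RFC 6749-style JSON token response with a "scope" member."""
import json


def build_scope_string(scopes):
    """Join requested scopes with a single whitespace, dropping duplicates."""
    return " ".join(dict.fromkeys(scopes))


def expand_granted(granted):
    """Return the effective scope set: every 'x_edit' also implies 'x_show'."""
    effective = set(granted)
    for scope in granted:
        if scope.endswith("_edit"):
            effective.add(scope[: -len("_edit")] + "_show")
    return effective


def missing_scopes(requested, token_response_json):
    """Requested scopes the user removed before accepting (sorted for stability).

    The user may strip scopes from the consent screen, so the client must read
    the accepted set from the token response instead of assuming the request
    was granted as-is.
    """
    granted = json.loads(token_response_json).get("scope", "").split()
    effective = expand_granted(granted)
    return sorted(s for s in requested if s not in effective)


# Constructed sample token response: the user accepted contact_edit but
# removed task_show from the request. The token value is a placeholder.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "example-token-placeholder",
    "token_type": "Bearer",
    "scope": "contact_edit",
})

if __name__ == "__main__":
    requested = ["contact_edit", "contact_show", "task_show"]
    print("requesting:", build_scope_string(requested))
    # contact_show is covered by contact_edit; only task_show is missing.
    print("not granted:", missing_scopes(requested, SAMPLE_TOKEN_RESPONSE))
```

If `missing_scopes` returns a non-empty list, the application should degrade the affected feature rather than fail later with an authorization error from the API.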