Scopes

Permissions your OAuth app requests from a Brevo user

Scopes declare what a Brevo user is consenting your app to do on their behalf. You include them in the authorization request, the user sees them on the consent screen, and they’re embedded in the issued access token.

Naming convention

{resource}[.{sub-resource}]:{action}
  • resource — the API area (e.g. contacts, crm, webhooks)
  • sub-resource — optional, used to split large areas (e.g. transactional.email, campaigns.sms)
  • action — either read (GET access) or write (create/update/delete access)

:write does not imply :read. If your app needs to both read and modify a resource — for example, list contacts before updating them — request both scopes.

Scope catalog

Each scope’s name, what it grants, and the API paths it authorizes. Paths are prefixes: /contacts covers every endpoint under /contacts/.... :read authorizes GET requests on those paths; :write authorizes POST, PUT, PATCH and DELETE on the same paths.

Scopes are grouped by category — the same grouping returned by brevo app available-scopes.

Scope | What it grants | Paths

Account
account:read | Read account info, senders and inbound feeds. | /account, /senders, /senders/domains, /inbound, /feeds, /processes
account:write | Modify senders, sending domains and inbound feeds. | /account, /senders, /senders/domains, /inbound, /feeds, /processes
organization:read | Read organization-level settings and members. | /organization
organization:write | Modify organization-level settings and members. | /organization
webhooks:read | List webhook subscriptions. | /webhooks
webhooks:write | Create, modify or delete webhook subscriptions. | /webhooks

Campaigns
campaigns.email:read | Read email campaigns and their statistics. | /emailCampaigns
campaigns.email:write | Create, modify, send and delete email campaigns. | /emailCampaigns
campaigns.sms:read | Read SMS campaigns and their statistics. | /smsCampaigns
campaigns.sms:write | Create, modify, send and delete SMS campaigns. | /smsCampaigns
campaigns.whatsapp:read | Read WhatsApp campaigns and their statistics. | /whatsappCampaigns
campaigns.whatsapp:write | Create, modify, send and delete WhatsApp campaigns. | /whatsappCampaigns

Contacts & CRM
contacts:read | Read contacts, lists, segments, attributes and folders. | /contacts, /contacts/lists, /contacts/folders, /contacts/attributes, /contacts/segments, /contacts/import, /contacts/export
contacts:write | Create, modify or delete contacts, lists, segments, attributes and folders. | /contacts, /contacts/lists, /contacts/folders, /contacts/attributes, /contacts/segments, /contacts/import, /contacts/export
crm:read | Read companies, deals, tasks, notes and pipelines. | /companies, /crm/deals, /crm/tasks, /crm/notes, /crm/files, /crm/attributes, /crm/pipeline
crm:write | Create, modify or delete companies, deals, tasks, notes and pipelines. | /companies, /crm/deals, /crm/tasks, /crm/notes, /crm/files, /crm/attributes, /crm/pipeline

Conversations
conversations:read | Read live chat conversations. | /conversations
conversations:write | Send messages and manage conversations. | /conversations

Custom objects
objects:read | Read custom objects. | /objects
objects:write | Create, modify or delete custom objects. | /objects

E-commerce
ecommerce:read | Read products, orders and categories. | /products, /orders, /categories, /ecommerce
ecommerce:write | Create, modify or delete products, orders and categories. | /products, /orders, /categories, /ecommerce

Events
events:read | Read tracked events. | /events
events:write | Track new events. | /events

Loyalty
loyalty:read | Read loyalty programs, balances, tiers and rewards. | /loyalty
loyalty:write | Create, modify or delete loyalty programs, balances, tiers and rewards. | /loyalty

Transactional
transactional.email:read | Read transactional email statistics, templates and blocked addresses. | /smtp/email, /smtp/templates, /smtp/emails, /smtp/statistics, /smtp/blockedContacts, /smtp/blockedDomains
transactional.email:write | Send transactional emails and manage templates and blocklists. | /smtp/email, /smtp/templates, /smtp/emails, /smtp/statistics, /smtp/blockedContacts, /smtp/blockedDomains
transactional.sms:read | Read transactional SMS statistics and templates. | /transactionalSMS/send, /transactionalSMS/sms, /transactionalSMS/statistics, /transactionalSMS/templates
transactional.sms:write | Send transactional SMS and manage templates. | /transactionalSMS/send, /transactionalSMS/sms, /transactionalSMS/statistics, /transactionalSMS/templates
transactional.whatsapp:read | Read transactional WhatsApp statistics. | /whatsapp/sendMessage, /whatsapp/statistics
transactional.whatsapp:write | Send transactional WhatsApp messages. | /whatsapp/sendMessage, /whatsapp/statistics

Prefer the terminal? Run brevo app available-scopes --web to browse this same catalog in a local page, or brevo app available-scopes --json for the raw list.
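
The catalog rules above (paths are prefixes, GET needs :read, POST/PUT/PATCH/DELETE need :write, and :write does not imply :read) can be used as a pre-flight check of a token's scope string against the calls an app intends to make. This is an added example, not Brevo code: PREFIXES is a constructed subset of the catalog, and required_scope and missing_scopes are hypothetical helper names.

```python
# Constructed subset of the catalog above: path prefix -> scope resource.
PREFIXES = {
    "/account": "account",
    "/senders": "account",
    "/contacts": "contacts",
    "/companies": "crm",
    "/crm/deals": "crm",
    "/smtp/email": "transactional.email",
    "/smtp/templates": "transactional.email",
    "/emailCampaigns": "campaigns.email",
    "/webhooks": "webhooks",
}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def required_scope(method, path):
    """Return the scope a request needs, or None if nothing in PREFIXES covers it."""
    method = method.upper()
    if method == "GET":
        action = "read"
    elif method in WRITE_METHODS:
        action = "write"
    else:
        return None  # the page defines no scope for other methods
    path = path.split("?", 1)[0].rstrip("/") or "/"
    best = None
    for prefix in PREFIXES:
        # Match whole path segments so /contactsExport does not match /contacts.
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix  # prefer the longest matching prefix
    return f"{PREFIXES[best]}:{action}" if best else None


def missing_scopes(granted, calls):
    """granted: space-separated scope string from the token.
    calls: iterable of (method, path). Returns the sorted scopes the token lacks."""
    have = set(granted.split())
    missing = set()
    for method, path in calls:
        need = required_scope(method, path)
        if need is None:
            missing.add(f"unmapped:{method} {path}")
        elif need not in have:  # exact match only: write never stands in for read
            missing.add(need)
    return sorted(missing)
```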

Requesting scopes

Scopes go in the scope query parameter of the authorization request, space-separated and URL-encoded.

https://oauth.brevo.com/realms/partner/oauth/authorize
?response_type=code
&client_id=<CLIENT_ID>
&redirect_uri=<REDIRECT_URI>
&scope=contacts%3Aread%20contacts%3Awrite%20transactional.email%3Awrite
&state=<RANDOM_STATE>

Decoded, scope=contacts:read contacts:write transactional.email:write.

The user sees a consent screen listing the human-readable name and description of each requested scope before authorizing.

Inspecting scopes in a token

Every issued access token is a signed JWT and includes a scope claim — a space-separated string of the scopes granted to that specific token. Decode the JWT or call the introspection endpoint to verify what a token can do.

$ curl --request POST \
    --url https://oauth.brevo.com/realms/partner/oauth/introspect \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --user '<CLIENT_ID>:<CLIENT_SECRET>' \
    --data-urlencode 'token=<ACCESS_TOKEN>'

Response (RFC 7662):

{
  "active": true,
  "scope": "contacts:read contacts:write transactional.email:write",
  "client_id": "<CLIENT_ID>",
  "exp": 1735689600,
  "iat": 1735686000,
  "sub": "user-uuid",
  "token_type": "Bearer"
}
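
A client can turn the introspection response into a usable/not-usable decision before relying on a token, including when the response has been cached. This is an added example, not Brevo code: check_introspection is a hypothetical helper, SAMPLE is constructed from the response shown above with a placeholder client_id, and treating a client_id mismatch as a failure is a policy assumption.

```python
import time

# Constructed sample, shaped like the introspection response shown above.
SAMPLE = {
    "active": True,
    "scope": "contacts:read contacts:write transactional.email:write",
    "client_id": "my-client",
    "exp": 1735689600,
    "iat": 1735686000,
    "sub": "user-uuid",
    "token_type": "Bearer",
}


def check_introspection(resp, expected_client_id, required, now=None):
    """Return a list of problems; an empty list means the token can be used
    for every scope in `required`."""
    now = time.time() if now is None else now
    # RFC 7662 lets an inactive response omit every other field, so stop here.
    if resp.get("active") is not True:
        return ["token is not active"]
    problems = []
    if resp.get("client_id") != expected_client_id:
        problems.append("token was issued to a different client")
    # exp is optional in RFC 7662; re-check it when present because a cached
    # response can outlive the token.
    exp = resp.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        problems.append("token has expired")
    granted = set(str(resp.get("scope") or "").split())
    for scope in sorted(set(required) - granted):
        problems.append(f"missing scope: {scope}")
    return problems
```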

Errors

HTTP status | error | When
400 | invalid_scope | The requested scope isn’t in the catalog, or exceeds the scopes registered on your app
400 | invalid_request | scope parameter is missing or malformed

The error_description field carries the specific reason — for example, requested scope exceeds scopes allowed for this client.

Discovering scopes programmatically

The OAuth server publishes standard discovery metadata at:

https://oauth.brevo.com/realms/partner/.well-known/oauth-authorization-server

The scopes_supported field is sourced live from the catalog — this is the same list you get from brevo app available-scopes.

$ curl https://oauth.brevo.com/realms/partner/.well-known/oauth-authorization-server \
    | jq '.scopes_supported'
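
Both 400 errors listed under Errors can be caught before the user is redirected by checking the requested scopes against scopes_supported and against the scopes registered on the app, then building the request described under Requesting scopes. This is an added example, not Brevo code: build_authorize_url and state_matches are hypothetical helpers, SUPPORTED and REGISTERED are constructed sample lists, and the character class in SCOPE_RE is an assumption drawn from the catalog names.

```python
import re
import secrets
from urllib.parse import quote, urlencode

AUTHORIZE_URL = "https://oauth.brevo.com/realms/partner/oauth/authorize"
# {resource}[.{sub-resource}]:{action}; lowercase letters only is an assumption.
SCOPE_RE = re.compile(r"^[a-z]+(\.[a-z]+)?:(read|write)$")

# Constructed samples: scopes_supported from discovery, and the app's own scopes.
SUPPORTED = ["contacts:read", "contacts:write", "crm:read", "transactional.email:write"]
REGISTERED = ["contacts:read", "contacts:write", "transactional.email:write"]


def build_authorize_url(client_id, redirect_uri, scopes, supported, registered):
    """Validate scopes locally, then return (authorization_url, state)."""
    if not scopes:
        raise ValueError("scope parameter would be missing")
    for scope in scopes:
        if not SCOPE_RE.match(scope):
            raise ValueError(f"malformed scope: {scope!r}")
        if scope not in supported:
            raise ValueError(f"scope not in catalog: {scope}")
        if scope not in registered:
            raise ValueError(f"scope exceeds scopes registered on the app: {scope}")
    state = secrets.token_urlsafe(32)  # unguessable, single-use value
    query = urlencode(
        {
            "response_type": "code",
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "scope": " ".join(dict.fromkeys(scopes)),  # de-duplicate, keep order
            "state": state,
        },
        quote_via=quote,  # spaces become %20; the default quote_plus gives "+"
    )
    return f"{AUTHORIZE_URL}?{query}", state


def state_matches(expected, returned):
    """Constant-time comparison of the stored state with the callback's state."""
    return secrets.compare_digest(expected.encode(), (returned or "").encode())
```

Store the returned state in the user's session and reject the callback when state_matches is false.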

Choosing scopes for your app

A few common combinations:

Use case | Scopes
Sync external contacts into Brevo | contacts:read contacts:write
Send transactional email on behalf of a user | transactional.email:write
Read campaign performance | campaigns.email:read campaigns.sms:read
Build a CRM-side integration | crm:read crm:write contacts:read
Webhook-driven integration | webhooks:read webhooks:write + the resource scopes you’ll consume

Start with the minimum your app needs. You can widen scopes later with brevo app update --scope <scope> — see the CLI reference.