Scopes declare what a Brevo user consents to your app doing on their behalf. You include them in the authorization request, the user sees them on the consent screen, and they’re embedded in the issued access token.
resource — the API area (e.g. contacts, crm, webhooks)
sub-resource — optional, used to split large areas (e.g. transactional.email, campaigns.sms)
action — either read (GET access) or write (create/update/delete access)
:write does not imply :read. If your app needs to both read and modify a resource — for example, list contacts before updating them — request both scopes.
Expand a resource to see its scope names, what each one grants, and the API paths it authorizes. Paths are prefixes — /contacts covers every endpoint under /contacts/.... :read authorizes GET requests on those paths; :write authorizes POST, PUT, PATCH and DELETE on the same paths.
transactional.email:read — Read transactional email statistics, templates and blocked addresses.
transactional.email:write — Send transactional emails and manage templates and blocklists.
Endpoints covered: /smtp/email, /smtp/templates, /smtp/emails, /smtp/statistics, /smtp/blockedContacts, /smtp/blockedDomains
transactional.sms:read — Read transactional SMS statistics and templates.
transactional.sms:write — Send transactional SMS and manage templates.
Endpoints covered: /transactionalSMS/send, /transactionalSMS/sms, /transactionalSMS/statistics, /transactionalSMS/templates
transactional.whatsapp:read — Read transactional WhatsApp statistics.
transactional.whatsapp:write — Send transactional WhatsApp messages.
Endpoints covered: /whatsapp/sendMessage, /whatsapp/statistics
campaigns.email:read — Read your email campaigns and their statistics.
campaigns.email:write — Create, modify, send and delete email campaigns.
Endpoints covered: /emailCampaigns
campaigns.sms:read — Read your SMS campaigns and their statistics.
campaigns.sms:write — Create, modify, send and delete SMS campaigns.
Endpoints covered: /smsCampaigns
campaigns.whatsapp:read — Read your WhatsApp campaigns and their statistics.
campaigns.whatsapp:write — Create, modify, send and delete WhatsApp campaigns.
Endpoints covered: /whatsappCampaigns
contacts:read — Read your contacts, lists, segments, attributes and folders.
contacts:write — Create, modify or delete your contacts, lists, segments, attributes and folders.
Endpoints covered: /contacts, /contacts/lists, /contacts/folders, /contacts/attributes, /contacts/segments, /contacts/import, /contacts/export
crm:read — Read your companies, deals, tasks, notes and pipelines.
crm:write — Create, modify or delete companies, deals, tasks, notes and pipelines.
Endpoints covered: /companies, /crm/deals, /crm/tasks, /crm/notes, /crm/files, /crm/attributes, /crm/pipeline
ecommerce:read — Read your products, orders and categories.
ecommerce:write — Create, modify or delete products, orders and categories.
Endpoints covered: /products, /orders, /categories, /ecommerce
loyalty:read — Read loyalty programs, balances, tiers and rewards.
loyalty:write — Create, modify or delete loyalty programs, balances, tiers and rewards.
Endpoints covered: /loyalty
events:read — Read tracked events.
events:write — Track new events.
Endpoints covered: /events
objects:read — Read your custom objects.
objects:write — Create, modify or delete your custom objects.
Endpoints covered: /objects
account:read — Read account information, senders and inbound feeds.
account:write — Modify senders, sending domains and inbound feeds.
Endpoints covered: /account, /senders, /senders/domains, /inbound, /feeds, /processes
organization:read — Read organization-level settings and members.
organization:write — Modify organization-level settings and members.
Endpoints covered: /organization
webhooks:read — List your webhook subscriptions.
webhooks:write — Create, modify or delete webhook subscriptions.
Endpoints covered: /webhooks
conversations:read — Read your live chat conversations.
conversations:write — Send messages and manage conversations.
Endpoints covered: /conversations
Scopes go in the scope query parameter of the authorization request, space-separated and URL-encoded.
Decoded, scope=contacts:read contacts:write transactional.email:write.
The user sees a consent screen listing the human-readable name and description of each requested scope before authorizing.
Every issued access token is a signed JWT and includes a scope claim — a space-separated string of the scopes granted to that specific token. Decode the JWT or call the introspection endpoint to verify what a token can do.
Response (RFC 7662):
The error_description field carries the specific reason — for example, requested scope exceeds scopes allowed for this client.
The OAuth server publishes standard discovery metadata at:
The scopes_supported field is sourced live from the catalog — this is the same list you get from brevo app available-scopes.
A few common combinations:
Start with the minimum your app needs. You can widen scopes later with brevo app update --scope <scope> — see the CLI reference.
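The rules above, applied in an added example (not Brevo's code): it derives the minimum scopes for a set of planned calls and lists what a token's scope claim is missing. The planned calls, the /contacts/42 path, the sample token and the whole-segment prefix matching are assumptions; the payload is decoded without verifying the signature, so this is for inspection only.

```python
import base64
import json

# Scope resource -> path prefixes, copied from this page (a subset of the catalog).
SCOPE_PATHS = {
    "contacts": ["/contacts"],
    "transactional.email": ["/smtp/email", "/smtp/templates", "/smtp/emails", "/smtp/statistics",
                            "/smtp/blockedContacts", "/smtp/blockedDomains"],
    "webhooks": ["/webhooks"],
}
ACTIONS = {"GET": "read", "POST": "write", "PUT": "write", "PATCH": "write", "DELETE": "write"}

def required_scope(method, path):
    """Scope one call needs, or None if no listed prefix or method covers it."""
    action = ACTIONS.get(method.upper())
    for resource, prefixes in SCOPE_PATHS.items():
        for prefix in prefixes:
            # Assumption: a prefix matches whole path segments only.
            if action and (path == prefix or path.startswith(prefix + "/")):
                return f"{resource}:{action}"
    return None

def minimal_scopes(calls):
    """Smallest scope set covering every planned (method, path) call."""
    scopes = {required_scope(m, p) for m, p in calls}
    if None in scopes:
        raise ValueError("a planned call is not covered by any listed scope")
    return sorted(scopes)

def token_scopes(jwt):
    """Read the scope claim from the JWT payload (signature is NOT verified here)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("scope", "").split())

def missing_scopes(jwt, calls):
    """Scopes the planned calls need that the token does not carry."""
    return sorted(set(minimal_scopes(calls)) - token_scopes(jwt))

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample data: hypothetical calls and a token with a placeholder signature.
PLANNED_CALLS = [("GET", "/contacts"), ("PUT", "/contacts/42"), ("POST", "/smtp/email")]
SAMPLE_JWT = ".".join([_b64({"alg": "RS256", "typ": "JWT"}),
                       _b64({"scope": "contacts:write transactional.email:write"}),
                       "placeholder-signature"])

if __name__ == "__main__":
    print(minimal_scopes(PLANNED_CALLS), missing_scopes(SAMPLE_JWT, PLANNED_CALLS))
```

The sample token carries contacts:write but not contacts:read, so the GET on /contacts is reported as uncovered.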