Skip to main content
Access to each endpoint is gated by a scope. Your partner credential is provisioned with a set of scopes; if a call’s required scope is not in that set, the API returns 403 INSUFFICIENT_SCOPE. Scopes follow a resource.action pattern, where action is read or write. A write scope covers create, update, and delete for that resource.

Available scopes

ScopeGrants
tours.readRead tour data
tours.writeCreate, edit, and soft-delete tours
schedule.readRead schedule items
schedule.writeCreate, update, and delete schedule items
venues.readRead venue data
venues.writeCreate, update, and delete venues
guestlist.readRead guest lists
guestlist.writeAdd, edit, and delete guest list entries
bulletins.readRead bulletins
bulletins.writeCreate, update, and delete bulletins
accommodation.readRead accommodation data
accommodation.writeCreate, edit, and delete accommodation
organization.readRead organization info and members
users.readRead tour member info

Scope per endpoint

EndpointScope
GET /v1/organizationsorganization.read
GET /v1/organizations/{orgId}/usersorganization.read
GET /v1/tours?org_id={orgId}tours.read
POST /v1/tourstours.write
PUT /v1/tours/{tourId}tours.write
DELETE /v1/tours/{tourId}tours.write
GET /v1/tours/{tourId}/usersusers.read
GET /v1/tours/{tourId}/days/{dayId}/scheduleschedule.read
POST /v1/schedule/itemsschedule.write
PUT /v1/schedule/items/{itemId}schedule.write
DELETE /v1/schedule/items/{itemId}schedule.write
GET /v1/tours/{tourId}/venuesvenues.read
POST /v1/venuesvenues.write
PUT /v1/venues/{venueId}venues.write
DELETE /v1/venues/{venueId}venues.write
GET /v1/tours/{tourId}/accommodationaccommodation.read
POST /v1/accommodationaccommodation.write
PUT /v1/accommodation/{accommodationId}accommodation.write
DELETE /v1/accommodation/{accommodationId}accommodation.write
GET /v1/tours/{tourId}/days/{dayId}/guestlistguestlist.read
POST /v1/guestlistguestlist.write
PUT /v1/guestlist/{guestListId}guestlist.write
DELETE /v1/guestlist/{guestListId}guestlist.write
GET /v1/tours/{tourId}/bulletinsbulletins.read
POST /v1/bulletinsbulletins.write
PUT /v1/bulletins/{bulletinId}bulletins.write
DELETE /v1/bulletins/{bulletinId}bulletins.write
POST /v1/attachmentsschedule.write
GET /v1/day-typestours.read

Two kinds of permission

Two independent checks apply to every call:
  1. Partner scope — does your application hold the scope for this endpoint? Decided by the scopes on your partner credential.
  2. User access — can the authenticated user see or modify this specific resource? Decided by the user’s roles and membership inside Daysync. Even with the right scope, a request can be rejected because the user lacks access to that tour or organization.
A partner can be provisioned with any subset of scopes (for example, a read-only integration with just tours.read, schedule.read, and organization.read). See Apply for API Access to request a credential and the scopes your integration needs.