403 INSUFFICIENT_SCOPE.
Scopes follow a resource.action pattern, where action is read or write. A write scope covers create, update, and delete for that resource.
Available scopes
| Scope | Grants |
|---|---|
tours.read | Read tour data |
tours.write | Create, edit, and soft-delete tours |
schedule.read | Read schedule items |
schedule.write | Create, update, and delete schedule items |
venues.read | Read venue data |
venues.write | Create, update, and delete venues |
guestlist.read | Read guest lists |
guestlist.write | Add, edit, and delete guest list entries |
bulletins.read | Read bulletins |
bulletins.write | Create, update, and delete bulletins |
accommodation.read | Read accommodation data |
accommodation.write | Create, edit, and delete accommodation |
organization.read | Read organization info and members |
users.read | Read tour member info |
Scope per endpoint
| Endpoint | Scope |
|---|---|
GET /v1/organizations | organization.read |
GET /v1/organizations/{orgId}/users | organization.read |
GET /v1/tours?org_id={orgId} | tours.read |
POST /v1/tours | tours.write |
PUT /v1/tours/{tourId} | tours.write |
DELETE /v1/tours/{tourId} | tours.write |
GET /v1/tours/{tourId}/users | users.read |
GET /v1/tours/{tourId}/days/{dayId}/schedule | schedule.read |
POST /v1/schedule/items | schedule.write |
PUT /v1/schedule/items/{itemId} | schedule.write |
DELETE /v1/schedule/items/{itemId} | schedule.write |
GET /v1/tours/{tourId}/venues | venues.read |
POST /v1/venues | venues.write |
PUT /v1/venues/{venueId} | venues.write |
DELETE /v1/venues/{venueId} | venues.write |
GET /v1/tours/{tourId}/accommodation | accommodation.read |
POST /v1/accommodation | accommodation.write |
PUT /v1/accommodation/{accommodationId} | accommodation.write |
DELETE /v1/accommodation/{accommodationId} | accommodation.write |
GET /v1/tours/{tourId}/days/{dayId}/guestlist | guestlist.read |
POST /v1/guestlist | guestlist.write |
PUT /v1/guestlist/{guestListId} | guestlist.write |
DELETE /v1/guestlist/{guestListId} | guestlist.write |
GET /v1/tours/{tourId}/bulletins | bulletins.read |
POST /v1/bulletins | bulletins.write |
PUT /v1/bulletins/{bulletinId} | bulletins.write |
DELETE /v1/bulletins/{bulletinId} | bulletins.write |
POST /v1/attachments | schedule.write |
GET /v1/day-types | tours.read |
Two kinds of permission
Two independent checks apply to every call:- Partner scope — does your application hold the scope for this endpoint? Decided by the scopes on your partner credential.
- User access — can the authenticated user see or modify this specific resource? Decided by the user’s roles and membership inside Daysync. Even with the right scope, a request can be rejected because the user lacks access to that tour or organization.
tours.read, schedule.read, and organization.read). See Apply for API Access to request a credential and the scopes your integration needs.
