> ## Documentation Index
> Fetch the complete documentation index at: https://docs.daysync.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Scopes & Permissions

> Scopes control which endpoints a partner application may call. Each endpoint requires exactly one scope.

Access to each endpoint is gated by a **scope**. Your partner credential is provisioned with a set of scopes; if a call's required scope is not in that set, the API returns `403 INSUFFICIENT_SCOPE`.

Scopes follow a `resource.action` pattern, where `action` is `read` or `write`. A `write` scope covers create, update, and delete for that resource.

## Available scopes

| Scope                 | Grants                                    |
| --------------------- | ----------------------------------------- |
| `tours.read`          | Read tour data                            |
| `tours.write`         | Create, edit, and soft-delete tours       |
| `schedule.read`       | Read schedule items                       |
| `schedule.write`      | Create, update, and delete schedule items |
| `venues.read`         | Read venue data                           |
| `venues.write`        | Create, update, and delete venues         |
| `guestlist.read`      | Read guest lists                          |
| `guestlist.write`     | Add, edit, and delete guest list entries  |
| `bulletins.read`      | Read bulletins                            |
| `bulletins.write`     | Create, update, and delete bulletins      |
| `accommodation.read`  | Read accommodation data                   |
| `accommodation.write` | Create, edit, and delete accommodation    |
| `organization.read`   | Read organization info and members        |
| `users.read`          | Read tour member info                     |

## Scope per endpoint

| Endpoint                                        | Scope                 |
| ----------------------------------------------- | --------------------- |
| `GET /v1/organizations`                         | `organization.read`   |
| `GET /v1/organizations/{orgId}/users`           | `organization.read`   |
| `GET /v1/tours?org_id={orgId}`                  | `tours.read`          |
| `POST /v1/tours`                                | `tours.write`         |
| `PUT /v1/tours/{tourId}`                        | `tours.write`         |
| `DELETE /v1/tours/{tourId}`                     | `tours.write`         |
| `GET /v1/tours/{tourId}/users`                  | `users.read`          |
| `GET /v1/tours/{tourId}/days/{dayId}/schedule`  | `schedule.read`       |
| `POST /v1/schedule/items`                       | `schedule.write`      |
| `PUT /v1/schedule/items/{itemId}`               | `schedule.write`      |
| `DELETE /v1/schedule/items/{itemId}`            | `schedule.write`      |
| `GET /v1/tours/{tourId}/venues`                 | `venues.read`         |
| `POST /v1/venues`                               | `venues.write`        |
| `PUT /v1/venues/{venueId}`                      | `venues.write`        |
| `DELETE /v1/venues/{venueId}`                   | `venues.write`        |
| `GET /v1/tours/{tourId}/accommodation`          | `accommodation.read`  |
| `POST /v1/accommodation`                        | `accommodation.write` |
| `PUT /v1/accommodation/{accommodationId}`       | `accommodation.write` |
| `DELETE /v1/accommodation/{accommodationId}`    | `accommodation.write` |
| `GET /v1/tours/{tourId}/days/{dayId}/guestlist` | `guestlist.read`      |
| `POST /v1/guestlist`                            | `guestlist.write`     |
| `PUT /v1/guestlist/{guestListId}`               | `guestlist.write`     |
| `DELETE /v1/guestlist/{guestListId}`            | `guestlist.write`     |
| `GET /v1/tours/{tourId}/bulletins`              | `bulletins.read`      |
| `POST /v1/bulletins`                            | `bulletins.write`     |
| `PUT /v1/bulletins/{bulletinId}`                | `bulletins.write`     |
| `DELETE /v1/bulletins/{bulletinId}`             | `bulletins.write`     |
| `POST /v1/attachments`                          | `schedule.write`      |
| `GET /v1/day-types`                             | `tours.read`          |

## Two kinds of permission

Two independent checks apply to every call:

1. **Partner scope** — does *your application* hold the scope for this endpoint? Decided by the scopes on your partner credential.
2. **User access** — can *the authenticated user* see or modify this specific resource? Decided by the user's roles and membership inside Daysync. Even with the right scope, a request can be rejected because the user lacks access to that tour or organization.

A partner can be provisioned with any subset of scopes (for example, a read-only integration with just `tours.read`, `schedule.read`, and `organization.read`). See [Apply for API Access](/apply-for-access) to request a credential and the scopes your integration needs.
