forgejo-docs/docs/user/token-scope.md

title	license	origin_url
Access Token scope	Apache-2.0	e865de1e9d/docs/content/development/oauth2-provider.en-us.md

Forgejo supports scoped access tokens, which allow users to restrict tokens to operate only on selected url routes. Scopes are grouped by high-level API routes, and further refined to the following:

• read: GET routes
• write: POST, PUT, PATCH, and DELETE routes (in addition to GET)

Forgejo token scopes are as follows:

Name	Description
(no scope)	Not supported. A scope is required even for public repositories.
activitypub	activitypub API routes: ActivityPub related operations.
read:activitypub	Grants read access for ActivityPub operations.
write:activitypub	Grants read/write/delete access for ActivityPub operations.
admin	/admin/* API routes: Site-wide administrative operations (hidden for non-admin accounts).
read:admin	Grants read access for admin operations, such as getting cron jobs or registered user emails.
write:admin	Grants read/write/delete access for admin operations, such as running cron jobs or updating user accounts.
issue	issues/*, labels/*, milestones/* API routes: Issue-related operations.
read:issue	Grants read access for issues operations, such as getting issue comments, issue attachments, and milestones.
write:issue	Grants read/write/delete access for issues operations, such as posting or editing an issue comment or attachment, and updating milestones.
misc	miscellaneous and settings top-level API routes.
read:misc	Grants read access to miscellaneous operations, such as getting label and gitignore templates.
write:misc	Grants read/write/delete access to miscellaneous operations, such as markup utility operations.
notification	notification/* API routes: user notification operations.
read:notification	Grants read access to user notifications, such as which notifications users are subscribed to and read new notifications.
write:notification	Grants read/write/delete access to user notifications, such as marking notifications as read.
organization	orgs/* and teams/* API routes: Organization and team management operations.
read:organization	Grants read access to org and team status, such as listing all organizations a user has visibility to, teams, and team members.
write:organization	Grants read/write/delete access to org and team status, such as creating and updating teams and updating org settings.
package	/packages/* API routes: Packages operations
read:package	Grants read access to package operations, such as reading and downloading available packages.
write:package	Grants read/write/delete access to package operations. Currently the same as read:package.
repository	/repos/* API routes except /repos/issues/*: Repository file, pull-request, and release operations.
read:repository	Grants read access to repository operations, such as getting repository files, releases, collaborators.
write:repository	Grants read/write/delete access to repository operations, such as getting updating repository files, creating pull requests, updating collaborators.
user	/user/* and /users/* API routes: User-related operations.
read:user	Grants read access to user operations, such as getting user repository subscriptions and user settings.
write:user	Grants read/write/delete access to user operations, such as updating user repository subscriptions, followed users, and user settings.