Access
Manage scopes, OAuth2 clients, end-users, and active sessions for your workspace.
The Access tab is where you configure IoTMan's authorization layer: define the permissions (scopes) your workspace uses, and manage the principals — OAuth2 clients and end-users — that can access protected resources.
For a conceptual overview of how these pieces fit together, see the Authorization guide.
Scopes
A scope is a named permission string defined by your workspace. Scopes are the unit of access control — they appear in tokens and are checked by resource servers before serving protected content.
Use the namespace:action convention to keep scope names clear and consistent (e.g. sensor:read, video:gold, admin:write).
The workspace UUID is also shown in this section. External resource servers need it to validate the aud claim on incoming tokens.
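How an external resource server would combine the workspace UUID and the namespace:action scopes described above, as an added example that is not IoTMan's own code. It assumes the token's signature has already been verified, that the scope claim is a space-separated string (the usual OAuth2 convention), and uses a placeholder workspace UUID.

```python
"""Hypothetical resource-server authorization check (added example, not IoTMan code)."""
from __future__ import annotations

import time

# Assumed: the workspace UUID shown in the Access tab; this value is a placeholder.
WORKSPACE_UUID = "00000000-0000-4000-8000-000000000000"


def token_scopes(claims: dict) -> set[str]:
    """Return the scope set carried by the token.

    Assumes a space-separated "scope" claim; a list of strings is accepted too.
    """
    raw = claims.get("scope", "")
    if isinstance(raw, str):
        return set(raw.split())
    return set(raw)


def authorize(claims: dict, required: set[str],
              workspace_uuid: str = WORKSPACE_UUID,
              now: float | None = None) -> tuple[bool, str]:
    """Decide whether an already signature-verified token may access a resource.

    Returns (allowed, reason). Only the claims are inspected here; signature
    verification must happen before this function is called.
    """
    now = time.time() if now is None else now
    # 1. Audience: reject tokens issued for a different workspace.
    aud = claims.get("aud")
    audiences = {aud} if isinstance(aud, str) else set(aud or [])
    if workspace_uuid not in audiences:
        return False, "aud does not match workspace UUID"
    # 2. Expiry: revoked scopes linger until refresh, so expiry bounds the exposure.
    exp = claims.get("exp")
    if exp is None or now >= exp:
        return False, "token expired or missing exp"
    # 3. Scope: every required namespace:action scope must be present.
    missing = required - token_scopes(claims)
    if missing:
        return False, "missing scope(s): " + " ".join(sorted(missing))
    return True, "ok"


# Constructed sample claims for a sensor endpoint that requires sensor:read.
SAMPLE_CLAIMS = {
    "aud": WORKSPACE_UUID,
    "scope": "sensor:read video:gold",
    "exp": 1_800_000_000,
}
```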
Creating a scope
- Click + New scope.
- Enter a name and an optional description.
- Click Save.
Requires Admin role.
Deleting a scope
Click the delete button next to a scope.
Requires Admin role.
End-users
End-users are people who access your protected resources but are not workspace members. They cannot manage the workspace — they only authenticate to receive tokens scoped to the resources you grant them.
Each end-user is invited by email and granted one or more scopes. When they authenticate, their token carries exactly the scopes you assigned. Scope changes take effect on the next token refresh.
Inviting an end-user
- Click + Invite end-user.
- Enter the user's email.
- Select one or more scopes to grant.
- Click Invite. The user receives a magic link to authenticate.
Requires Admin role.
Adding scopes to an existing end-user
Click + scope on an end-user row to grant an additional scope without re-inviting.
Requires Admin role.
Revoking a scope
Click × on a scope badge in the end-user row to revoke that specific scope. Tokens already issued remain valid until they expire; the revocation takes effect on the next token refresh. For sensitive resources, keep token expiry short.
Requires Admin role.
OAuth2 clients
An OAuth2 client represents an application or device that interacts with your workspace. IoTMan supports three client types:
| Type | Use case | Redirect URI | Secret |
|---|---|---|---|
| Authorization Code + PKCE | User-facing apps (SPA, mobile) — user authorises the app | Required | — |
| Authorization Code | Server-side apps — user authorises the app via a backend | Required | Generated |
| Client Credentials | Devices and M2M services — no user involved | — | Generated |
Creating a client
- Click + New client.
- Enter a name and select the client type.
- For Authorization Code flows, enter the redirect URI.
- Click Create. If the type generates a secret, it is shown once — copy it immediately.
Requires Admin role.
Scopes for Client Credentials clients
Client Credentials clients can request any scope defined in the workspace. Include a scope parameter at token request time with a space-separated list of desired scopes. If no scope parameter is provided, all workspace scopes are granted, so always request only the scopes the client actually needs.
Deleting a client
Click the delete button. All active tokens issued to this client are revoked immediately.
Requires Admin role.
Active sessions
Lists all active refresh tokens issued for this workspace. Each row shows the principal (end-user email or client name), the granted scopes, and when the session was created.
Click Revoke on any row to invalidate that session immediately. Client Credentials (M2M) clients hold no refresh token: they re-authenticate automatically when their access token expires, so they do not appear here. To cut off such a client, delete it, which revokes all of its active tokens.
Requires Editor or Admin role.