---
title: "OAuth scopes"
description: "Limit your application's access to your customer's resources."
url: "https://docs.adyen.com/partners/oauth/scopes"
source_url: "https://docs.adyen.com/partners/oauth/scopes.md"
canonical: "https://docs.adyen.com/partners/oauth/scopes"
last_modified: "2026-05-12T18:42:29+02:00"
language: "en"
---

# OAuth scopes

Limit your application's access to your customer's resources.

Every OAuth access token has a scope. Scopes limit the access you have to your customer's account resources.

Currently, you cannot change the scope of an existing OAuth client. If you have an access token with a given scope, but want to make API requests outside that scope, you need to [register a new OAuth client](/partners/oauth/integration#step-1-register-your-client) and request access to your customer's account resources.

The following scopes are available:

* [Viewing webhooks](#viewing-webhooks)
* [Viewing and editing webhooks](#viewing-and-editing-webhooks)
* [Make online payments](#make-online-payments)
  * [Integrating online payments using OAuth](#integrating-online-payments-using-oauth)
    * [Step 1: Add allowed origins](#step-1-add-allowed-origins)
    * [Step 2: Generate a client key](#step-2-generate-a-client-key)
    * [Step 3: Retrieve your URL prefix](#step-3-retrieve-your-url-prefix)
* [Tokenize payment details](#tokenize-payment-details)
* [Handle raw card data](#handle-raw-card-data)
* [Manage payment links](#manage-payment-links)
* [Modify account settings](#modify-account-settings)

## Viewing webhooks

**Scope identifier**: `psp.webhook:read`

Lets you view webhook configurations for your customer's merchant account.

Gives access to the following Management API requests:

* GET [/merchants/{merchantId}/webhooks](https://docs.adyen.com/api-explorer/Management/latest/get/merchants/\(merchantId\)/webhooks)
* GET [/merchants/{merchantId}/webhooks/{webhookId}](https://docs.adyen.com/api-explorer/Management/latest/get/merchants/\(merchantId\)/webhooks/\(webhookId\))
* POST [/merchants/{merchantId}/webhooks/{webhookId}/test](https://docs.adyen.com/api-explorer/Management/latest/post/merchants/\(merchantId\)/webhooks/\(webhookId\)/test)

## Viewing and editing webhooks

**Scope identifier**: `psp.webhook:write`

Lets you view, create, edit, and delete webhook configurations for your customer's merchant account.

Gives access to the following Management API requests:

* GET [/merchants/{merchantId}/webhooks](https://docs.adyen.com/api-explorer/Management/latest/get/merchants/\(merchantId\)/webhooks)
* GET [/merchants/{merchantId}/webhooks/{webhookId}](https://docs.adyen.com/api-explorer/Management/latest/get/merchants/\(merchantId\)/webhooks/\(webhookId\))
* POST [/merchants/{merchantId}/webhooks/{webhookId}/test](https://docs.adyen.com/api-explorer/Management/latest/post/merchants/\(merchantId\)/webhooks/\(webhookId\)/test)
* POST [/merchants/{merchantId}/webhooks](https://docs.adyen.com/api-explorer/Management/latest/post/merchants/\(merchantId\)/webhooks)
* PATCH [/merchants/{merchantId}/webhooks/{webhookId}](https://docs.adyen.com/api-explorer/Management/latest/patch/merchants/\(merchantId\)/webhooks/\(webhookId\))
* DELETE [/merchants/{merchantId}/webhooks/{webhookId}](https://docs.adyen.com/api-explorer/Management/latest/delete/merchants/\(merchantId\)/webhooks/\(webhookId\))

## Make online payments

**Scope identifier**: `psp.onlinepayment:write`

Lets you process online payments on behalf of your customer.

This scope does not let you:

* [Tokenize payment details](#tokenize-payment-details)
* [Handle raw card data](#handle-raw-card-data)
* [Manage payment links](#manage-payment-links)

Request these scopes separately.

Gives access to the following Management API requests:

* POST [/me/allowedOrigins](https://docs.adyen.com/api-explorer/Management/latest/post/me/allowedOrigins)
* POST [/me/generateClientKey](https://docs.adyen.com/api-explorer/Management/latest/post/me/generateClientKey)

Gives access to the following [Checkout API](https://docs.adyen.com/api-explorer/Checkout/70/overview) request groups:

* Payments
* Modifications
* Recurring (only GET [`/storedPaymentMethods`](https://docs.adyen.com/api-explorer/Checkout/70/get/storedPaymentMethods)). Requires Checkout v70.
* Orders
* Utility

### Integrating online payments using OAuth

When integrating online payments using OAuth, remember that OAuth is simply an alternative method of authenticating API requests. This means all our [online payments documentation](/online-payments) still applies.

However, because OAuth doesn't grant you access to your customers' Customer Area, you can only set up the resources for client-side authentication through our APIs, as outlined in the steps below:

#### Step 1: Add allowed origins

[Allowed origins](/development-resources/client-side-authentication#allowed-origins) are domains from which you make client-side requests. This means you need to add the domains on which you are accepting payments as allowed origins. To do so, make a POST request to the [`/me/allowedOrigins`](https://docs.adyen.com/api-explorer/Management/1/post/me/allowedOrigins) endpoint.

#### Step 2: Generate a client key

When using Components or Drop-in to accept payments online, you need a client key for [client-side authentication](/development-resources/client-side-authentication).

To generate your client key, make a POST request to the `/me/generateClientKey` endpoint:

| Parameter name | Required | Description |
| --- | --- | --- |
| *ADYEN\_MANAGEMENT\_API\_BASE\_URL* | Yes | The base URL of the Management API. For the test environment, set to `management-test.adyen.com`. For the live environment, set to `management-live.adyen.com`. |

```bash
# Replace the {PLACEHOLDERS} with the Management API base URL and your OAuth access token.
curl --request POST 'https://{ADYEN_MANAGEMENT_API_BASE_URL}/v3/me/generateClientKey' \
  --header 'Authorization: Bearer {ACCESS_TOKEN}' \
  --header 'Content-Type: application/json'
```

#### Step 3: Retrieve your URL prefix

The URLs of our payment APIs have [account-specific prefixes](/development-resources/live-endpoints) for our live environment. To make API requests to process payments on behalf of your customer, you need their account-specific prefix.

To retrieve your customer's account-specific prefix, make a GET request to the [/merchants/{merchantId}](https://docs.adyen.com/api-explorer/Management/latest/get/merchants/\(merchantId\)) endpoint. The `merchantId` that you need to pass as a query parameter can be found in the [response of code exchange](/partners/oauth/integration#handle-the-response) for `accounts`.

In the response, the `livePrefix` is in the `dataCenters` array:

```json
[...]
"dataCenters": [
  {
    "name": "",
    "livePrefix": ""
  }
],
[...]
```

## Tokenize payment details

**Scope identifier**: `psp.onlinepayment.tokenization:write`

Extends the functionality of the `psp.onlinepayment:write` scope by letting you [tokenize a shopper's payment details](/online-payments/tokenization) to process recurring payments.

Furthermore, the scope gives you access to the **Recurring** requests of the [Checkout API](https://docs.adyen.com/api-explorer/Checkout/70/overview), which let you list and delete stored tokens.

This scope does *not* let you tokenize payment details through the [Recurring API](https://docs.adyen.com/api-explorer/Recurring/latest/overview).

## Handle raw card data

**Scope identifier**: `psp.rawcarddata:write`

Extends the functionality of the `psp.onlinepayment:write` scope by enabling you to submit raw card data.

This scope is disabled by default and [requires PCI-DSS Self-Assessment Questionnaire D](/development-resources/pci-dss-compliance-guide?tab=api_only_4#online-payments). To enable it, contact your account manager.

## Manage payment links

**Scope identifier**: `psp:paybylink:write`

Lets you create and update [payment links](/unified-commerce/pay-by-link).

To tokenize a shopper's payment details using a payment link, you also need:

* [Tokenize payment details](#tokenize-payment-details) scope
* [Make online payments](#make-online-payments) scope

If you want to tokenize your shopper's payment details, you need the scopes `psp.onlinepayment.tokenization:write` and `psp.onlinepayment:write` to make subsequent recurring payments.

## Modify account settings

**Scope identifier**: `psp.accountsettings:write`

Lets you modify merchant account settings.

Gives access to the following API request:

* GET `/merchants/{merchantId}`
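
A least-privilege check built from the Management API request lists on this page, as an added example that is not Adyen's code: given the calls an integration makes, it returns the narrowest set of scopes to request when registering the OAuth client. The function names and sample IDs are assumptions, and the table leaves out the Checkout API request groups because the page names groups rather than paths.

```python
import re
from itertools import combinations

# Management API requests per scope, transcribed from the lists on this page.
# Checkout API request groups are not modelled (the page names groups, not paths).
WEBHOOK_READ = [("GET", "/merchants/{merchantId}/webhooks"),
                ("GET", "/merchants/{merchantId}/webhooks/{webhookId}"),
                ("POST", "/merchants/{merchantId}/webhooks/{webhookId}/test")]
SCOPE_REQUESTS = {
    "psp.webhook:read": WEBHOOK_READ,
    "psp.webhook:write": WEBHOOK_READ + [
        ("POST", "/merchants/{merchantId}/webhooks"),
        ("PATCH", "/merchants/{merchantId}/webhooks/{webhookId}"),
        ("DELETE", "/merchants/{merchantId}/webhooks/{webhookId}")],
    "psp.onlinepayment:write": [("POST", "/me/allowedOrigins"),
                                ("POST", "/me/generateClientKey")],
    "psp.accountsettings:write": [("GET", "/merchants/{merchantId}")],
}

def matches_template(template, path):
    # Each {param} stands for exactly one non-empty path segment.
    literals = re.split(r"\{[^}]+\}", template)
    return re.fullmatch("[^/]+".join(map(re.escape, literals)), path) is not None

def scopes_allowing(method, path):
    """Scopes whose listed requests cover this method and concrete path."""
    # Drop the query string and a version prefix such as /v3.
    path = re.sub(r"^/v\d+(?=/)", "", path.split("?", 1)[0])
    return sorted(scope for scope, reqs in SCOPE_REQUESTS.items()
                  if any(m == method.upper() and matches_template(t, path)
                         for m, t in reqs))

def minimal_scopes(needed):
    """Fewest scopes covering every (method, path); ties go to the narrower grant."""
    if not needed:
        return []
    missing = [r for r in needed if not scopes_allowing(*r)]
    if missing:
        raise ValueError(f"no scope listed on the page covers {missing}")
    for size in range(1, len(SCOPE_REQUESTS) + 1):
        fits = [c for c in combinations(sorted(SCOPE_REQUESTS), size)
                if all(set(scopes_allowing(*r)) & set(c) for r in needed)]
        if fits:
            # Least privilege: prefer the combination granting the fewest requests.
            return list(min(fits, key=lambda c: len(
                {q for s in c for q in SCOPE_REQUESTS[s]})))
    return []
```

Because the scope of an existing client cannot be changed, run the check against the full list of calls before registering. By this page's lists, the Step 3 request `GET /merchants/{merchantId}` appears only under `psp.accountsettings:write`.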