API Scopes Reference

Complete reference for all 17 API scopes available in Salami Gateway. Scopes control what each API token can access, following the principle of least privilege.

Overview
How Scope Enforcement Works
Full Access Scope
Payments Scopes
SMS Scopes
eTIMS Scopes
KRA Portal Scopes
Scope Groups
Route-to-Scope Mapping

Overview

Each API token is assigned one or more scopes (also called abilities). Scopes determine which API endpoints the token can access.

Scope Count by Module

Module	Scopes	Total Routes
Payments	3	17
SMS	4	10
eTIMS	3	40+
KRA Portal	6	20
Total	17 (+ full access)	87+

How Scope Enforcement Works

Scope enforcement is handled by the CheckTokenScopes middleware on every API request:

Extract abilities -- The middleware reads the token's assigned scopes
Check for wildcard -- If the token has * (full access), the request is allowed
Match route to scope -- The current route name is checked against each scope's allowed routes
Grant or deny -- If a matching scope is found, access is granted; otherwise, a 403 is returned

Enforcement Flow

Request arrives with Bearer token
    |
    v
Is token valid? --[No]--> 401 Unauthorized
    |
    [Yes]
    v
Token has "*" ability? --[Yes]--> ALLOW
    |
    [No]
    v
Does any token ability include
this route? --[Yes]--> ALLOW
    |
    [No]
    v
403 Forbidden
{
  "error": "insufficient_scope",
  "required_route": "api.kra.checkers.pin",
  "your_scopes": ["payments:read"]
}

Error Response Format

{
  "success": false,
  "message": "Your API token does not have the required permissions to access this endpoint.",
  "error": "insufficient_scope",
  "required_route": "api.kra.checkers.pin",
  "your_scopes": ["payments:read", "payments:write"]
}

The error response includes required_route and your_scopes to help diagnose which scope is needed.

Full Access Scope

Scope	Name
`*`	Full Access

Grants unrestricted access to all API endpoints. Equivalent to having all 17 scopes assigned.

When to use: Administrator accounts, development/testing.

When not to use: Production integrations, third-party access, limited-purpose tokens.

Payments Scopes

`payments:read`

Name: Payments - Read

Description: View payment apps, transactions, balances, and statuses.

Allowed Routes:

Route Name	Endpoint	Description
`api.pay.myApps`	`GET /api/pay/apps`	List payment apps
`api.pay.getTransaction`	`GET /api/pay/{app}/transaction/{id}`	Get transaction details
`api.pay.queryTransactions`	`GET /api/pay/{app}/queryTransactions`	Search transactions
`api.pay.checkBalance`	`GET /api/pay/{app}/checkBalance`	Check account balance
`api.pay.getTransactions`	`GET /api/pay/{app}/fetchTransactions`	Fetch from provider
`api.pay.getTransactionStatus`	`GET /api/pay/{app}/getTransactionStatus/{id}`	Check status
`api.pay.checkPaymentRequestStatus`	`GET /api/pay/{app}/checkPaymentRequestStatus/{id}`	Check STK status
`api.pay.paymentInstructions`	`GET /api/pay/{app}/getInstructions/{id}`	Get payment instructions

`payments:write`

Name: Payments - Write

Description: Create and modify payment transactions.

Allowed Routes:

Route Name	Endpoint	Description
`api.pay.extractTransaction`	`POST /api/pay/{app}/extractTransaction`	Import transaction
`api.pay.registerUrls`	`POST /api/pay/{app}/registerUrls`	Register callback URLs
`api.pay.requestPayment`	`POST /api/pay/{app}/requestPayment`	STK Push
`api.pay.reverseTransaction`	`POST /api/pay/{app}/reverseTransaction/{id}`	Reverse transaction
`api.pay.sendAirtime`	`POST /api/pay/{app}/sendAirtime`	Send airtime
`api.pay.sendMoney`	`POST /api/pay/{app}/sendMoney`	B2C transfer
`api.pay.simulateTransaction`	`POST /api/pay/{app}/simulateTransaction`	Simulate (sandbox)
`api.pay.validateTransaction`	`POST /api/pay/{app}/validateTransaction`	Validate transaction

`payments:callback`

Name: Payments - Callbacks

Description: Handle payment provider callbacks.

Allowed Routes:

Route Name	Endpoint	Description
`api.pay.callback`	`POST /api/pay/{app}/callback/{action?}`	Provider callback

SMS Scopes

`sms:read`

Name: SMS - Read

Description: View SMS apps, messages, inbox, outbox, and calls.

Allowed Routes:

Route Name	Endpoint	Description
`api.sms.app`	`GET /api/sms/apps/{app}`	Get SMS app details
`api.sms.group`	`POST /api/sms/groups/{app}`	Get SMS group
`api.sms.app.inbox`	`GET /api/sms/apps/{app}/inbox`	Get inbox messages
`api.sms.app.outbox`	`GET /api/sms/apps/{app}/outbox`	Get sent messages
`api.sms.app.calls`	`GET /api/sms/apps/{app}/calls`	Get call logs
`api.sms.sms`	`GET /api/sms/sms/{id}`	Get single SMS

`sms:write`

Name: SMS - Send

Description: Send SMS messages to individuals and groups.

Allowed Routes:

Route Name	Endpoint	Description
`api.sms.app.send`	`POST /api/sms/apps/{app}/send`	Send single SMS
`api.sms.group.send`	`POST /api/sms/groups/{app}/send`	Send bulk SMS

`sms:sync`

Name: SMS - Sync

Description: Synchronize SMS data from mobile apps.

Allowed Routes:

Route Name	Endpoint	Description
`api.sms.app.msync`	`POST /api/sms/msync`	M-Sync protocol
`api.sms.app.smssync`	`POST /api/sms/smssync`	SMSSync protocol

`sms:receive`

Name: SMS - Receive

Description: Receive incoming SMS messages and callbacks.

Allowed Routes:

Route Name	Endpoint	Description
`api.sms.app.receive`	`POST /api/sms/apps/{app}/receive`	Receive SMS
`api.sms.app.callback`	`POST /api/sms/apps/{app}/callback`	SMS callback

eTIMS Scopes

`etims:read`

Name: eTims - Read

Description: View eTims device info, sales, purchases, stock, items, reports, and verifications.

Allowed Routes:

Route Name	Endpoint	Description
`api.kra.etims.device.info`	`GET /api/etims/device/info`	Device info
`api.kra.etims.sales.get`	`GET /api/etims/sales/{receipt}`	Get sale
`api.kra.etims.sales.list`	`GET /api/etims/sales`	List sales
`api.kra.etims.purchases.get`	`GET /api/etims/purchases/{inv}`	Get purchase
`api.kra.etims.purchases.list`	`GET /api/etims/purchases`	List purchases
`api.kra.etims.stock.current`	`GET /api/etims/stock/current`	Current stock
`api.kra.etims.items.get`	`GET /api/etims/items/{code}`	Get item
`api.kra.etims.codes.*`	`GET /api/etims/codes/*`	Code tables
`api.kra.etims.notices`	`GET /api/etims/notices`	KRA notices
`api.kra.etims.reports.*`	`GET /api/etims/reports/*`	Reports
`api.kra.etims.health`	`GET /api/etims/health`	Health check
`api.kra.etims.credit_notes.list`	`GET /api/etims/credit-notes`	List credit notes
`api.kra.etims.suppliers.*`	`GET /api/etims/suppliers/*`	Suppliers
`api.kra.etims.reverse_invoices.*`	`GET /api/etims/reverse-invoices/*`	Reverse invoices
`api.kra.etims.verifications.*`	`GET /api/etims/verifications`	Verifications
`api.kra.etims.customers.*`	`GET /api/etims/customers/*`	Customers
`api.kra.etims.business.*`	`GET /api/etims/business/*`	Business info

`etims:write`

Name: eTims - Write

Description: Submit sales, credit notes, reverse invoices, purchases, stock, items, customers, and suppliers.

Allowed Routes:

Route Name	Endpoint	Description
`api.kra.etims.device.initialize`	`POST /api/etims/device/initialize`	Initialize device
`api.kra.etims.sales.submit`	`POST /api/etims/sales/submit`	Submit sale
`api.kra.etims.sales.submit_with_items`	`POST /api/etims/sales/submit-with-items`	Submit with items
`api.kra.etims.sales.cancel`	`POST /api/etims/sales/{receipt}/cancel`	Cancel sale
`api.kra.etims.purchases.submit`	`POST /api/etims/purchases/submit`	Submit purchase
`api.kra.etims.stock.movement`	`POST /api/etims/stock/movement`	Stock movement
`api.kra.etims.items.register`	`POST /api/etims/items/register`	Register item
`api.kra.etims.items.update`	`PUT /api/etims/items/{code}`	Update item
`api.kra.etims.notices.acknowledge`	`POST /api/etims/notices/{id}/acknowledge`	Ack notice
`api.kra.etims.credit_notes.submit`	`POST /api/etims/credit-notes/submit`	Submit credit note
`api.kra.etims.credit_notes.express`	`POST /api/etims/credit-notes/express`	Express credit note
`api.kra.etims.suppliers.create`	`POST /api/etims/suppliers`	Create supplier
`api.kra.etims.reverse_invoices.submit`	`POST /api/etims/reverse-invoices/submit`	Submit reverse invoice
`api.kra.etims.customers.create`	`POST /api/etims/customers`	Create customer
`api.kra.etims.customers.update`	`PUT /api/etims/customers/{id}`	Update customer

`etims:callback`

Name: eTims - Callbacks

Description: Handle eTims/KRA callbacks and webhooks.

Allowed Routes:

Route Name	Endpoint	Description
`api.kra.etims.callback`	`POST /api/etims/callback`	KRA callback

KRA Portal Scopes

`kra:apps`

Name: KRA - App Management

Allowed Routes:

Route Name	Endpoint	Description
`api.kra.apps`	`GET /api/kra/apps`	List KRA apps
`api.kra.apps.test`	`POST /api/kra/apps/{id}/test`	Test credentials

`kra:checkers`

Name: KRA - Checkers

Allowed Routes (13 endpoints):

Route Name	Endpoint
`api.kra.checkers.pin`	`POST /api/kra/checkers/pin`
`api.kra.checkers.pin_by_id`	`POST /api/kra/checkers/pin-by-id`
`api.kra.checkers.tax_obligations`	`POST /api/kra/checkers/tax-obligations`
`api.kra.checkers.tcc`	`POST /api/kra/checkers/tcc`
`api.kra.checkers.invoice`	`POST /api/kra/checkers/invoice`
`api.kra.checkers.declaration`	`POST /api/kra/checkers/declaration`
`api.kra.checkers.it_exemption`	`POST /api/kra/checkers/it-exemption`
`api.kra.checkers.vat_exemption`	`POST /api/kra/checkers/vat-exemption`
`api.kra.checkers.import_cert_number`	`POST /api/kra/checkers/import-cert-number`
`api.kra.checkers.import_cert_pin`	`POST /api/kra/checkers/import-cert-pin`
`api.kra.checkers.excise_pin`	`POST /api/kra/checkers/excise-pin`
`api.kra.checkers.excise_number`	`POST /api/kra/checkers/excise-number`
`api.kra.checkers.tax_service_office`	`POST /api/kra/checkers/tax-service-office`

`kra:payments`

Name: KRA - PRN Generation

Allowed Routes:

Route Name	Endpoint
`api.kra.payments.it_withholding`	`POST /api/kra/payments/it-withholding`
`api.kra.payments.rental_withholding`	`POST /api/kra/payments/rental-withholding`
`api.kra.payments.vat_withholding`	`POST /api/kra/payments/vat-withholding`

`kra:compliance`

Name: KRA - Tax Compliance

Allowed Routes:

Route Name	Endpoint
`api.kra.compliance.tcc_application`	`POST /api/kra/compliance/tcc-application`

`kra:registration`

Name: KRA - PIN Registration

Allowed Routes:

Route Name	Endpoint
`api.kra.registration.pin`	`POST /api/kra/registration/pin`

`kra:returns`

Name: KRA - Tax Returns

Allowed Routes:

Route Name	Endpoint
`api.kra.returns.tot`	`POST /api/kra/returns/tot`
`api.kra.returns.nil`	`POST /api/kra/returns/nil`

Scope Groups

Pre-configured scope combinations for common use cases. Use these as templates when creating tokens.

Group	Scopes	Use Case
Payments Full	`payments:read`, `payments:write`, `payments:callback`	Full payment processing
SMS Full	`sms:read`, `sms:write`, `sms:sync`, `sms:receive`	Full SMS gateway
eTIMS Full	`etims:read`, `etims:write`, `etims:callback`	Full eTIMS integration
KRA Full	`kra:apps`, `kra:checkers`, `kra:payments`, `kra:compliance`, `kra:registration`, `kra:returns`	Full KRA portal
KRA Read Only	`kra:apps`, `kra:checkers`	KRA validation/lookup only
Read Only	`payments:read`, `sms:read`, `etims:read`, `kra:apps`, `kra:checkers`	Dashboards, reporting
Send Only	`payments:write`, `sms:write`	Outbound payments and messaging
Full Access	All 17 scopes	Complete unrestricted access

Choosing Scopes

Integration Type	Recommended Scopes
POS System	`etims:read`, `etims:write`
Accounting Software	`etims:read`, `kra:checkers`, `kra:payments`
Payment Gateway	`payments:read`, `payments:write`, `payments:callback`
Bulk SMS Tool	`sms:write`
Reporting Dashboard	`payments:read`, `sms:read`, `etims:read`
KRA Agent Software	`kra:apps`, `kra:checkers`, `kra:registration`, `kra:returns`, `kra:compliance`
Mobile App	`payments:read`, `sms:read`

Route-to-Scope Mapping

Quick lookup -- given a 403 error with required_route, find the needed scope:

Route Prefix	Required Scope
`api.pay.myApps`, `api.pay.get`, `api.pay.check`, `api.pay.query*`	`payments:read`
`api.pay.extract`, `api.pay.register`, `api.pay.request`, `api.pay.reverse`, `api.pay.send`, `api.pay.simulate`, `api.pay.validate*`	`payments:write`
`api.pay.callback`	`payments:callback`
`api.sms.app`, `api.sms.group`, `api.sms.app.inbox`, `api.sms.app.outbox`, `api.sms.app.calls`, `api.sms.sms`	`sms:read`
`api.sms.app.send`, `api.sms.group.send`	`sms:write`
`api.sms.app.msync`, `api.sms.app.smssync`	`sms:sync`
`api.sms.app.receive`, `api.sms.app.callback`	`sms:receive`
`api.kra.etims..get`, `api.kra.etims..list`, `api.kra.etims.health`, `api.kra.etims.reports.*`	`etims:read`
`api.kra.etims..submit`, `api.kra.etims..create`, `api.kra.etims.*.update`, `api.kra.etims.device.initialize`	`etims:write`
`api.kra.etims.callback`	`etims:callback`
`api.kra.apps`, `api.kra.apps.test`	`kra:apps`
`api.kra.checkers.*`	`kra:checkers`
`api.kra.payments.*`	`kra:payments`
`api.kra.compliance.*`	`kra:compliance`
`api.kra.registration.*`	`kra:registration`
`api.kra.returns.*`	`kra:returns`

Salami Gateway

API Scopes Reference

Table of Contents

Overview

Scope Count by Module

How Scope Enforcement Works

Enforcement Flow

Error Response Format

Full Access Scope

Payments Scopes

`payments:read`

`payments:write`

`payments:callback`

SMS Scopes

`sms:read`

`sms:write`

`sms:sync`

`sms:receive`

eTIMS Scopes

`etims:read`

`etims:write`

`etims:callback`

KRA Portal Scopes

`kra:apps`

`kra:checkers`

`kra:payments`

`kra:compliance`

`kra:registration`

`kra:returns`

Scope Groups

Choosing Scopes

Route-to-Scope Mapping

Related Documentation

⚡ API Explorer