OAuth Scopes

Scopes define what actions an application can perform on behalf of a user. When authorizing an app, users see exactly which permissions the app is requesting.
Principle of Least PrivilegeRequest only the scopes your application actually needs. Users are more likely to approve apps that request minimal permissions.

Short URL Scopes

ScopePermissionDescription
shorturl:readRead URLsList and view short URL details and metadata
shorturl:createCreate URLsShorten long URLs, set custom aliases
shorturl:updateEdit URLsModify destination URLs and settings
shorturl:deleteDelete URLsPermanently remove short URLs

QR Code Scopes

ScopePermissionDescription
qrcode:readRead QR CodesList and view QR code details
qrcode:createCreate QR CodesGenerate QR codes for URLs, text, WiFi, vCards
qrcode:updateEdit QR CodesModify QR code content and design
qrcode:deleteDelete QR CodesPermanently remove QR codes

Analytics Scopes

ScopePermissionDescription
analytics:readView AnalyticsAccess click statistics, traffic data, and performance metrics
Analytics access may require a paid plan. If a user’s plan doesn’t include analytics, requests using this scope will return a plan limitation error.

Domain Scopes

ScopePermissionDescription
domain:readView DomainsList custom domains and subdomains
domain:createAdd DomainsRegister new custom domains

Campaign Scopes

ScopePermissionDescription
campaign:readView CampaignsAccess campaign data and UTM parameters
campaign:createCreate CampaignsCreate and manage marketing campaigns

Scope Bundles

For convenience, you can request multiple scopes at once. Here are common bundles:

Read-Only Access

shorturl:read qrcode:read analytics:read
Allows viewing URLs, QR codes, and analytics without any write access.

Standard Integration

shorturl:read shorturl:create qrcode:read qrcode:create analytics:read
Recommended for most AI assistants and automation tools.

Full Access

shorturl:read shorturl:create shorturl:update shorturl:delete qrcode:read qrcode:create qrcode:update qrcode:delete analytics:read domain:read campaign:read campaign:create
Complete access to all JMPY features (use sparingly).

Legacy Scope Names

For backwards compatibility, we also support legacy scope names:
Legacy ScopeMaps To
url:readshorturl:read
url:createshorturl:create
url:updateshorturl:update
url:deleteshorturl:delete
qr:readqrcode:read
qr:createqrcode:create
qr:updateqrcode:update
qr:deleteqrcode:delete
readshorturl:read qrcode:read analytics:read
writeshorturl:create qrcode:create
We recommend using the new descriptive scope names for all new integrations. Legacy scopes are maintained for existing apps but may be deprecated in the future.

Scope Validation

When requesting scopes, the following validations apply:

1. Plan Limits

Scopes are checked against the user’s plan. If a user’s plan doesn’t include a feature: 
{
  "error": "invalid_scope",
  "error_description": "Your plan does not include analytics access"
}

2. App Registration

Apps can only request scopes they registered for. If you request a scope not in your app’s allowed list: 
{
  "error": "invalid_scope", 
  "error_description": "Scope 'campaign:create' not allowed for this client"
}
Users see all requested scopes on the authorization page and can choose to deny access if they’re uncomfortable with the permissions.

Requesting Scopes

In Authorization URL

Space-separated or plus-separated: 
https://jmpy.me/mcp/oauth/authorize?
  client_id=YOUR_CLIENT_ID&
  scope=shorturl:read+shorturl:create+qrcode:read

In Dynamic Registration

Array format in JSON: 
{
  "client_name": "My App",
  "redirect_uris": ["https://myapp.com/callback"],
  "scope": "shorturl:read shorturl:create qrcode:read qrcode:create"
}

Scope Display in UI

When users authorize your app, they see a friendly description of each scope:
ScopeUser Sees
shorturl:createCreate Short URLs - Shorten long URLs into tiny, memorable links with custom aliases
qrcode:createGenerate QR Codes - Create scannable QR codes for URLs, text, WiFi, and vCards
analytics:readView Analytics - Access click statistics, traffic data, and performance metrics

Pre-Registered App Scopes

Pre-registered OAuth clients (OpenAI, Claude, Zapier) have default scopes:
AppDefault Scopes
OpenAI/ChatGPTshorturl:read shorturl:create qrcode:read qrcode:create analytics:read
Claude (MCP)shorturl:read shorturl:create qrcode:read qrcode:create analytics:read
Zapiershorturl:read shorturl:create qrcode:read qrcode:create

Next Steps

OAuth Getting Started

Implement OAuth in your app

Endpoint Reference

Detailed endpoint documentation