Skip to main content
Humanity Protocol uses a granular scope model to control access to user data. Apps request scopes during OAuth authorization, and users grant or deny access. Scopes determine which presets and data fields your application can access.

Scope Hierarchy

Scopes are organized into two levels:
  1. Category scopes - Grant access to low/medium sensitivity fields in a category
  2. Field-level scopes - Required for high/critical sensitivity fields
identity:read          → Basic identity (email, phone, country, wallet)
├── identity:date_of_birth  → DOB, age, age verification
├── identity:legal_name     → Full legal name
├── identity:address_postal_code → Postal/ZIP code
└── identity:address_full   → Complete address

Available Scopes

Category Scopes

ScopeDescriptionFields Included
identity:readBasic identity datahumanity_uuid, is_human, country_of_residence, email, phone, wallet_address, nationality
kyc:readKYC verification statuskyc_passed, kyc_last_updated_at, document_country, document_expiry_date
financial:readGeneral financial dataTrading frequency, exchange balances

Field-Level Scopes (High Sensitivity)

ScopeDescriptionFields Included
identity:date_of_birthDate of birth and derived fieldsdate_of_birth, age, age_over_18, age_over_21
identity:legal_nameLegal name from ID verificationlegal_name
identity:address_postal_codePostal/ZIP codeaddress_postal_code
identity:address_fullComplete verified addressaddress_full
kyc:document_numberID document numberdocument_number
financial:net_worthTotal net worthnet_worth_total, net_worth_above_10k, net_worth_above_100k
financial:bank_balanceBank account balancesbank_balance_total
financial:loan_balanceOutstanding loansloan_balance_total

Profile Scopes

ScopeDescription
openidRequired for OpenID Connect ID tokens
profile.fullComplete user profile access
data.readRaw data record access

Preset to Scope Mapping

Each preset requires a specific scope. Here’s the mapping:

Identity Presets

PresetRequired Scope
humanity_uuid, humanity_score, is_humanidentity:read
country_of_residence, residency_region, nationalityidentity:read
email, phone, wallet_addressidentity:read
palm_verified, social_accountsidentity:read
date_of_birth, age, age_over_18, age_over_21identity:date_of_birth
legal_nameidentity:legal_name
address_postal_codeidentity:address_postal_code
address_fullidentity:address_full

KYC Presets

PresetRequired Scope
kyc_passed, kyc_last_updated_atkyc:read
document_country, document_expiry_datekyc:read
document_numberkyc:document_number

Financial Presets

PresetRequired Scope
net_worth_above_10k, net_worth_above_100k, net_worth_totalfinancial:net_worth
bank_balance_totalfinancial:bank_balance
loan_balance_totalfinancial:loan_balance

Requesting Scopes

Request scopes during OAuth authorization: 
const { url } = sdk.buildAuthUrl({
  scopes: ['identity:read', 'identity:date_of_birth', 'kyc:read'],
  prompt: 'consent',
});
Or in the raw authorization URL: 
GET /oauth/authorize?
  client_id=your_client_id&
  redirect_uri=https://yourapp.com/callback&
  response_type=code&
  scope=identity:read%20identity:date_of_birth%20kyc:read&
  code_challenge=...&
  code_challenge_method=S256

Scope Validation

When accessing presets or using the query engine, the API validates that:
  1. The access token has the required scope for the requested data
  2. The user has consented to share that data
  3. The credential is valid and not expired
If validation fails, you’ll receive an E4003 error: 
{
  "error": "insufficient_scope",
  "error_code": "E4003",
  "error_description": "Token does not have the required scope: identity:date_of_birth"
}

Sensitivity Levels

Scopes align with data sensitivity levels:
SensitivityDescriptionExample Scopes
lowMinimal privacy impactDerived fields like age, residency_region
mediumStandard PIIidentity:read, kyc:read
highSensitive PIIidentity:date_of_birth, identity:legal_name, financial:*
criticalHighly sensitiveTax IDs, SSN (restricted access)

Best Practices

  1. Request minimal scopes - Only request what you need
  2. Explain why - Use clear consent text explaining data usage
  3. Handle scope downgrade - Users may grant fewer scopes than requested
  4. Check granted_scopes - The token response includes actual granted scopes
const token = await sdk.exchangeCodeForToken({ code, codeVerifier });

// Check what was actually granted
if (!token.granted_scopes.includes('identity:date_of_birth')) {
  // Handle case where age verification isn't available
}

Discovery

Fetch available scopes from the discovery endpoint: 
curl https://api.humanity.org/v2/.well-known/hp-configuration
The response includes scopes_supported and scopes_catalog with detailed metadata for each scope.