admins, editors, billing — instead of granting scopes to each user one by one.
Prerequisites
- A Prelude account with access to the Auth API
- An Application ID (
appID) — see Applications - Your Management API key for backend calls
- One or more allowed scopes declared on the application — see Scopes
How it works
A group owns a set of scopes, and every scope a group owns must be one of the application’s allowed scopes. Users are assigned to groups; a user can belong to several groups. Two things happen at different times:- At session creation (login), the user’s current group membership is snapshotted onto the session.
- At every access-token mint (login and refresh), each group on the session is looked up in the current application configuration and the scopes of the matching groups are merged into the token’s
scopeclaim — alongside the user’s own scopes.
Membership is pinned at session creation. Adding or removing a user from a group does not change the scopes of their already-active sessions — it takes effect the next time they log in. Changing the scopes a group owns, on the other hand, is reflected on the next access-token refresh of every existing session, because group scopes are resolved from the live configuration at mint time.
Configure groups
Declare the scopes on your application
A group can only own scopes the application already allows. Add them first:
Create a group
Create a group and give it a subset of the allowed scopes. A group name is unique per application and may contain letters, digits, If any scope is not in the application’s allowed scopes, the request fails with
- and _.scope_not_allowed and lists every offending scope.Assign users to the group
Assign a user to the group. The call is idempotent — assigning a user who is already a member succeeds without changing anything.The next time the user logs in, their access token’s
scope claim will include read and write.(Optional) Expose group names as a claim
Group scopes always land in the This adds e.g.
scope claim. If you also want the group names in the token, map the groups input in your claims mapping:"roles": ["admins"] to the token. Group names are resolved from the user’s profile, so this claim stays in sync with membership changes on the next claims recomputation.Update or remove a group
Replace a group’s scopes withPUT /config/groups/{groupName}; the new set takes effect on the next access-token mint of every session that belongs to the group.
DELETE /users/{userID}/groups/{groupName} (idempotent), or delete the group definition entirely with DELETE /config/groups/{groupName}. Once a group is deleted, its scopes are no longer granted at mint time.