> ## Documentation Index
> Fetch the complete documentation index at: https://developer.hellgate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate to your Specter instance with a signed JWT and the right scopes.

Once your Specter instance is provisioned (see [Plans & Access](/products/specter/plans-and-access)), you reach
the API at your dedicated instance URL, where `{instance}` is your unique instance slug and `eu1` is the current
environment:

```
https://{instance}.eu1.on-hellgate.cloud
```

## Authentication

Every API request must carry an OAuth2 access token — a signed JSON Web Token (JWT) — in the
`Authorization` header:

```http theme={null}
Authorization: Bearer <access_token>
```

You request the token with the client-credentials grant — see [Authentication](/platform/authentication) for the
token endpoint, audiences, and scopes. Your instance's audience is its instance name (for example,
`my-lovely-specter-42`).

## Scopes

Each endpoint requires a specific scope. Request only the scopes a given integration needs through the
`scope` parameter when you [request a token](/platform/authentication).

| Scope                      | Grants                                                                                                                                                                                                                  |
| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `decisions:create`         | `POST /api/decisions`                                                                                                                                                                                                   |
| `decisions:read`           | `GET /api/decisions/{id}`                                                                                                                                                                                               |
| `decisions:write`          | `POST /api/decisions/{id}/resolve`                                                                                                                                                                                      |
| `events:create`            | `POST /api/events`                                                                                                                                                                                                      |
| `events:read`              | `GET /api/events/{id}`                                                                                                                                                                                                  |
| `interceptors:execute`     | `POST /api/interceptors/{ref}`                                                                                                                                                                                          |
| `admin:rulesets:read`      | `GET /api/admin/rulesets`<br />`GET /api/admin/rulesets/{id}`                                                                                                                                                           |
| `admin:rulesets:create`    | `POST /api/admin/rulesets`                                                                                                                                                                                              |
| `admin:rulesets:write`     | `PATCH /api/admin/rulesets/{id}`<br />`POST /api/admin/rulesets/{id}/activate`<br />`POST /api/admin/rulesets/{id}/rollback`                                                                                            |
| `admin:integrations:read`  | `GET /api/admin/integrations`<br />`GET /api/admin/integrations/{id}`                                                                                                                                                   |
| `admin:integrations:write` | `POST /api/admin/integrations`<br />`PATCH /api/admin/integrations/{id}`<br />`DELETE /api/admin/integrations/{id}`                                                                                                     |
| `admin:interceptors:read`  | `GET /api/admin/interceptors`<br />`GET /api/admin/interceptors/{id}`                                                                                                                                                   |
| `admin:interceptors:write` | `POST /api/admin/interceptors`<br />`PATCH /api/admin/interceptors/{id}`<br />`POST /api/admin/interceptors/{id}/activate`<br />`POST /api/admin/interceptors/{id}/rollback`<br />`DELETE /api/admin/interceptors/{id}` |
| `admin:blacklist:read`     | `GET /api/admin/blacklist`<br />`GET /api/admin/blacklist/{id}`                                                                                                                                                         |
| `admin:blacklist:write`    | `POST /api/admin/blacklist`<br />`DELETE /api/admin/blacklist/{id}`                                                                                                                                                     |

<Note>
  Runtime scopes (`decisions:*`, `events:*`, `interceptors:execute`) belong to your payment integration.
  The `admin:*` scopes are for configuration and operations, and should be issued to operator or back-office clients only.
</Note>

## Next steps

<Card title="API" icon="code" href="/products/specter/integration/via-api">
  Send your first decision request.
</Card>
