Toast · OAuth Scopes

Toast OAuth Scopes

OAuth 2.0 derived

Toast publishes 22 OAuth 2.0 scopes via the clientCredentials flow. Scopes are the fine-grained permissions an application requests at authorization time to act against the Toast API on a user’s behalf.

Tokens are issued from https://toast-api-server/authentication/v1/authentication/login.

This index is generated from the provider’s OpenAPI security definitions (and, where available, its documented scope reference) and refreshes on every APIs.io network build. Browse every provider’s scopes at scopes.apis.io.

RestaurantsPoint Of SalePaymentsOnline OrderingDeliveryLoyaltyGift CardsMenusOrdersKitchenLaborSchedulingInventoryHospitalityPartner Integrations
Scopes: 22 Flows: clientCredentials Method: derived

OAuth endpoints

Token URL
https://toast-api-server/authentication/v1/authentication/login
Flows
clientCredentials

Scopes (22)

ScopeDescriptionFlows
delivery_info.address:read Allows reading guest delivery address information from the orders API. Optionally used in conjunction with the `orders:read` scope to return the `deliveredDate`, `dispatchedDate`, `deliveryEmployee`, and `deliveryState` fields as part of the `deliveryInfo` field on the Order object. clientCredentials
employees.tax-identifier-masked:read Allows reading masked tax identifier (SSN) information for employees via expand parameter. clientCredentials
employees.tax-identifier-unmasked:read Allows reading full unmasked tax identifier (SSN) information for employees via expand parameter. clientCredentials
guest.pi:read Allows reading guest and curbside pickup information from the orders API. Optionally used in conjunction with the `orders:read` scope to return the `email` and `phone` fields as part of the `checks[].customer` object. clientCredentials
labor.employees:read Allows reading employee information from the labor API. clientCredentials
labor.employees:write Allows updating employee information in the labor API. clientCredentials
labor.jobs:write Allows updating job information in the labor API. clientCredentials
labor.shifts:write Allows updating shift information in the labor API. clientCredentials
labor:read Allows reading all data except employees from the labor API. clientCredentials
menus:read Allows reading from menus API V2. clientCredentials
orders.channel:read Allows API clients that submit orders to the Toast platform to read from the orders API. To read orders, the API client must have both the orders:read scope and the orders.channel:read scope. API clients that have the orders.channel:read scope can only read the orders that they submitted. They cannot read orders from any other source. clientCredentials
orders.channel:void
orders.delivery_info:write Allows updating delivery information from the orders API. clientCredentials
orders.discounts:write Allows adding discounts to orders using the orders API. clientCredentials
orders.items:write Allows adding items to orders using the orders API. clientCredentials
orders.orders:write Allows posting orders orders using the orders API. clientCredentials
orders.payments:write Allows adding payments and tips to existing orders using the orders API. clientCredentials
orders:read Allows reading from the orders API with the exception of guest information. If your API client creates orders, then to read orders, it must have both the orders:read scope and the orders.channel:read scope. clientCredentials
orders:void
restaurants:read Allows reading from the restaurants API. clientCredentials
stock:read Allows reading from the stock API. clientCredentials
stock:write Allows updating stock status for menu items (and modifier option item references) using the stock API. clientCredentials

Source

OAuth Scopes

toast-tab-scopes.yml Raw ↑
generated: '2026-07-11'
method: derived
source: openapi/toast-tab-labor-openapi.yml, openapi/toast-tab-menus-openapi.yml, openapi/toast-tab-orders-openapi.yml,
  openapi/toast-tab-partners-openapi.yml, openapi/toast-tab-restaurants-openapi.yml, openapi/toast-tab-stock-openapi.yml
schemes:
- name: oauth2
  source: openapi/toast-tab-labor-openapi.yml
  flows:
  - flow: clientCredentials
    tokenUrl: https://toast-api-server/authentication/v1/authentication/login
  description: "Access to Toast APIs, specific endpoints, \nand specific API endpoint operations\
    \ is \ncontrolled by the scopes that are associated \nwith your API account. \nA full reference\
    \ for Toast API scopes and \ntheir capabilities can be found in the\n[_Toast Developer Guide_](https://doc.toasttab.com/doc/devguide/apiScopes.html)."
- name: oauth2
  source: openapi/toast-tab-menus-openapi.yml
  flows:
  - flow: clientCredentials
    tokenUrl: https://toast-api-server/authentication/v1/authentication/login
  description: "Access to Toast APIs, specific endpoints, \nand specific API endpoint operations\
    \ is \ncontrolled by the scopes that are associated \nwith your API account. \n\nA full\
    \ reference for Toast API scopes and \ntheir capabilities can be found in the\n[_Toast Developer\
    \ Guide_](https://doc.toasttab.com/doc/devguide/apiScopes.html)."
- name: oauth2
  source: openapi/toast-tab-orders-openapi.yml
  flows:
  - flow: clientCredentials
    tokenUrl: https://toast-api-server/authentication/v1/authentication/login
  description: "Access to Toast APIs, specific endpoints, \nand specific API endpoint operations\
    \ is \ncontrolled by the scopes that are associated \nwith your API account. \n\nA full\
    \ reference for Toast API scopes and \ntheir capabilities can be found in the\n[_Toast Developer\
    \ Guide_](https://doc.toasttab.com/doc/devguide/apiScopes.html)."
- name: oauth2
  source: openapi/toast-tab-partners-openapi.yml
  flows:
  - flow: clientCredentials
    tokenUrl: https://toast-api-server/authentication/v1/authentication/login
  description: "Access to Toast APIs, specific endpoints, \nand specific API endpoint operations\
    \ is \ncontrolled by the scopes that are associated \nwith your API account. \nA full reference\
    \ for Toast API scopes and \ntheir capabilities can be found in the\n[_Toast Developer Guide_](https://doc.toasttab.com/doc/devguide/apiScopes.html)."
- name: oauth2
  source: openapi/toast-tab-restaurants-openapi.yml
  flows:
  - flow: clientCredentials
    tokenUrl: https://toast-api-server/authentication/v1/authentication/login
  description: "Access to Toast APIs, specific endpoints, \nand specific API endpoint operations\
    \ is \ncontrolled by the scopes that are associated \nwith your API account. \nA full reference\
    \ for Toast API scopes and \ntheir capabilities can be found in the\n[_Toast Developer Guide_](https://doc.toasttab.com/doc/devguide/apiScopes.html)."
- name: oauth2
  source: openapi/toast-tab-stock-openapi.yml
  flows:
  - flow: clientCredentials
    tokenUrl: https://toast-api-server/authentication/v1/authentication/login
  description: "Access to Toast APIs, specific endpoints, \nand specific API endpoint operations\
    \ is \ncontrolled by the scopes that are associated \nwith your API account. \n\nA full\
    \ reference for Toast API scopes and \ntheir capabilities can be found in the\n[_Toast Developer\
    \ Guide_](https://doc.toasttab.com/doc/devguide/apiScopes.html)."
scopes:
- scope: delivery_info.address:read
  description: |-
    Allows reading guest delivery address information from the orders API.
    Optionally used in conjunction with the `orders:read` scope to return
    the `deliveredDate`, `dispatchedDate`, `deliveryEmployee`, and `deliveryState`
    fields as part of the `deliveryInfo` field on the Order object.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: employees.tax-identifier-masked:read
  description: |-
    Allows reading masked tax identifier (SSN) information for employees via
    expand parameter.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-labor-openapi.yml
- scope: employees.tax-identifier-unmasked:read
  description: |-
    Allows reading full unmasked tax identifier (SSN) information for employees
    via expand parameter.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-labor-openapi.yml
- scope: guest.pi:read
  description: |-
    Allows reading guest and curbside pickup information from the orders API.
    Optionally used in conjunction with the `orders:read` scope to return the
    `email` and `phone` fields as part of the `checks[].customer` object.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: labor.employees:read
  description: Allows reading employee information from the labor API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-labor-openapi.yml
- scope: labor.employees:write
  description: Allows updating employee information in the labor API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-labor-openapi.yml
- scope: labor.jobs:write
  description: Allows updating job information in the labor API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-labor-openapi.yml
- scope: labor.shifts:write
  description: Allows updating shift information in the labor API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-labor-openapi.yml
- scope: labor:read
  description: Allows reading all data except employees from the labor API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-labor-openapi.yml
- scope: menus:read
  description: Allows reading from menus API V2.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-menus-openapi.yml
- scope: orders.channel:read
  description: |-
    Allows API clients that submit orders to the Toast platform to read from the orders API.

    To read orders, the API client must have both the orders:read scope and the orders.channel:read scope.

    API clients that have the orders.channel:read scope can only read the orders that they submitted. They cannot
    read orders from any other source.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: orders.channel:void
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: orders.delivery_info:write
  description: Allows updating delivery information from the orders API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: orders.discounts:write
  description: Allows adding discounts to orders using the orders API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: orders.items:write
  description: Allows adding items to orders using the orders API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: orders.orders:write
  description: Allows posting orders orders using the orders API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: orders.payments:write
  description: Allows adding payments and tips to existing orders using the orders API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: orders:read
  description: "Allows reading from the orders API with the exception of guest information.\n\
    \nIf your API client creates orders, then to read orders, it must have both the orders:read\
    \ scope and the \norders.channel:read scope."
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: orders:void
  sources:
  - openapi/toast-tab-orders-openapi.yml
- scope: restaurants:read
  description: Allows reading from the restaurants API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-restaurants-openapi.yml
- scope: stock:read
  description: Allows reading from the stock API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-stock-openapi.yml
- scope: stock:write
  description: Allows updating stock status for menu items (and modifier option item references)
    using the stock API.
  flows:
  - clientCredentials
  sources:
  - openapi/toast-tab-stock-openapi.yml