Skip to main content
Scopes declare what a authorises. Each scope is an -format capability string carried in the signed PurchaseIntent.scopes array and surfaced to partner integrations as the scopes claim on the exchanged . A Stamped Mandate is delivered over the API as a PINT (header x-sumvin-pint-token); the scope catalog below carries the same identifiers whether you read it as a Stamped Mandate or as its underlying PINT. The scope grammar is a specialisation of the broader Sumvin Resource Identifier family — same sr:{region}:… scheme, different shape. Scopes support per-scope parameters (amount caps, asset, provider, time windows) as URL query strings, giving partners fine-grained capability envelopes without expanding the scope vocabulary.
Every scope in this catalog maps one-to-one to an existing authenticated user-facing capability in the Sumvin API. When a Stamped Mandate carrying a scope is exchanged for a JWT, the scopes claim is exactly what the partner sees.

Grammar

sr:{region}:pint:{domain}:{action}[?{key}={value}&{key}={value}]
SegmentDescriptionExamples
srSRI scheme prefixalways sr
regionGeographic region codeus, eu, gb
pintLiteral disambiguator — marks this as a scope SRI (see SRI reference)always pint
domainCapability domainidentity, spend, accounts, transactions, cards, personalization, perpetual
actionAction within the domainread, execute, manage, link, search, …
?{k=v}…Optional parameters (amount caps, asset, provider, time)?max=10000000&asset=USDC@sei
Exactly five fixed segments — scheme, region, pint, domain, action. Query params are optional and delimited by ? with & between pairs.

Parameter Conventions

ConventionFormExample
Numeric capsBase units of the referenced assetmax=10000000 = 10 USDC (6 decimals)
Asset + chain contextSYMBOL@context where context is a chain slug or fiatasset=USDC@sei, asset=USD@fiat
Provider choiceLowercase alphanumeric, drawn from a fixed enumprovider=meld
TimestampsUnix secondsfrom_date=1720000000
Time windowsUnix seconds (window length)time=2592000 (30 days)
Values containing &, =, or whitespace must be percent-encoded. The scope string is always signed verbatim as part of the Stamped Mandate payload, so any encoding applied at sign time is preserved end-to-end.

Verification Tier Mapping

Scopes drive the verification tier of the exchanged JWT.
  • Standard (Tier 1) — JWT alone is sufficient. Partner validates JWT signature, audience, expiry.
  • Enhanced (Tier 2) — JWT + the original Stamped Mandate signature and payload headers (X-Pint-Signature, X-Pint-Payload).
In the MVP catalog, only sr:us:pint:spend:execute triggers Enhanced tier. All 13 other scopes are Standard. If a Stamped Mandate carries any Enhanced-tier scope, the entire JWT is issued at Enhanced tier.

MVP Catalog

#ScopeDomainGrantsRequired ParamsOptional ParamsTierKYC
1sr:us:pint:identity:kyc_statusidentityAttest current KYC statusStd
2sr:us:pint:identity:kyc_readidentityRead KYC applicant PII + documentsdoc_typeStd
3sr:us:pint:identity:proof_of_personhoodidentityAttest user is a unique humanStd
4sr:us:pint:identity:age_over_18identityAttest user is 18 or olderStd
5sr:us:pint:spend:executespendOn-chain spend via Safe / IPA / strategy runmax, asset, chain_idEnh
6sr:us:pint:spend:rampspendFiat on-ramp via hosted widgetmax, asset, currencyStd
7sr:us:pint:perpetual:searchperpetualCreate IPA + enable ErrandstimemaxStd
8sr:us:pint:accounts:readaccountsRead linked bank accounts + balancesStd
9sr:us:pint:accounts:linkaccountsLink bank accounts; exchange link / processor tokensproviderStd
10sr:us:pint:accounts:transferaccountsFiat → wallet transfer (reserved, no enforcement site yet)max, asset, currencyStd
11sr:us:pint:transactions:readtransactionsRead transaction history + receiptsfrom_date, to_dateStd
12sr:us:pint:personalization:readpersonalisationRead insights, rules, budgetsStd
13sr:us:pint:cards:readcardsRead card details (last4, brand, status)Std
14sr:us:pint:cards:managecardsFreeze/unfreeze card; change funding walletStd

Scope Details

Identity

sr:us:pint:identity:kyc_status

Attests the user’s current KYC verification status. The JWT’s kyc_status claim carries the canonical value (pending, verified, rejected, …) for partners to read directly.

sr:us:pint:identity:kyc_read

  • Endpoint gated: SIS /v0/users/{id}/kyc + /document
  • Optional params: doc_type (e.g. passport, id_card)
  • Tier: Standard · KYC required:
Grants SIS partners dual-authenticated read access to the user’s KYC applicant PII and document images. See Getting User KYC Data for the full SIS flow.

sr:us:pint:identity:proof_of_personhood

  • Surface: JWT attestation claim
  • Params: none
  • Tier: Standard · KYC required:
Attests the user is a unique, KYC-verified human. Partners can consume this as a binary gate without needing the underlying KYC details.

sr:us:pint:identity:age_over_18

  • Surface: JWT attestation claim
  • Params: none
  • Tier: Standard · KYC required:
Attests the user is 18 or older. Commonly used for age-gated content and services that need a boolean signal without the user’s date of birth.

Spend

sr:us:pint:spend:execute

  • Endpoints gated: POST /v0/safe/rpc, IPA auto-execute, strategy run PINT linking
  • Optional params: max (base units), asset (SYMBOL@context), chain_id
  • Tier: Enhanced · KYC required:
  • Example: sr:us:pint:spend:execute?max=10000000&asset=USDC@sei&chain_id=1329
Authorises on-chain spend on behalf of the user. This is the only scope that triggers Enhanced verification — partners must verify the original Stamped Mandate signature, not just the JWT. When max + asset are set, the API enforces them against the actual transaction amount and asset at execution time.

sr:us:pint:spend:ramp

  • Endpoint gated: POST /v0/ramp/sessions (hosted on-ramp widget)
  • Optional params: max, asset, currency
  • Tier: Standard · KYC required:
  • Example: sr:us:pint:spend:ramp?max=50000&currency=USD
Authorises a fiat-to-crypto ramp session via the hosted on-ramp widget. max and currency are enforced against the ramp session request when present.

Perpetual

sr:us:pint:perpetual:search

  • Endpoints gated: POST /v0/user/ipa/, IPA strategy enrolment
  • Required params: time (window length in unix seconds)
  • Optional params: max (base-unit purchase ceiling)
  • Tier: Standard · KYC required:
  • Example: sr:us:pint:perpetual:search?time=2592000&max=5000000 (30-day window, $5 USDC cap)
Authorises the creation of an Intelligent Purchase Authorisation (IPA) and enrolment into Errand strategies. The time param is required on the scope string. API-side enforcement of time against the IPA’s lifecycle window is deferred pending the IPA schema gaining an explicit window field — today the scope’s presence is validated but the window is not yet bound.

Accounts

sr:us:pint:accounts:read

Read the user’s linked bank accounts and current balances. Used by delegated agent flows that need account context without the ability to initiate movement. Link a new bank account via the hosted bank-linking provider.

sr:us:pint:accounts:transfer

  • Endpoint gated: (reserved — route TBD)
  • Optional params: max, asset, currency
  • Tier: Standard · KYC required:
Reserved. The registry entry and parser support are in place so partner clients can begin requesting this scope, but there is no enforcement site in the current release — the transfer route is not yet live.

Transactions

sr:us:pint:transactions:read

Read transaction history and receipts. When from_date / to_date are set, the API enforces them by rejecting any listing or detail request for a transaction outside the declared window.

Personalisation

sr:us:pint:personalization:read

  • Endpoints gated: /v0/insights/, /v0/rules/, /v0/budgets/
  • Params: none
  • Tier: Standard · KYC required:
Read AI-generated insights, user-defined rules, and budgets. No parameters — scope presence alone grants access to the full personalisation read surface.

Cards

sr:us:pint:cards:read

Read card details (last4, brand, status, funding wallet). Does not expose the card PAN or CVV — those are only surfaced via a separate, short-lived session.

sr:us:pint:cards:manage

State-change operations on an existing card. Excludes card creation and excludes any spend flow — sr:us:pint:cards:manage is strictly about card lifecycle, not value transfer.

Scope Validation

Scopes are validated at two points:
  1. Creation time (schema). When a Stamped Mandate is created at token exchange, every scope string is parsed and validated. Malformed grammar, unknown scope names, and malformed params are rejected before the Stamped Mandate is persisted.
  2. Enforcement time (semantic). When a request carries a PINT token, the gated endpoint enforces per-param limits (amount caps, asset match, provider match, date range, …) against the actual request.
Validation at both layers prevents malformed scopes from entering the system and prevents legitimate scopes from being used outside their declared envelope.

Error Codes

StatusCodeWhen
400PINT-400-003Scope parameter is malformed or violates its declared type / range (e.g. max=abc, provider=stripe). detail names the offending scope and param.
400PINT-400-004Scope name is not in the registry (not a recognised MVP scope). detail echoes the offending scope string.
400PINT-400-005Scope string does not conform to the grammar (wrong segment count, wrong scheme, malformed query). detail echoes the offending scope string.
403PINT-403-001The signer is not authorised for a requested scope, or the request omits a PINT token but carries a scope-gated endpoint invocation.
All error responses follow RFC 7807 Problem Details. See Errors for the full error catalog.

Scope Combinations

A single Stamped Mandate can request multiple scopes: 
{
  "scopes": [
    "sr:us:pint:identity:kyc_status",
    "sr:us:pint:spend:execute?max=10000000&asset=USDC@sei&chain_id=1329"
  ]
}
The resulting JWT will carry both scopes in its scopes claim, and the verification tier is the highest tier present — if any scope is Enhanced, the entire JWT is issued at Enhanced tier. Two scopes with the same name but different params (e.g. sr:us:pint:spend:execute?max=100000000 and sr:us:pint:spend:execute?max=200000000) are treated as distinct capability envelopes — both are retained in the signed array. Exact duplicates are collapsed.

Post-MVP Scopes

The following scopes are not yet generally available. They fall into two categories.

Reserved for future releases

These scopes are not in the registry today. Requesting any of them during token exchange is rejected with PINT-400-004.
ScopeStatus
sr:us:pint:wallets:readDeferred
sr:us:pint:personalization:writeDeferred
sr:us:pint:chat:readDeferred
sr:us:pint:chat:writeDeferred
sr:us:pint:identity:lookupDeferred

Registered but no enforcement site yet

These scopes are in the registry — requesting them parses successfully and they appear in the issued JWT — but no API endpoint consumes them yet.
ScopeStatus
sr:us:pint:accounts:transferRegistered, enforcement pending route landing (fiat → wallet transfer route not yet live)
Scope definitions are versioned alongside the EIP-712 specification. See EIP-712 & Purchase Intents for the canonical type definitions and SRI for the underlying URI family.