Public read-only API + scoped tokens (OAuth) #186

Open
opened 2026-06-09 11:28:07 -04:00 by justin · 0 comments
Owner

Status: partial · Importance: High · Effort: L · Phase: 5–6

Bearer token is opaque session only; TokenPurpose lacks scopes; designed public.py never built.

Non-negotiable: Any scoped-token path routes through person_visibility + living-person redaction (NN#2/#3).


Area: API & extensibility · P1 / should-have. From the product backlog gap analysis (docs/BACKLOG.md).

justin added the type:security, priority:P1, moscow:should, area:api, status:partial labels 2026-06-09 11:28:07 -04:00
Reference: justin/provenance#186