Valid scopes for invenio tokens create

Hi to all,
what are the recognized scopes for invenio tokens create? (using v11.0)
I get ScopeDoesNotExists exception when attempting

invenio tokens create -n mytoken -u user@email -s “upload”
or other similar attempts;

also: what is the “-internal” option?

do you need to use scope for anything in particular? In general, there are no scopes defined at the moment. We discussed internally about this and we might add scopes in the future.

I thought that could be an alternative to the token created from the dashboard, where “user:email” is the only scope that can be selected.

In general, I’m interested at content upload capabilities.

Hey @dalpra , you are correct the token is selectable in the UI, but in reality as my colleague @nitarocc said, there is no scope based access control yet. You should be able to upload content with the issued token. Did you experience any particular problem?

Hi @zzacharo , probably i’m too inexperienced; an old zenodo instance has three selectable scopes:
deposit:actions, deposit:write, user:email.

with v11.0 however, only user:email appears; that made me think that capabilities were defined and considered. Maybe that part was customized in the old instance.

I succeded uploading via api to the old instance, and starting with now with the new one; I just found the “invenio token create” command line and was curious if it was equivalent the ones created from the web dashboard. Looks like yes, thought.

Hey @dalpra! The invenio token create command indeed creates the tokens you have seen in the old zenodo instance and also in the v11. What is missing now, is to connect any permission check with the existence of a specific scope. So, creating tokens now in reality doesn’t alter the access rules to a user. Did you manage to upload content also in the v11 or later RDM instance? Do you experience still problems uploading in your instance?