Capabilities

Capability tokens replace API keys + OAuth scopes. Each one is a DID-signed grant scoped to a path pattern in your data — revoke any one and the holder is locked out instantly.

How scopes work: capability tokens scope by path pattern (per Data-Sovereignty-and-Grid-Auth.md §4.3) — not by flat application names. prefix grants access under a path; exact grants a single row; schema grants any row of a Grid-standard schema. Examples below.

Active capabilities4

CAP	KIND	SCOPE	GRANTED TO	ISSUED	EXPIRES
cap_8f4e2a	prefix	did:grid:mk/services/blog.grid/*	did:grid:nora	2026-03-12	2026-06-12
cap_92ab10	prefix	did:grid:mk/services/comments-store/*	did:grid:nora	2026-03-28	never
cap_110c3d	exact	did:grid:mk/services/summarizer/invoke	did:grid:agent-7f3e	2026-04-02	2026-05-02
cap_2fae88	prefix	did:grid:mk/services/app-api/*	did:grid:bcamp	2026-02-18	never

Apps you've connected from the Store hold their own capability tokens — manage those at Connected apps →.