Permissions

Permission Scoping

When a user authorizes a HYPLAY application through the OAuth flow, they approve a set of permissions, defined by the application developer.

By default, HYPLAY takes a deny-all approach to permission scoping. This means that if an application wants to be able to transact with specific smart contracts, or transfer specific token amounts or NFTs on behalf of a user, it must explicitly declare this in its OAuth flow, and the user must approve this request for permissions.

Additionally, permissions are all or nothing. A user cannot approve some permissions and deny others during the OAuth flow. If they deny the authorization request during the OAuth flow, the user is redirected to the provided redirectUri with ?error=cancelled appended to the redirect URI.

Requesting Permissions

Permissions are requested from a user at the time they go through your application's OAuth flow. The OAuth URL you construct, which redirects a user into your OAuth flow, includes a number of permission query parameters such as scope, nativeAllowance, erc20Allowances, and more. These parameters define the permissions you are requesting from the user. These permissions can be set statically or dynamically. All that matters is that at the point a user is redirected to your constructed OAuth URL, the permissions defined in the query parameters represent the permissions that will be requested from the user for a session.

You can learn more about OAuth URL construction and permission parameters here: OAuth URLs & URL Construction
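The request and redirect handling described above, as an added example that is not HYPLAY's own code: it builds an OAuth URL from an explicit set of permission parameters and classifies the redirect back, including the ?error=cancelled case. The endpoint is a placeholder, and the function names, the redirectUri query parameter name, the opaque string values, and treating a redirect without an error as approval are assumptions.

```javascript
// Added example. AUTHORIZE_ENDPOINT is a placeholder, not the real HYPLAY endpoint.
const AUTHORIZE_ENDPOINT = "https://oauth.example.invalid/authorize";

// This application's own allow-list of permission parameters it will ever request.
// The names are the ones quoted on this page; the page notes there are more.
const ALLOWED_PARAMS = new Set(["scope", "nativeAllowance", "erc20Allowances"]);

// Build the OAuth URL. Values are passed through as opaque strings (assumed encoding).
function buildOAuthUrl(redirectUri, permissions) {
  const url = new URL(AUTHORIZE_ENDPOINT);
  url.searchParams.set("redirectUri", redirectUri); // parameter name is an assumption
  for (const [key, value] of Object.entries(permissions)) {
    // Fail closed: a typo or injected key must not alter the request silently.
    if (!ALLOWED_PARAMS.has(key)) {
      throw new Error(`refusing undeclared permission parameter: ${key}`);
    }
    url.searchParams.set(key, String(value));
  }
  return url.toString();
}

// Classify the redirect back to the application after the OAuth flow.
function handleRedirect(callbackUrl, redirectUri, requested) {
  const got = new URL(callbackUrl);
  const want = new URL(redirectUri);
  // Only accept callbacks that land on the redirect URI we registered.
  if (got.origin !== want.origin || got.pathname !== want.pathname) {
    return { status: "rejected", permissions: {} };
  }
  const error = got.searchParams.get("error");
  // User denied the request: nothing was granted, not even part of the set.
  if (error === "cancelled") return { status: "cancelled", permissions: {} };
  // Any other error value is not documented on this page; grant nothing.
  if (error !== null) return { status: "error", permissions: {} };
  // Assumption: no error means the user approved. Permissions are all or
  // nothing, so the session carries exactly the requested set.
  return { status: "approved", permissions: { ...requested } };
}

// Constructed sample values, for illustration only.
const SAMPLE_REDIRECT = "https://game.example.invalid/callback";
const SAMPLE_REQUEST = { scope: "example-scope", nativeAllowance: "1000" };
```

Parsing whatever the approval redirect carries (tokens, codes) is outside what this page documents and is left out.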