- Account capabilities — what your merchant account as a whole is allowed to do. Set by Anton as a commercial/risk decision.
- Credential scopes — what an individual OAuth client (or API key) is allowed to do within your account. Set by you when the credential is created.
The capability vocabulary
Every standard merchant account carries both capabilities, and every credential minted before scopes existed behaves as full-scope — nothing changes for existing integrations.
The AI-Compliance tier
Anton offers an AI-compliance-only tier: accounts provisioned withcapabilities = ["intelligence"] and no payout surface at all. These accounts buy Anton Intelligence — payee screening, instrument screening, onboarding risk, transaction-context evaluation — without moving money through Anton.
For a compliance-only account:
- Every payout-surface endpoint returns
403with codecapability_required. The account is structurally incapable of creating payouts, beneficiaries, instruments, batches, or FX exchanges. - The intelligence surface, dashboard, documents, RFIs, onboarding, team management, API credential management, audit log, and reference data (currencies, countries, payment methods) all work normally.
- Webhooks work normally. Subscriptions and deliveries are available on every tier — payout events simply never fire for an account that cannot create payouts.
- Credentials created under the account default to the
intelligencescope only.
POST /v1/intelligence/evaluations, read evaluations and evidence back under your own account.
To move between tiers (for example, adding payouts to a compliance-only account after underwriting), contact Anton via help.antonpayments.com. Capability changes take effect immediately — no token re-mint or credential rotation is required, because capabilities are evaluated per request against your account, not baked into tokens.
Credential scopes
Each OAuth client carries a scope set assigned at creation time:- Scopes must be a subset of your account’s capabilities at the moment of creation — a request for an out-of-capability scope is rejected.
- If you don’t specify scopes, the credential defaults to your account’s current capabilities (a compliance-only account’s default credential is
intelligence-only). - Scopes are immutable after creation. To change a credential’s scope, create a new credential and revoke the old one.
intelligence-only credential and your payment service a payouts credential, so a leaked compliance credential can never move money.
Scopes in tokens
Granted scopes are embedded in every access token as a space-delimitedscope claim (RFC 6749 §3.3) and echoed in the token response:
scope request parameter on POST /oauth/token — tokens always carry exactly the scopes the credential was created with.
Denial semantics
Both layers fail with403 and a stable code, checked in this order:
payouts-scoped credential on a compliance-only account receives capability_required, not insufficient_scope. Denials at either layer are recorded in your account’s audit trail.
Neither code is retryable — the same request will fail identically until the account capability or credential changes. See Errors.
What each surface requires
The interactive API reference marks payout-gated endpoints with a
403 capability_required response.