Hierarchical namespace for object organization and authorization.
This module defines Scope (a single key-value pair like
organization=17) and Scopes (an ordered collection of scopes).
§Allowed characters
Scope keys and values must be non-empty and may only contain:
A-Z a-z 0-9 _ - ( ) $ ! + '
Characters used as delimiters are forbidden: . (storage path separator),
/ (path separator), = and ; (API path encoding).
§Ordering
Order matters — organization=17;project=42 and project=42;organization=17
identify different object namespaces because they produce different storage
paths.
§Purpose
Scopes serve several roles:
- Organization — they define a hierarchical folder-like structure
  within a usecase. The storage path directly reflects the scope hierarchy
  (e.g. org.17/project.42/objects/{key}).
- Authorization — JWT tokens include scope claims that are matched
  against the request’s scopes. A token scoped to organization=17 can only
  access objects under that organization.
- Compartmentalization — scopes isolate impact through rate limits and
  killswitches, guaranteeing quality of service between tenants.
§Display formats
Scopes have two display formats:
- Storage path (Scopes::as_storage_path): org.17/project.42 — used by
  backends to construct storage keys.
- API path (Scopes::as_api_path): org=17;project=42 — used in HTTP URL
  paths (matrix URI syntax). Empty scopes render as _.
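The character rules, ordering and both display formats described above, as an added sketch that is not this crate's code: ScopeError, check_part, validate, storage_path and api_path are hypothetical names, and the sample inputs are constructed. It shows why the delimiter characters must be rejected before a path is rendered.

```rust
// Added illustration; not the crate's implementation. All names are hypothetical.
#[derive(Debug, PartialEq)]
enum ScopeError { Empty, InvalidChar(char) }

// Allowed set from the "Allowed characters" section: A-Z a-z 0-9 _ - ( ) $ ! + '
fn is_allowed(c: char) -> bool {
    c.is_ascii_alphanumeric() || "_-()$!+'".contains(c)
}

// A key or value must be non-empty and contain only allowed characters.
fn check_part(s: &str) -> Result<(), ScopeError> {
    if s.is_empty() { return Err(ScopeError::Empty); }
    match s.chars().find(|c| !is_allowed(*c)) {
        Some(c) => Err(ScopeError::InvalidChar(c)),
        None => Ok(()),
    }
}

// Validate every key and value, preserving the caller's order.
fn validate(pairs: &[(&str, &str)]) -> Result<Vec<(String, String)>, ScopeError> {
    let mut out = Vec::new();
    for (k, v) in pairs {
        check_part(k)?;
        check_part(v)?;
        out.push((k.to_string(), v.to_string()));
    }
    Ok(out)
}

fn join(scopes: &[(String, String)], kv: &str, sep: &str) -> String {
    scopes.iter().map(|(k, v)| format!("{}{}{}", k, kv, v)).collect::<Vec<_>>().join(sep)
}

// Storage form: key.value segments separated by '/'.
fn storage_path(scopes: &[(String, String)]) -> String { join(scopes, ".", "/") }

// API form: key=value pairs separated by ';'; an empty set renders as "_".
fn api_path(scopes: &[(String, String)]) -> String {
    if scopes.is_empty() { "_".to_string() } else { join(scopes, "=", ";") }
}

fn main() {
    let a = validate(&[("org", "17"), ("project", "42")]).unwrap();
    let b = validate(&[("project", "42"), ("org", "17")]).unwrap();
    println!("{} | {}", storage_path(&a), api_path(&a));
    println!("{} | {}", storage_path(&b), api_path(&b)); // different namespace
    // Constructed value: unvalidated, org=17/project.42 would render to the
    // same storage path as `a` and collide with another namespace.
    println!("{:?}", validate(&[("org", "17/project.42")]));
}
```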
Structs§
- AsApiPath - A view returned by Scopes::as_api_path.
- AsStoragePath - A view returned by Scopes::as_storage_path.
- Scope - A single scope value of an object.
- Scopes - An ordered set of resource scopes.
Enums§
- InvalidScopeError - An error indicating that a scope is invalid, returned by
  Scope::create.
Constants§
- EMPTY_SCOPES - Used in place of scopes in the URL to represent an empty set of scopes.