…h app may define (in YAML) its own 'scopes' to control the available API endpoints. Additionally, each endpoint may include allowed verbs (e.g. GET/POST/PUT/DELETE). This makes it easy to offer read-only scopes to applications that don't need to modify data (e.g. knowledgebase search). When creating credentials for a new OAuth App, a default scopes policy is provided.