daoflow capabilities

List all scopes granted to the current token, grouped by type.

Usage

daoflow capabilities [options]

Options

Flag	Description
`--json`	Structured JSON output

Required Scope

Any valid token.

Examples

daoflow capabilities --json

JSON Output

{
  "ok": true,
  "data": {
    "authMethod": "api-token",
    "role": "developer",
    "scopes": [
      "server:read",
      "deploy:read",
      "service:read",
      "env:read",
      "logs:read",
      "events:read",
      "deploy:start",
      "env:write"
    ],
    "token": {
      "id": "token_abc123",
      "name": "ci-deploy",
      "prefix": "dfl_ci_12ab",
      "expiresAt": "2026-06-01T00:00:00.000Z",
      "scopes": [
        "server:read",
        "deploy:read",
        "service:read",
        "env:read",
        "logs:read",
        "events:read",
        "deploy:start",
        "env:write"
      ]
    },
    "total": 8
  }
}

Agent Usage

Use capabilities before performing operations to check if your token has the required scopes. This prevents SCOPE_DENIED errors.

Terminal access is intentionally separate from normal deploy and log scopes. If a principal should open an interactive shell, terminal:open must appear explicitly in the reported capability list; having deploy:start or logs:read is not enough.

# Check if we can deploy
CAPS=$(daoflow capabilities --json)
echo $CAPS | jq '.scopes.write | index("deploy:start")'

Usage​

Options​

Required Scope​

Examples​

JSON Output​

Agent Usage​